Toolkit common security changes

RELEASE-NOTES.md

@@ -1,5 +1,11 @@
 ## RELEASE NOTES
 
+### Version 7.3.58
+**EXUI-4435** CVE Vulnerabilities Apr 26
+**EXUI-4300** Suppressions - core-js - major
+**EXUI-4295** Suppressions - axios - major
+**EXUI-4369** CVE Vulnerabilites
+
 ### Version 7.3.57
 **EXUI-4298** Suppressions - express - major
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hmcts/ccd-case-ui-toolkit",
-  "version": "7.3.57",
+  "version": "7.3.58",
   "engines": {
     "node": ">=20.19.0"
   },
@@ -52,14 +52,14 @@
     "@angular/core": "^20.3.18",
     "@angular/forms": "^20.3.18",
     "@angular/localize": "^20.3.18",
-    "@angular/material": "^16.2.0",
+    "@angular/material": "^16.2.12",
     "@angular/platform-browser": "^20.3.18",
     "@angular/platform-browser-dynamic": "^20.3.18",
     "@angular/router": "^20.3.18",
     "@angular/upgrade": "^20.3.18",
-    "@edium/fsm": "^2.1.2",
+    "@edium/fsm": "^3.0.1",
     "@hmcts/ccpay-web-component": "6.5.17",
-    "@hmcts/media-viewer": "4.2.16",
+    "@hmcts/media-viewer": "4.2.18-exui-4295-cve-fix",
     "@ngrx/effects": "17.2.0",
     "@ngrx/store": "^17.2.0",
     "@nicky-lenaers/ngx-scroll-to": "^14.0.0",
@@ -71,24 +71,26 @@
     "moment": "^2.30.1",
     "moment-timezone": "^0.5.31",
     "ngx-chips": "^3.0.0",
-    "ngx-markdown": "^20",
+    "ngx-markdown": "20",
     "ngx-pagination": "6.0.3",
     "pegjs": "^0.10.0",
     "rpx-xui-translation": "1.2.4",
     "rx-polling-hmcts": "1.1.1",
     "rxjs": "^7.8.1",
     "rxjs-compat": "^6.6.7",
-    "underscore": "^1.9.1",
+    "underscore": "^1.13.8",
+    "yargs": "17.7.2",
+    "yargs-parser": "^21.1.1",
     "zone.js": "^0.15.1"
   },
   "devDependencies": {
-    "@angular-devkit/build-angular": "^20.3.3",
+    "@angular-devkit/build-angular": "^20.3.24",
     "@angular-eslint/builder": "^20",
     "@angular-eslint/eslint-plugin": "^20",
     "@angular-eslint/eslint-plugin-template": "^20",
     "@angular-eslint/schematics": "^20",
     "@angular-eslint/template-parser": "^20",
-    "@angular/cli": "^20.3.9",
+    "@angular/cli": "^20.3.24",
     "@angular/compiler-cli": "^20.3.18",
     "@babel/core": "^7.23.0",
     "@compodoc/compodoc": "1.1.12",
@@ -107,6 +109,7 @@
     "codecov": "^3.0.0",
     "codelyzer": "^6.0.0",
     "concurrently": "^4.0.1",
+    "core-js": "^3.49.0",
     "css-loader": "^6.7.1",
     "del": "^3.0.0",
     "eslint": "^8.57.0",
@@ -198,8 +201,7 @@
     "dns-packet": "^5.6.1",
     "hosted-git-info": "^3.0.8",
     "normalize-url": "^6.0.1",
-    "trim-newlines": "^3.0.1",
-    "typescript": "~5.9.2"
+    "trim-newlines": "^3.0.1"
   },
   "nyc": {
     "include": [

projects/ccd-case-ui-toolkit/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hmcts/ccd-case-ui-toolkit",
-  "version": "7.3.57",
+  "version": "7.3.58",
   "engines": {
     "node": ">=20.19.0"
   },

yarn-audit-known-issues

@@ -22,7 +22,6 @@
 {"value":"picomatch","children":{"ID":1115552,"Issue":"Picomatch has a ReDoS vulnerability via extglob quantifiers","URL":"https://github.com/advisories/GHSA-c2c7-rcm5-vvqj","Severity":"high","Vulnerable Versions":"<2.3.2","Tree Versions":["2.3.1"],"Dependents":["jest-util@npm:29.7.0"]}}
 {"value":"picomatch","children":{"ID":1115554,"Issue":"Picomatch has a ReDoS vulnerability via extglob quantifiers","URL":"https://github.com/advisories/GHSA-c2c7-rcm5-vvqj","Severity":"high","Vulnerable Versions":">=4.0.0 <4.0.4","Tree Versions":["4.0.3"],"Dependents":["tinyglobby@npm:0.2.15"]}}
 {"value":"socket.io-parser","children":{"ID":1115154,"Issue":"socket.io allows an unbounded number of binary attachments","URL":"https://github.com/advisories/GHSA-677m-j7p3-52f9","Severity":"high","Vulnerable Versions":">=4.0.0 <4.2.6","Tree Versions":["4.2.4"],"Dependents":["socket.io-client@npm:4.8.1"]}}
-{"value":"underscore","children":{"ID":1117689,"Issue":"Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack","URL":"https://github.com/advisories/GHSA-qpx9-hpmf-5gmw","Severity":"high","Vulnerable Versions":"<=1.13.7","Tree Versions":["1.13.7"],"Dependents":["@hmcts/ccd-case-ui-toolkit@workspace:."]}}
-{"value":"uuid","children":{"ID":1119441,"Issue":"uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided","URL":"https://github.com/advisories/GHSA-w5hq-g745-h8pq","Severity":"moderate","Vulnerable Versions":"<11.1.1","Tree Versions":["11.1.0"],"Dependents":["@hmcts/media-viewer@virtual:6ff8c2a3aef81417d9f60600e3255d97c9c6c863d8733a87ed99d869392767523e0e28c07db1eb2a034bc9265813386132447698258584d621a7fd0e13d93585#npm:4.2.16"]}}
+{"value":"uuid","children":{"ID":1119441,"Issue":"uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided","URL":"https://github.com/advisories/GHSA-w5hq-g745-h8pq","Severity":"moderate","Vulnerable Versions":"<11.1.1","Tree Versions":["11.1.0"],"Dependents":["@hmcts/media-viewer@virtual:6ff8c2a3aef81417d9f60600e3255d97c9c6c863d8733a87ed99d869392767523e0e28c07db1eb2a034bc9265813386132447698258584d621a7fd0e13d93585#npm:4.2.18-exui-4295-cve-fix"]}}
 {"value":"whatwg-encoding","children":{"ID":"whatwg-encoding (deprecation)","Issue":"Use @exodus/bytes instead for a more spec-conformant and faster implementation","Severity":"moderate","Vulnerable Versions":"2.0.0","Tree Versions":["2.0.0"],"Dependents":["jsdom@virtual:ce56289c4b7a2e9003d709997e253c1c80dcaee4c6fbe440cbe9ba5de5db8af3a7b7ad41bbdec5a5e3d40dc9c3c54bef92dd6885ff84cd436d636d5a1b380a61#npm:20.0.3"]}}
 {"value":"ws","children":{"ID":1119108,"Issue":"ws: Uninitialized memory disclosure","URL":"https://github.com/advisories/GHSA-58qx-3vcg-4xpx","Severity":"moderate","Vulnerable Versions":">=8.0.0 <8.20.1","Tree Versions":["8.17.1","8.18.3"],"Dependents":["engine.io-client@npm:6.6.3","jsdom@virtual:ce56289c4b7a2e9003d709997e253c1c80dcaee4c6fbe440cbe9ba5de5db8af3a7b7ad41bbdec5a5e3d40dc9c3c54bef92dd6885ff84cd436d636d5a1b380a61#npm:20.0.3"]}}