Pay 6806

package.json

@@ -48,7 +48,7 @@
   "dependencies": {
     "@babel/eslint-parser": "^7.11.0",
     "@babel/helper-create-class-features-plugin": "^7.21.8",
-    "@hmcts/ccpay-web-component": "6.0.13",
+    "@hmcts/ccpay-web-component": "6.0.18-beta1",
     "@hmcts/cookie-manager": "^1.0.0",
     "@hmcts/nodejs-healthcheck": "^1.8.0",
     "@hmcts/nodejs-logging": "^4.0.4",

yarn-audit-known-issues

@@ -1 +1 @@
-{"actions":[],"advisories":{"1092972":{"findings":[{"version":"2.88.0","paths":["request","request-promise-native>request","request-promise-native>request-promise-core>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1096460":{"findings":[{"version":"2.0.0","paths":["fsevents>nan>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","mocha-junit-reporter>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip"]}],"metadata":null,"vulnerable_versions":"<=2.0.0","module_name":"ip","severity":"high","github_advisory_id":"GHSA-78xj-cgh5-2h22","cves":["CVE-2023-42282"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-02-12T20:17:09.000Z","recommendation":"None","cwe":[],"found_by":null,"deleted":null,"id":1096460,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-42282\n- https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html\n- https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447\n- https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999\n- https://github.com/advisories/GHSA-78xj-cgh5-2h22","created":"2024-02-08T18:30:39.000Z","reported_by":null,"title":"NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks","npm_advisory_id":null,"overview":"An issue in all published versions of the NPM package `ip` allows an attacker to execute arbitrary code and obtain sensitive information via the `isPublic()` function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function's failure to accurately distinguish between public and private IP addresses.","url":"https://github.com/advisories/GHSA-78xj-cgh5-2h22"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":3,"high":2,"critical":0},"dependencies":671,"devDependencies":32,"optionalDependencies":0,"totalDependencies":703}}
+{"actions":[],"advisories":{"1092972":{"findings":[{"version":"2.88.0","paths":["request","request-promise-native>request","request-promise-native>request-promise-core>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1096519":{"findings":[{"version":"2.0.0","paths":["fsevents>nan>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip","mocha-junit-reporter>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>socks-proxy-agent>socks>ip"]}],"metadata":null,"vulnerable_versions":"=2.0.0","module_name":"ip","severity":"moderate","github_advisory_id":"GHSA-78xj-cgh5-2h22","cves":["CVE-2023-42282"],"access":"public","patched_versions":">=2.0.1","cvss":{"score":0,"vectorString":null},"updated":"2024-02-20T18:30:41.000Z","recommendation":"Upgrade to version 2.0.1 or later","cwe":[],"found_by":null,"deleted":null,"id":1096519,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-42282\n- https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html\n- https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447\n- https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999\n- https://github.com/indutny/node-ip/pull/138\n- https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa\n- https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894\n- https://github.com/advisories/GHSA-78xj-cgh5-2h22","created":"2024-02-08T18:30:39.000Z","reported_by":null,"title":"NPM IP package incorrectly identifies some private IP addresses as public","npm_advisory_id":null,"overview":"The `isPublic()` function in the NPM package `ip` doesn't correctly identify certain private IP addresses in uncommon formats such as `0x7F.1` as private. Instead, it reports them as public by returning `true`. This can lead to security issues such as Server-Side Request Forgery (SSRF) if `isPublic()` is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.","url":"https://github.com/advisories/GHSA-78xj-cgh5-2h22"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":5,"high":0,"critical":0},"dependencies":671,"devDependencies":32,"optionalDependencies":0,"totalDependencies":703}}

yarn.lock

@@ -2830,15 +2830,15 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@hmcts/ccpay-web-component@npm:6.0.13":
-  version: 6.0.13
-  resolution: "@hmcts/ccpay-web-component@npm:6.0.13"
+"@hmcts/ccpay-web-component@npm:6.0.18-beta1":
+  version: 6.0.18-beta1
+  resolution: "@hmcts/ccpay-web-component@npm:6.0.18-beta1"
   dependencies:
     tslib: ^2.3.0
   peerDependencies:
     "@angular/common": ^16.1.6
     "@angular/core": ^16.1.6
-  checksum: b6859ff5f3e77c2de70d42c6e4d24d382a3c1b55b69f777e36f1dd778de3d3d3631a1b528d9feb6edc4be795e66e83f4ad0f25b9bddd99cb1b2003aa49d9a4a3
+  checksum: 41606c94eb3f2bcab77928da6a86c1d699520e70e7d9cde6b19d95466a974bb9cfa9762327de8283a4728381196e9ef5e2c26574b80761eddc7b734c24d74474
   languageName: node
   linkType: hard
 
@@ -6786,7 +6786,7 @@ __metadata:
     "@babel/helper-create-class-features-plugin": ^7.21.8
     "@codeceptjs/allure-legacy": ^1.0.2
     "@codeceptjs/helper": ^1.0.2
-    "@hmcts/ccpay-web-component": 6.0.13
+    "@hmcts/ccpay-web-component": 6.0.18-beta1
     "@hmcts/cookie-manager": ^1.0.0
     "@hmcts/eslint-config": ^1.4.0
     "@hmcts/nodejs-healthcheck": ^1.8.0