From 1f368253140fb6d048a072e692ea41ad49c74844 Mon Sep 17 00:00:00 2001 
From: Oliver Byford Date: Mon, 30 Mar 2026 13:41:04 +0100 Subject: [PATCH 1/4] Fix non-dev vulnerabilities MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix 4 vulnerabilities (1 moderate, 3 high) by running `npm audit fix --omit=dev`: ## brace-expansion <1.1.13 Severity: moderate brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v fix available via `npm audit fix` node_modules/brace-expansion Transitive dependency of glob and nodemon: ``` $ npm ls brace-expansion govuk-prototype-kit@13.19.1 /Users/oliver.byford/Code/govuk-prototype-kit ├─┬ glob@10.5.0 │ └─┬ minimatch@9.0.9 │ └── brace-expansion@2.0.2 └─┬ nodemon@3.0.3 └─┬ minimatch@3.1.5 └── brace-expansion@1.1.12 ``` Fix by updating to 1.1.13 and 2.0.3. Changes: - https://npmdiff.dev/brace-expansion/1.1.12/1.1.13/ - https://npmdiff.dev/brace-expansion/2.0.2/2.0.3/ ## path-to-regexp <0.1.13 Severity: high path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters - https://github.com/advisories/GHSA-37ch-88jc-xwx2 fix available via `npm audit fix` node_modules/path-to-regexp Transitive dependency of express: ``` $ npm ls path-to-regexp govuk-prototype-kit@13.19.1 /Users/oliver.byford/Code/govuk-prototype-kit └─┬ express@4.22.1 └── path-to-regexp@0.1.12 ``` Fix by updating to 0.1.13. 
Changes: https://npmdiff.dev/path-to-regexp/0.1.12/0.1.13/ ## picomatch <=2.3.1 Severity: high Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj fix available via `npm audit fix` node_modules/picomatch Transitive dependency of browser-sync, chokidar and jest-environment-jsdom: ``` $ npm ls picomatch govuk-prototype-kit@13.19.1 /Users/oliver.byford/Code/govuk-prototype-kit ├─┬ browser-sync@3.0.4 │ └─┬ micromatch@4.0.8 │ └── picomatch@2.3.1 ├─┬ chokidar@3.6.0 │ ├─┬ anymatch@3.1.2 │ │ └── picomatch@2.3.1 deduped │ └─┬ readdirp@3.6.0 │ └── picomatch@2.3.1 deduped └─┬ jest-environment-jsdom@29.7.0 └─┬ jest-util@29.7.0 └── picomatch@2.3.1 deduped ``` Fix by updating to 2.3.2. Changes: https://npmdiff.dev/picomatch/2.3.1/2.3.2/ ## socket.io-parser 4.0.0 - 4.2.5 Severity: high socket.io allows an unbounded number of binary attachments - https://github.com/advisories/GHSA-677m-j7p3-52f9 fix available via `npm audit fix` node_modules/socket.io-parser Transitive dependency of browser-sync: ``` $ npm ls socket.io-parser govuk-prototype-kit@13.19.1 /Users/oliver.byford/Code/govuk-prototype-kit └─┬ browser-sync@3.0.4 ├─┬ browser-sync-ui@3.0.4 │ └─┬ socket.io-client@4.8.1 │ └── socket.io-parser@4.2.4 deduped └─┬ socket.io@4.8.1 └── socket.io-parser@4.2.4 ``` Fix by updating to 4.2.6. Changes: https://npmdiff.dev/socket.io-parser/4.2.4/4.2.6/ --- npm-shrinkwrap.json | 84 ++++++++++++++++++++++++--------------------- 1 file changed, 44 insertions(+), 40 deletions(-) diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json index 5e2bf3307f..240a382555 100644 --- a/npm-shrinkwrap.json +++ b/npm-shrinkwrap.json 
@@ -3050,9 +3050,9 @@ "dev": true }, "node_modules/brace-expansion": { - "version": "1.1.12", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", - "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", + "version": "1.1.13", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz", + "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==", "license": "MIT", "dependencies": { "balanced-match": "^1.0.0", @@ -9472,9 +9472,9 @@ } }, "node_modules/path-to-regexp": { - "version": "0.1.12", - "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz", - "integrity": "sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==", + "version": "0.1.13", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.13.tgz", + "integrity": "sha512-A/AGNMFN3c8bOlvV9RreMdrv7jsmF9XIfDeCd87+I8RNg6s78BhJxMu69NEMHBSJFxKidViTEdruRwEk/WIKqA==", "license": "MIT" }, "node_modules/path-type": { @@ -9514,9 +9514,10 @@ "license": "ISC" }, "node_modules/picomatch": { - "version": "2.3.1", - "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz", - "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==", + "version": "2.3.2", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz", + "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==", + "license": "MIT", "engines": { "node": ">=8.6" }, 
@@ -10812,23 +10813,25 @@ "license": "MIT" }, "node_modules/socket.io-parser": { - "version": "4.2.4", - "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.2.4.tgz", - "integrity": "sha512-/GbIKmo8ioc+NIWIhwdecY0ge+qVBSMdgxGygevmdHj24bsfgtCmcUUcQ5ZzcylGFHsN3k4HB4Cgkl96KVnuew==", + "version": "4.2.6", + "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.2.6.tgz", + "integrity": "sha512-asJqbVBDsBCJx0pTqw3WfesSY0iRX+2xzWEWzrpcH7L6fLzrhyF8WPI8UaeM4YCuDfpwA/cgsdugMsmtz8EJeg==", + "license": "MIT", "dependencies": { "@socket.io/component-emitter": "~3.1.0", - "debug": "~4.3.1" + "debug": "~4.4.1" }, "engines": { "node": ">=10.0.0" } }, "node_modules/socket.io-parser/node_modules/debug": { - "version": "4.3.4", - "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz", - "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==", + "version": "4.4.3", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz", + "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==", + "license": "MIT", "dependencies": { - "ms": "2.1.2" + "ms": "^2.1.3" }, "engines": { "node": ">=6.0" @@ -10840,9 +10843,10 @@ } }, "node_modules/socket.io-parser/node_modules/ms": { - "version": "2.1.2", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", - "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==" + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", + "license": "MIT" }, "node_modules/socket.io/node_modules/debug": { "version": "4.3.4", 
@@ -14574,9 +14578,9 @@ "dev": true }, "brace-expansion": { - "version": "1.1.12", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", - "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", + "version": "1.1.13", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz", + "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==", "requires": { "balanced-match": "^1.0.0", "concat-map": "0.0.1" @@ -19165,9 +19169,9 @@ } }, "path-to-regexp": { - "version": "0.1.12", - "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz", - "integrity": "sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==" + "version": "0.1.13", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.13.tgz", + "integrity": "sha512-A/AGNMFN3c8bOlvV9RreMdrv7jsmF9XIfDeCd87+I8RNg6s78BhJxMu69NEMHBSJFxKidViTEdruRwEk/WIKqA==" }, "path-type": { "version": "4.0.0", @@ -19202,9 +19206,9 @@ "dev": true }, "picomatch": { - "version": "2.3.1", - "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz", - "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==" + "version": "2.3.2", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz", + "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==" }, "pify": { "version": "2.3.0", 
@@ -20151,26 +20155,26 @@ } }, "socket.io-parser": { - "version": "4.2.4", - "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.2.4.tgz", - "integrity": "sha512-/GbIKmo8ioc+NIWIhwdecY0ge+qVBSMdgxGygevmdHj24bsfgtCmcUUcQ5ZzcylGFHsN3k4HB4Cgkl96KVnuew==", + "version": "4.2.6", + "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.2.6.tgz", + "integrity": "sha512-asJqbVBDsBCJx0pTqw3WfesSY0iRX+2xzWEWzrpcH7L6fLzrhyF8WPI8UaeM4YCuDfpwA/cgsdugMsmtz8EJeg==", "requires": { "@socket.io/component-emitter": "~3.1.0", - "debug": "~4.3.1" + "debug": "~4.4.1" }, "dependencies": { "debug": { - "version": "4.3.4", - "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz", - "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==", + "version": "4.4.3", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz", + "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==", "requires": { - "ms": "2.1.2" + "ms": "^2.1.3" } }, "ms": { - "version": "2.1.2", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", - "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==" + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==" } } }, From 12615ad6a5b2f07a473fbd91e301f16f13d3caee Mon Sep 17 00:00:00 2001 
From: Oliver Byford Date: Wed, 1 Apr 2026 16:00:12 +0100 Subject: [PATCH 2/4] Fix fixable dev vulnerabilities MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix 2 vulnerabilities (1 moderate, 1 high) in our dev dependencies by running `npm audit fix`: ## brace-expansion 2.0.0 - 2.0.2 Severity: moderate brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v fix available via `npm audit fix` node_modules/glob/node_modules/brace-expansion ``` $ npm ls brace-expansion govuk-prototype-kit@13.19.1 /Users/oliver.byford/Code/govuk-prototype-kit ├─┬ glob@10.5.0 │ └─┬ minimatch@9.0.9 │ └── brace-expansion@2.0.2 └─┬ nodemon@3.0.3 └─┬ minimatch@3.1.5 └── brace-expansion@1.1.13 ``` Fix by updating to 1.1.13 and 2.0.3. Changes: - https://npmdiff.dev/brace-expansion/1.1.12/1.1.13/ - https://npmdiff.dev/brace-expansion/2.0.2/2.0.3/ Changes already reviewed because the same bumps were made in the previous commit. ## flatted <=3.4.1 Severity: high flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh fix available via `npm audit fix` node_modules/flatted ``` $ npm ls flatted govuk-prototype-kit@13.19.1 /Users/oliver.byford/Code/govuk-prototype-kit └─┬ eslint-plugin-cypress@2.15.1 └─┬ eslint@8.52.0 └─┬ file-entry-cache@6.0.1 └─┬ flat-cache@3.0.4 └── flatted@3.2.7 ``` Fix by updating to 3.4.2. Changes: https://npmdiff.dev/flatted/3.2.7/3.4.2/ This leaves 4 low severity vulnerabilities in @tootallnate/once which is blocked on updating to Jest v30 (#2515). --- npm-shrinkwrap.json | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json index 240a382555..165e1660d8 100644 --- a/npm-shrinkwrap.json +++ b/npm-shrinkwrap.json 
@@ -6062,10 +6062,11 @@ } }, "node_modules/flatted": { - "version": "3.2.7", - "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.2.7.tgz", - "integrity": "sha512-5nqDSxl8nn5BSNxyR3n4I6eDmbolI6WT+QqR547RwxQapgjQBmtktdP+HTBb/a/zLsbzERTONyUB5pefh5TtjQ==", - "dev": true + "version": "3.4.2", + "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz", + "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==", + "dev": true, + "license": "ISC" }, "node_modules/follow-redirects": { "version": "1.15.11", @@ -6448,9 +6449,9 @@ } }, "node_modules/glob/node_modules/brace-expansion": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz", - "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==", + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.3.tgz", + "integrity": "sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==", "dev": true, "license": "MIT", "dependencies": { @@ -16731,9 +16732,9 @@ } }, "flatted": { - "version": "3.2.7", - "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.2.7.tgz", - "integrity": "sha512-5nqDSxl8nn5BSNxyR3n4I6eDmbolI6WT+QqR547RwxQapgjQBmtktdP+HTBb/a/zLsbzERTONyUB5pefh5TtjQ==", + "version": "3.4.2", + "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz", + "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==", "dev": true }, "follow-redirects": { 
@@ -16979,9 +16980,9 @@ }, "dependencies": { "brace-expansion": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz", - "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==", + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.3.tgz", + "integrity": "sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==", "dev": true, "requires": { "balanced-match": "^1.0.0" From 199d5b2d3042c17f55400f99d7df0b9dbc34c7e2 Mon Sep 17 00:00:00 2001 From: Oliver Byford Date: Tue, 7 Apr 2026 12:20:11 +0100 Subject: [PATCH 3/4] Update lodash MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix 1 high severity vulnerability by running npm audit fix --omit=dev: ## lodash <=4.17.23 Severity: high lodash vulnerable to Code Injection via `_.template` imports key names - https://github.com/advisories/GHSA-r5fr-rjxr-66jc lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - https://github.com/advisories/GHSA-f23m-r3pf-42rh fix available via `npm audit fix` node_modules/lodash lodash is a direct dependency, and a transitive dependency of browser-sync and portscanner as well as cypress and wait-on (dev dependencies): ``` % npm ls lodash govuk-prototype-kit@13.19.1 /Users/oliver.byford/Code/govuk-prototype-kit ├─┬ browser-sync@3.0.4 │ └─┬ easy-extender@2.3.4 │ └── lodash@4.17.23 deduped ├─┬ cypress@13.6.5 │ └── lodash@4.17.23 deduped ├── lodash@4.17.23 ├─┬ portscanner@2.2.0 │ └─┬ async@2.6.4 │ └── lodash@4.17.23 deduped └─┬ wait-on@7.2.0 └── lodash@4.17.23 deduped ``` Fix by updating to 4.18.1. Changes: https://npmdiff.dev/lodash/4.17.23/4.18.1/ --- npm-shrinkwrap.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json index 165e1660d8..6c690fd996 100644 --- a/npm-shrinkwrap.json +++ b/npm-shrinkwrap.json @@ -8632,9 +8632,9 @@ } }, "node_modules/lodash": { - "version": "4.17.23", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", - "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==", + "version": "4.18.1", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz", + "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==", "license": "MIT" }, "node_modules/lodash.isfinite": { @@ -18577,9 +18577,9 @@ } }, "lodash": { - "version": "4.17.23", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", - "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==" + "version": "4.18.1", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz", + "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==" }, "lodash.isfinite": { "version": "3.3.2", From 25c5ad2f875e120c04474675e54ca32fa0700a0f Mon Sep 17 00:00:00 2001 From: Oliver Byford Date: Tue, 7 Apr 2026 14:29:51 +0100 Subject: [PATCH 4/4] Document in CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb74851c25..6b8218bd3e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -28,6 +28,7 @@ It's still possible for dependencies to execute malicious code. Make sure you on
 - [#2516: Update immutable](https://github.com/alphagov/govuk-prototype-kit/pull/2516)
 - [#2518: Only fetch plugin package info from NPM when needed](https://github.com/alphagov/govuk-prototype-kit/pull/2518) – thanks to @RichardBradley for reporting this issue and contributing a fix
+- [#2524: Update brace-expansion, path-to-regexp, picomatch, socket.io-parser, lodash and other dev dependencies](https://github.com/alphagov/govuk-prototype-kit/pull/2524)
 ## 13.19.1