Skip to content

chore: Merge upstream/2026 06 19#633

Merged
Dashue merged 6 commits into
v2from
merge-upstream/2026-06-19
Jun 23, 2026
Merged

chore: Merge upstream/2026 06 19#633
Dashue merged 6 commits into
v2from
merge-upstream/2026-06-19

Conversation

@Dashue

@Dashue Dashue commented Jun 19, 2026

Copy link
Copy Markdown

Merging upstream containing

  • Typescript upgrade to version 5
  • Node 22 and webpack 5 upgrade
  • Form level upload api url support
  • Secure form submissions support

Dashue and others added 5 commits May 7, 2026 16:21
* update designer to use node 22 and webpack 5

* update runner to use node 22

* update submitter to use node 22

* update submitter to node 22

* update model to node 22, update babel to compile to node 22 and remove unnecessary polyfills

* remove unnecessary babel polyfills for node 22

* update queue model to target node 22

* update webpack-dev-server

* update browserlist, govuk-jsx paths

* add process.env.REACT_LOG_LEVEL as reactEnvVariable

* Use browserlist matching govuk design system

* update webpack copy plugin to latest

* force serialize-javascript resolution to 7.0.5

* fix: resolve ajv ReDoS vulnerability (GHSA-2g4f-4pwh-qvx6) by upgrading affected packages. also removed standard format/lint library since eslint/prettier is used instead.

* add seralize-javascript resolution to fix RCE vuln (GHSA-5c6j-r48x-rmvq)

* use govuk-frontend scss import rather than importing from node_modules

* add @hapi/eslint-plugin

* remove core-js polyfill for jest and prevent circular dep error

* use entry mode for useBuiltIns to resolve windows bug

* bump deps to resolve GHSA-q8mj-m7cp-5q26, GHSA-79cf-xcqc-c78w, GHSA-58qx-3vcg-4xpx

* add ws 8.21.0 resolution for  GHSA-58qx-3vcg-4xpx vuln
* Introduce extension point to facilitate secure form submissions

* Improve typings
…6-19

# Conflicts:
#	queue-model/package.json
#	runner/src/server/plugins/engine/models/submission/WebhookModel.ts
#	runner/src/server/plugins/engine/pluginHandlers/files/prehandlers/handleUpload.ts
#	runner/src/server/services/statusService.ts
#	runner/src/server/services/upload/uploadService.ts
#	runner/src/server/services/webhookService.ts
#	submitter/package.json
#	yarn.lock
@Dashue Dashue marked this pull request as ready for review June 19, 2026 14:05
@Dashue Dashue requested a review from a team as a code owner June 19, 2026 14:05
@Dashue Dashue force-pushed the merge-upstream/2026-06-19 branch 3 times, most recently from f850359 to 4b0ffeb Compare June 22, 2026 12:07
@Dashue Dashue self-assigned this Jun 22, 2026
@Dashue Dashue force-pushed the merge-upstream/2026-06-19 branch from 4b0ffeb to 8a8bf74 Compare June 22, 2026 12:20
ebadian
ebadian previously approved these changes Jun 22, 2026
http-proxy-middleware@2.0.9 – http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass (moderate severity)
GHSA-64mm-vxmg-q3vj (+2 squashed commit)

Fix formdata vulnerability
form-data@4.0.5 – form-data: CRLF injection in form-data via unescaped multipart field names and filenames (high severity)
 GHSA-hmw2-7cc7-3qxx

Fix shell-quote vulnerability
shell-quote@1.8.3 – shell-quote quote() does not escape newlines in object .op values (critical severity)
GHSA-w7jw-789q-3m8p
@Dashue Dashue force-pushed the merge-upstream/2026-06-19 branch from 8a8bf74 to 2b7090d Compare June 23, 2026 08:28
@Dashue Dashue requested a review from ebadian June 23, 2026 08:36
@Dashue Dashue merged commit 798ad85 into v2 Jun 23, 2026
4 checks passed
@Dashue Dashue deleted the merge-upstream/2026-06-19 branch June 23, 2026 10:38
@Dashue Dashue restored the merge-upstream/2026-06-19 branch June 25, 2026 15:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants