[Snyk] Upgrade: , , , , , govuk-frontend, hapi-pino, nunjucks

[GodsonLeigh]

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

@azure/msal-node
from 1.3.0 to 1.18.4 | 33 versions ahead of your current version | a year ago
on 2023-10-27
@azure/storage-blob
from 12.8.0 to 12.24.0 | 199 versions ahead of your current version | 2 months ago
on 2024-07-23
@hapi/wreck
from 17.1.0 to 17.2.0 | 1 version ahead of your current version | 2 years ago
on 2022-03-25
@hapi/hapi
from 20.2.1 to 20.3.0 | 2 versions ahead of your current version | 2 years ago
on 2023-02-14
@hapi/inert
from 6.0.3 to 6.0.5 | 2 versions ahead of your current version | 3 years ago
on 2022-01-16
govuk-frontend
from 3.14.0 to 3.15.0 | 1 version ahead of your current version | 7 months ago
on 2024-02-05
hapi-pino
from 8.3.0 to 8.5.0 | 2 versions ahead of your current version | 3 years ago
on 2021-10-08
nunjucks
from 3.2.3 to 3.2.4 | 1 version ahead of your current version | a year ago
on 2023-04-13

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Cross-site Request Forgery (CSRF) SNYK-JS-AXIOS-6032459	626	Proof of Concept
	Improper Input Validation SNYK-JS-FOLLOWREDIRECTS-6141137	626	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-NUNJUCKS-5431309	626	Proof of Concept
	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	626	Proof of Concept
	Prototype Pollution SNYK-JS-XML2JS-5414874	626	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-6124857	626	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	626	Proof of Concept
	Improper Authentication SNYK-JS-JSONWEBTOKEN-3180022	626	No Known Exploit
	Improper Restriction of Security Token Assignment SNYK-JS-JSONWEBTOKEN-3180024	626	No Known Exploit
	Use of a Broken or Risky Cryptographic Algorithm SNYK-JS-JSONWEBTOKEN-3180026	626	No Known Exploit

Release notes

Package name: @azure/msal-node

• 1.18.4 - 2023-10-27
• 1.18.3 - 2023-09-05
• 1.18.2 - 2023-08-24
• 1.18.1 - 2023-08-07
• 1.18.0 - 2023-07-06
• 1.17.3 - 2023-06-07
• 1.17.2 - 2023-05-02
• 1.17.1 - 2023-04-18
• 1.17.0 - 2023-04-03
• 1.16.0 - 2023-03-07
• 1.15.0 - 2023-02-06
• 1.14.6 - 2023-01-10
• 1.14.5 - 2022-12-07
• 1.14.4 - 2022-11-22
• 1.14.3 - 2022-11-07
• 1.14.2 - 2022-10-10
• 1.14.1 - 2022-10-03
• 1.14.0 - 2022-09-12
• 1.13.0 - 2022-09-06
• 1.12.1 - 2022-08-01
• 1.12.0 - 2022-07-18
• 1.11.0 - 2022-07-05
• 1.10.0 - 2022-06-13
• 1.9.1 - 2022-06-06
• 1.9.0 - 2022-05-02
• 1.8.0 - 2022-04-04
• 1.7.0 - 2022-03-07
• 1.6.0 - 2022-02-08
• 1.5.0 - 2022-01-04
• 1.4.0 - 2021-12-07
• 1.3.3 - 2021-11-02
• 1.3.2 - 2021-10-05
• 1.3.1 - 2021-09-08
• 1.3.0 - 2021-07-22

from @azure/msal-node GitHub release notes

Package name: @hapi/wreck

• 17.2.0 - 2022-03-25
  

  17.2.0

• 17.1.0 - 2020-11-23
  

  version 17.1.0

from @hapi/wreck GitHub release notes

Package name: @hapi/hapi

• 20.3.0 - 2023-02-14
  

  20.3.0

• 20.2.2 - 2022-04-20
  

  20.2.2

• 20.2.1 - 2021-10-09

from @hapi/hapi GitHub release notes

Package name: @hapi/inert

• 6.0.5 - 2022-01-16
  No content.
• 6.0.4 - 2021-08-30
  No content.
• 6.0.3 - 2020-09-26
  No content.

from @hapi/inert GitHub release notes

Package name: govuk-frontend

• 3.15.0 - 2024-02-05
  

  This release includes the ability to update the crown logo. You must do this between 19 February and 1 March 2024.

  We’ll send reminders to our mailing list and cross-government Slack as soon as you can make this change.

  New features

  Update to the new GOV.UK logo (between 19 February and 1 March 2024)

  We’ve updated the GOV.UK logo to reflect the changing of the monarch. King Charles III uses the Tudor Crown, rather than the St Edward’s Crown chosen by Queen Elizabeth II.

  If your service uses GOV.UK branding, you must update your service to use the new crown.

  These changes were made in the following pull requests:

  • #4379: Implement the Tudor crown favicons (v3.x)
  • #4380: Implement the Tudor crown in the Header component (v3.x)
  • #4711: Adjust Tudor crown spacing (v3) - thanks to @ MartinJJones and @ monicacrusellasfanlo for contributing this change

  Include the new logo assets

  Multiple new image assets are included in this release. You will need to copy these to your service's image assets folder if they are not being used directly from the Frontend package. By default this folder is located at /assets/images.

  If you are using Nunjucks, the asset path may have been changed by the assetPath global variable or assetsPath parameter on the header component.

  Copy the following files from /dist/assets/images into your assets folder. Any images with the same name as an existing image can be safely overwritten.

  • favicon.ico
  • govuk-apple-touch-icon-152x152.png
  • govuk-apple-touch-icon-167x167.png
  • govuk-apple-touch-icon-180x180.png
  • govuk-apple-touch-icon.png
  • govuk-logotype-tudor-crown.png
  • govuk-mask-icon.svg
  • govuk-opengraph-image.png

  Update the logo in the header of your page

  If you are using the govukHeader Nunjucks macro in your service, add the useTudorCrown parameter to the macro instantiation.

  {{ govukHeader({
    ...
    useTudorCrown: true
  }) }}

  If you are not using the Nunjucks macro, locate the HTML for the existing crown and replace it with this updated HTML. Make sure the URL for the new PNG fallback image is correct.

  <!--[if gt IE 8]><!-->
  <svg
    aria-hidden="true"
    focusable="false"
    class="govuk-header__logotype-crown"
    xmlns="http://www.w3.org/2000/svg"
    viewBox="0 0 32 30"
    height="30"
    width="32"
  >
    <path
      fill="currentColor" fill-rule="evenodd"
      d="M22.6 10.4c-1 .4-2-.1-2.4-1-.4-.9.1-2 1-2.4.9-.4 2 .1 2.4 1s-.1 2-1 2.4m-5.9 6.7c-.9.4-2-.1-2.4-1-.4-.9.1-2 1-2.4.9-.4 2 .1 2.4 1s-.1 2-1 2.4m10.8-3.7c-1 .4-2-.1-2.4-1-.4-.9.1-2 1-2.4.9-.4 2 .1 2.4 1s0 2-1 2.4m3.3 4.8c-1 .4-2-.1-2.4-1-.4-.9.1-2 1-2.4.9-.4 2 .1 2.4 1s-.1 2-1 2.4M17 4.7l2.3 1.2V2.5l-2.3.7-.2-.2.9-3h-3.4l.9 3-.2.2c-.1.1-2.3-.7-2.3-.7v3.4L15 4.7c.1.1.1.2.2.2l-1.3 4c-.1.2-.1.4-.1.6 0 1.1.8 2 1.9 2.2h.7c1-.2 1.9-1.1 1.9-2.1 0-.2 0-.4-.1-.6l-1.3-4c-.1-.2 0-.2.1-.3m-7.6 5.7c.9.4 2-.1 2.4-1 .4-.9-.1-2-1-2.4-.9-.4-2 .1-2.4 1s0 2 1 2.4m-5 3c.9.4 2-.1 2.4-1 .4-.9-.1-2-1-2.4-.9-.4-2 .1-2.4 1s.1 2 1 2.4m-3.2 4.8c.9.4 2-.1 2.4-1 .4-.9-.1-2-1-2.4-.9-.4-2 .1-2.4 1s0 2 1 2.4m14.8 11c4.4 0 8.6.3 12.3.8 1.1-4.5 2.4-7 3.7-8.8l-2.5-.9c.2 1.3.3 1.9 0 2.7-.4-.4-.8-1.1-1.1-2.3l-1.2 4c.7-.5 1.3-.8 2-.9-1.1 2.5-2.6 3.1-3.5 3-1.1-.2-1.7-1.2-1.5-2.1.3-1.2 1.5-1.5 2.1-.1 1.1-2.3-.8-3-2-2.3 1.9-1.9 2.1-3.5.6-5.6-2.1 1.6-2.1 3.2-1.2 5.5-1.2-1.4-3.2-.6-2.5 1.6.9-1.4 2.1-.5 1.9.8-.2 1.1-1.7 2.1-3.5 1.9-2.7-.2-2.9-2.1-2.9-3.6.7-.1 1.9.5 2.9 1.9l.4-4.3c-1.1 1.1-2.1 1.4-3.2 1.4.4-1.2 2.1-3 2.1-3h-5.4s1.7 1.9 2.1 3c-1.1 0-2.1-.2-3.2-1.4l.4 4.3c1-1.4 2.2-2 2.9-1.9-.1 1.5-.2 3.4-2.9 3.6-1.9.2-3.4-.8-3.5-1.9-.2-1.3 1-2.2 1.9-.8.7-2.3-1.2-3-2.5-1.6.9-2.2.9-3.9-1.2-5.5-1.5 2-1.3 3.7.6 5.6-1.2-.7-3.1 0-2 2.3.6-1.4 1.8-1.1 2.1.1.2.9-.3 1.9-1.5 2.1-.9.2-2.4-.5-3.5-3 .6 0 1.2.3 2 .9l-1.2-4c-.3 1.1-.7 1.9-1.1 2.3-.3-.8-.2-1.4 0-2.7l-2.9.9C1.3 23 2.6 25.5 3.7 30c3.7-.5 7.9-.8 12.3-.8"></path>
  </svg>
  <!--<![endif]-->
  <!--[if IE 8]>
  <img src="/assets/images/govuk-logotype-tudor-crown.png" class="govuk-header__logotype-crown-fallback-image" width="32" height="30" alt="">
  <![endif]-->

• 3.14.0 - 2021-10-04

from govuk-frontend GitHub release notes

Package name: hapi-pino

• 8.5.0 - 2021-10-08
  

  What's Changed

  • Replace Travis workflow with GitHub action by @ lauraseidler in #140
  • Allow tags to point to a custom level defined in pino's customLevels by @ aalimovs in #125

  New Contributors

  • @ aalimovs made their first contribution in #125

  Full Changelog: v8.4.0...v8.5.0

• 8.4.0 - 2021-09-28
  

  What's Changed

  • Fix test case for simulating a closed connection by @ lauraseidler in #137
  • Respect messageKey option when mergeHapiLogData is set by @ lauraseidler in #138

  Full Changelog: v8.3.0...v8.4.0

• 8.3.0 - 2020-09-04
  

  📚 PR:

  • Added logQueryParams option to log the query params (#122)

from hapi-pino GitHub release notes

Package name: nunjucks

• 3.2.4 - 2023-04-13
  

  What's Changed

  • fix: html encode backslashes if used with escape filter or autoescape by @ fdintino in #1437. Fixes CVE-2023-2142
    (bugzilla #1825980)

  Full Changelog: v3.2.3...v3.2.4

• 3.2.3 - 2021-02-15
  
  • Add support for nested attributes on sort filter; respect throwOnUndefined if sort attribute is undefined.
  • Add base arg to int filter.
  • Move chokidar to peerDependencies and mark it optional in peerDependenciesMeta.
  • Fix prototype pollution issue for template variables. Merge of #1330; fixes #1331. Thanks ChenKS12138!

from nunjucks GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs