Conversation

@KatKovacs1 KatKovacs1 commented Feb 2, 2026

Jira link

See SSCSCI-2338

Change description

Steps to resolve CVE-2024-21538

  1. Migrated from pre-commit to husky
  2. Migrated uk-bank-holidays into util
  3. Patched cross-spawn

Pre-commit migration

Pre-commit is a pre-commit hook installer for git. The repo is not archived or deprecated but the last npm release was 9 years ago. Not expecting any updates here, so migrated to Husky.

Also added lint-staged to run code-formatting and linting only on staged files during commit.

Moving away from uk-bank-holidays module

Uk-bank-holidays is a module that checks whether a date is a UK bank holiday or not. This is marked as public archived and was last updated 8 years ago. I didn't find any other HMCTS repos referencing this module. Created a new utility based on the removed module.

Bump cross-spawn

Cross-spawn is a transitive dependency via cross-env, eslint, mocha, nyc, rewire and webpack-cli. All packages use v7, but cross-env, nyc and webpack-cli use version 7.0.3, which is affected by CVE-2024-21538. Added cross-spawn to resolutions to update to the latest 7.0.6 version.


Testing done

Changes tested in preview and nightly-dev pipelines, and manual happy-path test (Ref: 1770053401954206).

SSCSCI-2338 pipelines

Security Vulnerability Assessment

CVE Suppression: Are there any CVEs present in the codebase (either newly introduced or pre-existing) that are being intentionally suppressed or ignored by this commit?

  • Yes
  • No
| Package | Severity | Versions | Dependents | Issue |
| --- | --- | --- | --- | --- |
| loader-utils | critical | 0.2.17 | nunjucks-loader@virtual:3***2#npm:3.0.0 | [18] |
| glob | high | 10.4.5, 8.1.0 | mocha@npm:11.7.5, cacache@npm:16.1.3 | [8], [9] |
| hoek | high | 5.0.4, 6.1.3 | joi@npm:13.7.0, topo@npm:3.0.3 | [11] |
| ip | high | 2.0.0 | socks@npm:2.7.1 | [13], [14] |
| json5 | high | 0.5.1 | loader-utils@npm:0.2.17 | [16] |
| @npmcli/move-file | moderate | 2.0.1 | cacache@npm:16.1.3 | [1] |
| acorn-import-assertions | moderate | 1.9.0 | import-in-the-middle@npm:1.4.2 | [2] |
| are-we-there-yet | moderate | 3.0.1 | npmlog@npm:6.0.2 | [3] |
| csurf | moderate | 1.11.0 | sya@workspace:. | [5] |
| gauge | moderate | 4.0.4 | npmlog@npm:6.0.2 | [7] |
| govuk_template_jinja | moderate | 0.26.0 | sya@workspace:. | [10] |
| inflight | moderate | 1.0.6 | glob@npm:7.1.7 | [12] |
| joi | moderate | 13.7.0 | @hmcts/one-per-page@npm:5.4.0 | [15] |
| keygrip | moderate | 1.1.0 | cookies@npm:0.9.1 | [17] |
| mem | moderate | 10.0.0 | @hmcts/div-idam-express-middleware@npm:7.0.1 | [19] |
| node-domexception | moderate | 1.0.0 | fetch-blob@npm:3.2.0 | [20] |
| npmlog | moderate | 6.0.2 | node-gyp@npm:9.3.1 | [21] |
| nunjucks | moderate | 3.2.3 | @hmcts/one-per-page@npm:5.4.0 | [22] |
| rimraf | moderate | 3.0.2 | node-gyp@npm:9.3.1 | [23] |
| stable | moderate | 0.1.8 | svgo@npm:2.7.0 | [24] |
| topo | moderate | 3.0.3 | joi@npm:13.7.0 | [25] |
| brace-expansion | low | 2.0.1 | minimatch@npm:9.0.5 | [4] |
| diff | low | 7.0.0 | @hmcts/div-idam-express-middleware@npm:7.0.1 | [6] |

📝 Issue Notes

  • [1] @npmcli/move-file — This functionality has been moved to @npmcli/fs
  • [2] acorn-import-assertions — package has been renamed to acorn-import-attributes
  • [3] are-we-there-yet — This package is no longer supported.
  • [4] brace-expansion — brace-expansion Regular Expression Denial of Service vulnerability (GHSA-v6h2-p8h4-qcjw)
  • [5] csurf — This package is archived and no longer maintained. For support, visit https://github.com/expressjs/express/discussions
  • [6] diff — jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch (GHSA-73rr-hh4g-fpgx)
  • [7] gauge — This package is no longer supported.
  • [8] glob — glob CLI: Command injection via -c/--cmd executes matches with shell:true (GHSA-5j98-mcp5-4vw2)
  • [9] glob — Glob versions prior to v9 are no longer supported
  • [10] govuk_template_jinja — GOV.UK Template is no longer maintained. Use the GOV.UK Design System instead: https://frontend.design-system.service.gov.uk/v4/migrating-from-legacy-products/
  • [11] hoek — hoek subject to prototype pollution via the clone function. (GHSA-c429-5p7v-vgjp)
  • [12] inflight — This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
  • [13] ip — NPM IP package incorrectly identifies some private IP addresses as public (GHSA-78xj-cgh5-2h22)
  • [14] ip — ip SSRF improper categorization in isPublic (GHSA-2p57-rm9w-gvfp)
  • [15] joi — This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
  • [16] json5 — Prototype Pollution in JSON5 via Parse Method (GHSA-9c47-m6qq-7p4h)
  • [17] keygrip — Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
  • [18] loader-utils — Prototype pollution in webpack loader-utils (GHSA-76p3-8jx3-jpfq)
  • [19] mem — Renamed to memoize: https://www.npmjs.com/package/memoize
  • [20] node-domexception — Use your platform's native DOMException instead
  • [21] npmlog — This package is no longer supported.
  • [22] nunjucks — Nunjucks autoescape bypass leads to cross site scripting (GHSA-x77j-w7wf-fjmw)
  • [23] rimraf — Rimraf versions prior to v4 are no longer supported
  • [24] stable — Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
  • [25] topo — This module has moved and is now available at @hapi/topo. Please update your dependencies as this version is no longer maintained and may contain bugs and security issues.

Checklist

  • commit messages are meaningful and follow good commit message guidelines
  • README and other documentation has been updated / added (if needed)
  • tests have been updated / new tests have been added (if needed)
  • Does this PR introduce a breaking change

@KatKovacs1 KatKovacs1 added the enable_keep_helm keep helm release when tests fail for manual testing label Feb 2, 2026
@KatKovacs1 KatKovacs1 marked this pull request as ready for review February 2, 2026 17:49
@KatKovacs1 KatKovacs1 requested a review from a team as a code owner February 2, 2026 17:49

Labels

enable_keep_helm keep helm release when tests fail for manual testing ns:sscs prd:sscs rel:sscs-tribunals-frontend-pr-1935
