NHSDigital
diff --git a/‎.github/workflows/build_multi_arch_image.yml‎
Lines changed: 14 additions & 14 deletions b/‎.github/workflows/build_multi_arch_image.yml‎
Lines changed: 14 additions & 14 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/pull_request.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/pull_request.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/release.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.tool-versions‎
Lines changed: 1 addition & 1 deletion b/‎.tool-versions‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/base/.devcontainer/.tool-versions‎
Lines changed: 3 additions & 3 deletions b/‎src/base/.devcontainer/.tool-versions‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/base_node/node_24/.devcontainer/.tool-versions‎
Lines changed: 1 addition & 1 deletion b/‎src/base_node/node_24/.devcontainer/.tool-versions‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/common/.trivyignore.yaml‎
Lines changed: 64 additions & 0 deletions b/‎src/common/.trivyignore.yaml‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎src/common_node_24/.trivyignore.yaml‎
Lines changed: 40 additions & 0 deletions b/‎src/common_node_24/.trivyignore.yaml‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎src/languages/node_24_python_3_12/.devcontainer/.tool-versions‎
Lines changed: 1 addition & 1 deletion b/‎src/languages/node_24_python_3_12/.devcontainer/.tool-versions‎
Lines changed: 1 addition & 1 deletion
@@ -41,7 +41,7 @@ jobs:
             runner: ubuntu-22.04-arm
     steps:
       - name: Free Disk Space for Docker
-        uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885
+        uses: endersonmenezes/free-disk-space@7901478139cff6e9d44df5972fd8ab8fcade4db1
         with:
           remove_android: true
           remove_dotnet: true
@@ -54,7 +54,7 @@ jobs:
             dotnet-sdk-*
           remove_packages_one_command: true
       - name: Login to github container registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
         with:
               registry: ghcr.io
               username: ${{github.actor}}
@@ -66,9 +66,9 @@ jobs:
       - name: setup trivy
         uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514
         with:
-          version: v0.69.1
+          version: v0.69.3
       - name: setup node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
           node-version-file: .tool-versions
 
@@ -98,7 +98,7 @@ jobs:
           IMAGE_TAG: "${{ inputs.docker_tag }}-${{ matrix.arch }}"
           EXIT_CODE: 0
           EXTRA_COMMON: "${{ inputs.extra_common }}"
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         name: Upload scan results
         with:
           name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json"
@@ -149,7 +149,7 @@ jobs:
           CONTAINER_NAME: '${{ inputs.container_name }}'
           ARCHITECTURE: '${{ matrix.arch }}'
       - name: Attest image
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32
         with:
           subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
           subject-digest: ${{ steps.resolve_arch_digest.outputs.digest }}
@@ -173,7 +173,7 @@ jobs:
           CONTAINER_NAME: '${{ inputs.container_name }}'
           ARCHITECTURE: '${{ matrix.arch }}'
       - name: Attest github actions image
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32
         with:
           subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
           subject-digest: ${{ steps.resolve_githubactions_arch_digest.outputs.digest }}
@@ -214,7 +214,7 @@ jobs:
           ARCHITECTURE: '${{ matrix.arch }}'
       - name: Attest github actions latest image
         if: ${{ inputs.tag_latest }}
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32
         with:
           subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
           subject-digest: ${{ steps.resolve_githubactions_latest_arch_digest.outputs.digest }}
@@ -239,7 +239,7 @@ jobs:
           ARCHITECTURE: '${{ matrix.arch }}'
       - name: Attest latest image
         if: ${{ inputs.tag_latest }}
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32
         with:
           subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
           subject-digest: ${{ steps.resolve_latest_arch_digest.outputs.digest }}
@@ -263,7 +263,7 @@ jobs:
       id-token: write
     steps:
       - name: Login to github container registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
         with:
               registry: ghcr.io
               username: ${{github.actor}}
@@ -334,7 +334,7 @@ jobs:
           CONTAINER_NAME: '${{ inputs.container_name }}'
 
       - name: Attest combined image
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32
         with:
           subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
           subject-digest: ${{ steps.resolve_combined_digest.outputs.digest }}
@@ -358,7 +358,7 @@ jobs:
           CONTAINER_NAME: '${{ inputs.container_name }}'
 
       - name: Attest combined github actions image
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32
         with:
           subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
           subject-digest: ${{ steps.resolve_githubactions_combined_digest.outputs.digest }}
@@ -383,7 +383,7 @@ jobs:
 
       - name: Attest latest github actions image
         if: ${{ inputs.tag_latest }}
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32
         with:
           subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
           subject-digest: ${{ steps.resolve_githubactions_latest_digest.outputs.digest }}
@@ -408,7 +408,7 @@ jobs:
 
       - name: Attest latest image
         if: ${{ inputs.tag_latest }}
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32
         with:
           subject-name: ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}
           subject-digest: ${{ steps.resolve_latest_digest.outputs.digest }}
 
@@ -23,7 +23,7 @@ jobs:
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@dac60c1e29babc62013e7bb9ade002cb381c4c49
     needs:
       - get_asdf_version
     with:
@@ -32,7 +32,7 @@ jobs:
       SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
   tag_release:
     needs: [quality_checks, get_asdf_version]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@dac60c1e29babc62013e7bb9ade002cb381c4c49
     with:
       dry_run: true
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
 
@@ -9,7 +9,7 @@ jobs:
   dependabot-auto-approve-and-merge:
     needs: quality_checks
     uses: >-
-      NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
+      NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@dac60c1e29babc62013e7bb9ade002cb381c4c49
     secrets:
       AUTOMERGE_APP_ID: '${{ secrets.AUTOMERGE_APP_ID }}'
       AUTOMERGE_PEM: '${{ secrets.AUTOMERGE_PEM }}'
@@ -32,7 +32,7 @@ jobs:
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@dac60c1e29babc62013e7bb9ade002cb381c4c49
     needs:
       - get_asdf_version
     with:
@@ -41,7 +41,7 @@ jobs:
       SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
   pr_title_format_check:
     uses: >-
-      NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
+      NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@dac60c1e29babc62013e7bb9ade002cb381c4c49
   get_issue_number:
     runs-on: ubuntu-22.04
     needs: quality_checks
 
@@ -24,7 +24,7 @@ jobs:
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@dac60c1e29babc62013e7bb9ade002cb381c4c49
     needs:
       - get_asdf_version
     with:
@@ -33,7 +33,7 @@ jobs:
       SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
   tag_release:
     needs: [quality_checks, get_asdf_version]
-    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@8404cf6e3a61ac8de4d1644e175e288aa4965815
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@dac60c1e29babc62013e7bb9ade002cb381c4c49
     with:
       dry_run: false
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
 
@@ -5,5 +5,5 @@ shellcheck 0.11.0
 direnv 2.37.1
 actionlint 1.7.10
 ruby 3.3.0
-trivy 0.69.1
+trivy 0.69.3
 yq 4.52.2
@@ -1,6 +1,6 @@
 shellcheck 0.11.0
 direnv 2.37.1
-actionlint 1.7.10
+actionlint 1.7.11
 ruby 3.3.0
-trivy 0.69.1
-yq 4.52.2
+trivy 0.69.3
+yq 4.52.4
@@ -1 +1 @@
-nodejs 24.13.0
+nodejs 24.14.0
@@ -323,3 +323,67 @@ vulnerabilities:
     purls:
       - "pkg:golang/stdlib@v1.25.6"
     expired_at: 2026-08-13
+  - id: CVE-2025-15558
+    statement: "docker/cli: Docker CLI for Windows: Privilege escalation via malicious plugin binaries"
+    purls:
+      - "pkg:golang/github.com/docker/cli@v28.5.1%2Bincompatible"
+      - "pkg:golang/github.com/docker/cli@v29.0.3%2Bincompatible"
+      - "pkg:golang/github.com/docker/cli@v29.1.1%2Bincompatible"
+    expired_at: 2026-09-09
+  - id: CVE-2026-24051
+    statement: "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking"
+    purls:
+      - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.36.0"
+    expired_at: 2026-09-09
+  - id: CVE-2024-35870
+    statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()"
+    purls:
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-09-09
+  - id: CVE-2024-53179
+    statement: "kernel: smb: client: fix use-after-free of signing key"
+    purls:
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-09-09
+  - id: CVE-2025-21780
+    statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()"
+    purls:
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-09-09
+  - id: CVE-2025-37899
+    statement: "kernel: ksmbd: fix use-after-free in session logoff"
+    purls:
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-09-09
+  - id: CVE-2025-38118
+    statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation"
+    purls:
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-09-09
+  - id: CVE-2026-25679
+    statement: "url.Parse insufficiently validated the host/authority component and ac ..."
+    purls:
+      - "pkg:golang/stdlib@v1.16.15"
+      - "pkg:golang/stdlib@v1.23.4"
+      - "pkg:golang/stdlib@v1.24.4"
+      - "pkg:golang/stdlib@v1.24.9"
+      - "pkg:golang/stdlib@v1.25.5"
+      - "pkg:golang/stdlib@v1.25.7"
+      - "pkg:golang/stdlib@v1.26.0"
+    expired_at: 2026-09-11
+  - id: CVE-2026-27142
+    statement: "Actions which insert URLs into the content attribute of HTML meta tags ..."
+    purls:
+      - "pkg:golang/stdlib@v1.16.15"
+      - "pkg:golang/stdlib@v1.23.4"
+      - "pkg:golang/stdlib@v1.24.4"
+      - "pkg:golang/stdlib@v1.24.9"
+      - "pkg:golang/stdlib@v1.25.5"
+      - "pkg:golang/stdlib@v1.25.7"
+      - "pkg:golang/stdlib@v1.26.0"
+    expired_at: 2026-09-11
+  - id: CVE-2026-27137
+    statement: "When verifying a certificate chain which contains a certificate contai ..."
+    purls:
+      - "pkg:golang/stdlib@v1.26.0"
+    expired_at: 2026-09-11
@@ -53,3 +53,43 @@ vulnerabilities:
       - "pkg:npm/minimatch@10.0.3"
       - "pkg:npm/minimatch@9.0.5"
     expired_at: 2026-08-27
+  - id: CVE-2026-29786
+    statement: "node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10,  ..."
+    purls:
+      - "pkg:npm/tar@7.5.1"
+    expired_at: 2026-09-09
+  - id: CVE-2026-31802
+    statement: "node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10,  ..."
+    purls:
+      - "pkg:npm/tar@7.5.1"
+    expired_at: 2026-09-09
+  - id: CVE-2026-26996
+    statement: "minimatch: minimatch: Denial of Service via specially crafted glob patterns"
+    purls:
+      - "pkg:npm/minimatch@10.1.2"
+    expired_at: 2026-09-11
+  - id: CVE-2026-27903
+    statement: "minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns"
+    purls:
+      - "pkg:npm/minimatch@10.1.2"
+    expired_at: 2026-09-11
+  - id: CVE-2026-27904
+    statement: "minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions"
+    purls:
+      - "pkg:npm/minimatch@10.1.2"
+    expired_at: 2026-09-11
+  - id: CVE-2026-26960
+    statement: "tar: node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation"
+    purls:
+      - "pkg:npm/tar@7.5.7"
+    expired_at: 2026-09-11
+  - id: CVE-2026-29786
+    statement: "node-tar: hardlink path traversal via drive-relative linkpath"
+    purls:
+      - "pkg:npm/tar@7.5.7"
+    expired_at: 2026-09-11
+  - id: CVE-2026-31802
+    statement: "node-tar Symlink Path Traversal via Drive-Relative Linkpath"
+    purls:
+      - "pkg:npm/tar@7.5.7"
+    expired_at: 2026-09-11
@@ -1,2 +1,2 @@
-python 3.12.12
+python 3.12.13
 poetry 2.3.2
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-python 3.12.12`
	`1`	`+python 3.12.13`
`2`	`2`	`poetry 2.3.2`