We take security and the protection of private data extremely seriously. If you believe you have found a vulnerability or other issue which has compromised or could compromise the security of any of our systems or private data managed by our systems, please do not hesitate to contact us using the method outlined below.

• Security
  • Table of Contents
  • Reporting a vulnerability
  • General Security Enquiries
  • Dependency overrides (npm)
    • Current overrides
    • Review policy

If you believe you have found a security issue in this repository, please report it using GitHub's private vulnerability reporting:

1. Report a vulnerability
2. Provide details of the issue and steps to reproduce

This creates a private channel for discussion and allows us to coordinate a fix before any public disclosure.

If you have general enquiries regarding our cybersecurity, please reach out to us at cybersecurity@nhs.net

This project uses npm overrides to temporarily address security vulnerabilities reported in development-only dependencies introduced by @wordpress/scripts.

These dependencies are used only during local development (build, linting, and testing). They are not bundled or shipped with the WordPress plugin.

• minimatch → ^10.2.3
  Reason: Addresses a ReDoS vulnerability in glob matching used by ESLint and webpack-related tooling.

• webpack-dev-server → ^5.2.1
  Reason: Patches known dev-server vulnerabilities (e.g. CVE-2025-30359 / CVE-2025-30360). Development-only.

• serialize-javascript → ^7.0.5
  Reason: Addresses high-severity vulnerabilities reported in transitive usage via copy-webpack-plugin. Development-only.

Overrides are reviewed during routine dependency updates and removed once upstream tooling (e.g. @wordpress/scripts) adopts patched versions natively.