From 70d5f02e9e083a86007c270d38639ed8b4114ba5 Mon Sep 17 00:00:00 2001 From: Francisco Videira Date: Tue, 10 Mar 2026 11:11:11 +0000 Subject: [PATCH 1/6] Init --- lambdas/api-handler/src/handlers/amendment-event-transformer.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lambdas/api-handler/src/handlers/amendment-event-transformer.ts b/lambdas/api-handler/src/handlers/amendment-event-transformer.ts index d881ce5e..1cc7ba81 100644 --- a/lambdas/api-handler/src/handlers/amendment-event-transformer.ts +++ b/lambdas/api-handler/src/handlers/amendment-event-transformer.ts @@ -29,6 +29,8 @@ export default function createTransformAmendmentEventHandler( letter.reasonCode = updateLetterCommand.reasonCode; letter.reasonText = updateLetterCommand.reasonText; + // validate given the letter status change event schema allows "uuid" style only? + const letterEvent = mapLetterToCloudEvent( letter, deps.env.EVENT_SOURCE, From 360e83a863e2d95c916479ca981879551e76ea8f Mon Sep 17 00:00:00 2001 From: Francisco Videira Date: Tue, 10 Mar 2026 12:45:10 +0000 Subject: [PATCH 2/6] Event envelope allows wider subject resource id --- .../events/__tests__/event-envelope.test.ts | 22 +++++++++++++++++++ internal/events/src/events/event-envelope.ts | 5 +++-- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/internal/events/src/events/__tests__/event-envelope.test.ts b/internal/events/src/events/__tests__/event-envelope.test.ts index 4842ef4f..cad95ea1 100644 --- a/internal/events/src/events/__tests__/event-envelope.test.ts +++ b/internal/events/src/events/__tests__/event-envelope.test.ts 
@@ -364,5 +364,27 @@ describe("EventEnvelope schema validation", () => { const result = $EnvelopeNoPrefix.safeParse(envelope); expect(result.success).toBe(false); }); + + it("should accept subject with non uuid resource id", () => { + const envelope = { + ...baseLetterEnvelope, + subject: "letter-origin/letter-rendering/letter/Some_Letter_12345", + }; + + const result = $EnvelopeWithPrefix.safeParse(envelope); + expect(result.error).toBeUndefined(); + expect(result.success).toBe(true); + }); + + it("should accept subject with multi sub path resource id", () => { + const envelope = { + ...baseLetterEnvelope, + subject: "letter-origin/letter-rendering/letter/a/B/c/123", + }; + + const result = $EnvelopeWithPrefix.safeParse(envelope); + expect(result.error).toBeUndefined(); + expect(result.success).toBe(true); + }); }); }); diff --git a/internal/events/src/events/event-envelope.ts b/internal/events/src/events/event-envelope.ts index ba9d4144..f3602bf4 100644 --- a/internal/events/src/events/event-envelope.ts +++ b/internal/events/src/events/event-envelope.ts @@ -90,8 +90,9 @@ export function EventEnvelope( subject: z .string() - - .regex(new RegExp(`^${subjectPrefixRegex}${resourceName}/[a-z0-9-]+$`)) + .regex( + new RegExp(`^${subjectPrefixRegex}${resourceName}/[^/]+(?:/.*)?$`), + ) .meta({ title: "Event Subject", description: From d7ef2488c9bad4c2463b547997842b2f4af369c6 Mon Sep 17 00:00:00 2001 From: Francisco Videira Date: Tue, 10 Mar 2026 16:40:42 +0000 Subject: [PATCH 3/6] Bump bersion and clean up --- internal/events/package.json | 2 +- lambdas/api-handler/src/handlers/amendment-event-transformer.ts | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/internal/events/package.json b/internal/events/package.json index d8b6626c..cf2e4f0e 100644 --- a/internal/events/package.json +++ b/internal/events/package.json @@ -37,5 +37,5 @@ "typecheck": "tsc --noEmit" }, "types": "dist/index.d.ts", - "version": "1.0.13" + "version": "1.0.14" } 
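Review bot: Both added cases assert acceptance only, so nothing in this hunk pins what the widened subject pattern must still reject. Add companion cases beside them, for example a subject ending in `letter/` (empty resource id) expecting `result.success` to be `false`. Add another whose id contains whitespace or a line break, asserting whichever outcome the schema is meant to give. A later loosening of the pattern then shows up as a test failure rather than passing silently. `baseLetterEnvelope` and `$EnvelopeWithPrefix` are defined outside the hunk, so the fixture shape is assumed to match the existing cases.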
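Review bot: The new tail `[^/]+(?:/.*)?$` in the `subject` regex accepts far more than the two shapes the added tests need. A negated class also matches spaces, control characters and line breaks in the first segment, and `.*` after the first slash allows empty (`//`) and `..` segments and a trailing slash. How consumers use `subject` is not visible here, but if it reaches log lines, storage keys or routing rules, this schema is the only place that constrains it. An explicit allow-list keeps `Some_Letter_12345` and `a/B/c/123` valid while rejecting the rest, e.g. a tail of `/[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*$`. The enclosing `EventEnvelope` function starts and ends outside the hunk.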
diff --git a/lambdas/api-handler/src/handlers/amendment-event-transformer.ts b/lambdas/api-handler/src/handlers/amendment-event-transformer.ts index 1cc7ba81..d881ce5e 100644 --- a/lambdas/api-handler/src/handlers/amendment-event-transformer.ts +++ b/lambdas/api-handler/src/handlers/amendment-event-transformer.ts @@ -29,8 +29,6 @@ export default function createTransformAmendmentEventHandler( letter.reasonCode = updateLetterCommand.reasonCode; letter.reasonText = updateLetterCommand.reasonText; - // validate given the letter status change event schema allows "uuid" style only? - const letterEvent = mapLetterToCloudEvent( letter, deps.env.EVENT_SOURCE, From 0719b5d2b3c532d708413db61f7c137c33ef9703 Mon Sep 17 00:00:00 2001 From: Francisco Videira Date: Wed, 11 Mar 2026 12:21:40 +0000 Subject: [PATCH 4/6] Ignore regex false positives --- internal/events/src/events/event-envelope.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/internal/events/src/events/event-envelope.ts b/internal/events/src/events/event-envelope.ts index f3602bf4..9541d6da 100644 --- a/internal/events/src/events/event-envelope.ts +++ b/internal/events/src/events/event-envelope.ts @@ -81,6 +81,7 @@ export function EventEnvelope( source: z .string() + // eslint-disable-next-line security/detect-unsafe-regex .regex(/^\/data-plane\/supplier-api(?:\/.*)?$/) .meta({ title: "Event Source", @@ -91,6 +92,7 @@ export function EventEnvelope( subject: z .string() .regex( + // eslint-disable-next-line security/detect-non-literal-regexp new RegExp(`^${subjectPrefixRegex}${resourceName}/[^/]+(?:/.*)?$`), ) .meta({ From 4e8263dd7b0937fdd5c94dd39dd64769934800f3 Mon Sep 17 00:00:00 2001 From: Steve Buxton Date: Tue, 17 Mar 2026 13:36:58 +0000 Subject: [PATCH 5/6] Fix trivy vulnerabilities --- package-lock.json | 12 ++++++------ package.json | 2 ++ tests/e2e-tests/poetry.lock | 10 +++++----- 3 files changed, 13 insertions(+), 11 deletions(-) 
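Review bot: Both added `eslint-disable-next-line` directives in `event-envelope.ts` (the `source` hunk at line 81 and the `subject` hunk at line 92) silence a security rule without saying why the finding is a false positive. For the `source` literal, a trailing reason is enough, e.g. `// eslint-disable-next-line security/detect-unsafe-regex -- optional group applies at most once, matching stays linear`. The `security/detect-non-literal-regexp` suppression is sound only if `subjectPrefixRegex` and `resourceName` are fixed, developer-supplied values, and their origin is outside the hunk. State that in the directive, e.g. `-- built from schema-definition constants, never from event data`. If `resourceName` is meant as a literal name rather than a pattern fragment, escape its regex metacharacters before interpolating it.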
diff --git a/package-lock.json b/package-lock.json index 44b6fe22..1023cbeb 100644 --- a/package-lock.json +++ b/package-lock.json @@ -13543,9 +13543,9 @@ } }, "node_modules/flatted": { - "version": "3.3.4", - "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.4.tgz", - "integrity": "sha512-3+mMldrTAPdta5kjX2G2J7iX4zxtnwpdA8Tr2ZSjkyPSanvbZAcy6flmtnXbEybHrDcU9641lxrMfFuUxVz9vA==", + "version": "3.4.1", + "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.1.tgz", + "integrity": "sha512-IxfVbRFVlV8V/yRaGzk0UVIcsKKHMSfYw66T/u4nTwlWteQePsxe//LjudR1AMX4tZW3WFCh3Zqa/sjlqpbURQ==", "dev": true, "license": "ISC" }, @@ -21883,9 +21883,9 @@ "license": "MIT" }, "node_modules/undici": { - "version": "7.22.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.22.0.tgz", - "integrity": "sha512-RqslV2Us5BrllB+JeiZnK4peryVTndy9Dnqq62S3yYRRTj0tFQCwEniUy2167skdGOy3vqRzEvl1Dm4sV2ReDg==", + "version": "7.24.4", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.4.tgz", + "integrity": "sha512-BM/JzwwaRXxrLdElV2Uo6cTLEjhSb3WXboncJamZ15NgUURmvlXvxa6xkwIOILIjPNo9i8ku136ZvWV0Uly8+w==", "dev": true, "license": "MIT", "engines": { diff --git a/package.json b/package.json index 7bf1c6b4..8ec3fd89 100644 --- a/package.json +++ b/package.json @@ -66,6 +66,8 @@ "axios": "^1.13.5", "fast-xml-parser": "^5.3.6", "@isaacs/brace-expansion": "^5.0.1", + "flatted": "^3.4.0", + "undici": "^7.24.0", "pretty-format": { "react-is": "19.0.0" }, diff --git a/tests/e2e-tests/poetry.lock b/tests/e2e-tests/poetry.lock index a1f09a32..498e37c3 100644 --- a/tests/e2e-tests/poetry.lock +++ b/tests/e2e-tests/poetry.lock 
@@ -863,21 +863,21 @@ windows-terminal = ["colorama (>=0.4.6)"] [[package]] name = "pyjwt" -version = "2.10.1" +version = "2.12.1" description = "JSON Web Token implementation in Python" optional = false python-versions = ">=3.9" groups = ["main"] files = [ - {file = "PyJWT-2.10.1-py3-none-any.whl", hash = "sha256:dcdd193e30abefd5debf142f9adfcdd2b58004e644f25406ffaebd50bd98dacb"}, - {file = "pyjwt-2.10.1.tar.gz", hash = "sha256:3cc5772eb20009233caf06e9d8a0577824723b44e6648ee0a2aedb6cf9381953"}, + {file = "pyjwt-2.12.1-py3-none-any.whl", hash = "sha256:28ca37c070cad8ba8cd9790cd940535d40274d22f80ab87f3ac6a713e6e8454c"}, + {file = "pyjwt-2.12.1.tar.gz", hash = "sha256:c74a7a2adf861c04d002db713dd85f84beb242228e671280bf709d765b03672b"}, ] [package.extras] crypto = ["cryptography (>=3.4.0)"] -dev = ["coverage[toml] (==5.0.4)", "cryptography (>=3.4.0)", "pre-commit", "pytest (>=6.0.0,<7.0.0)", "sphinx", "sphinx-rtd-theme", "zope.interface"] +dev = ["coverage[toml] (==7.10.7)", "cryptography (>=3.4.0)", "pre-commit", "pytest (>=8.4.2,<9.0.0)", "sphinx", "sphinx-rtd-theme", "zope.interface"] docs = ["sphinx", "sphinx-rtd-theme", "zope.interface"] -tests = ["coverage[toml] (==5.0.4)", "pytest (>=6.0.0,<7.0.0)"] +tests = ["coverage[toml] (==7.10.7)", "pytest (>=8.4.2,<9.0.0)"] [[package]] name = "pyotp" From 0cbfaab48199dfcdea169f5ada9290ae3008f775 Mon Sep 17 00:00:00 2001 From: Francisco Videira Date: Thu, 19 Mar 2026 13:24:47 +0000 Subject: [PATCH 6/6] bump version in lock --- package-lock.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package-lock.json b/package-lock.json index d42cb9c5..81e1bfaf 100644 --- a/package-lock.json +++ b/package-lock.json @@ -100,7 +100,7 @@ }, "internal/events": { "name": "@nhsdigital/nhs-notify-event-schemas-supplier-api", - "version": "1.0.13", + "version": "1.0.14", "license": "MIT", "dependencies": { "@asyncapi/bundler": "^0.6.4",