@dwp/govuk-casa 9.3.3 → 9.3.4

package/dist/routes/static.js

@@ -5,10 +5,10 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.default = staticRouter;
 const express_1 = __importDefault(require("express"));
-const fs_1 = require("fs");
-const url_1 = require("url");
-const path_1 = require("path");
-const module_1 = require("module");
+const node_fs_1 = require("node:fs");
+const node_url_1 = require("node:url");
+const node_path_1 = require("node:path");
+const node_module_1 = require("node:module");
 const dirname_cjs_1 = __importDefault(require("./dirname.cjs"));
 const MutableRouter_js_1 = __importDefault(require("../lib/MutableRouter.js"));
 const utils_js_1 = require("../lib/utils.js");
@@ -33,11 +33,10 @@ function staticRouter({ maxAge = 3600000 } = {}) {
         next(new Error("404"));
     };
     const setHeaders = (req, res, next) => {
-        var _a;
         res.set("cache-control", "public");
         res.set("pragma", "cache");
         res.set("expires", new Date(Date.now() + oneDay).toUTCString());
-        const { pathname } = new url_1.URL((_a = req === null || req === void 0 ? void 0 : req.originalUrl) !== null && _a !== void 0 ? _a : "", "https://placeholder.test/");
+        const { pathname } = new node_url_1.URL(req?.originalUrl ?? "", "https://placeholder.test/");
         if (pathname.substr(-4) === ".css") {
             // Just needed for our in-memory CSS assets
             res.set("content-type", "text/css");
@@ -56,17 +55,17 @@ function staticRouter({ maxAge = 3600000 } = {}) {
     // must be replaced with the dynamic `mountUrl` to ensure govuk-frontend
     // assets are served from the correct location.
     /* eslint-disable security/detect-non-literal-fs-filename */
-    const casaCss = (0, fs_1.readFileSync)((0, path_1.resolve)(dirname_cjs_1.default, "../../dist/assets/css/casa.css"), { encoding: "utf8" });
+    const casaCss = (0, node_fs_1.readFileSync)((0, node_path_1.resolve)(dirname_cjs_1.default, "../../dist/assets/css/casa.css"), { encoding: "utf8" });
     /* eslint-enable security/detect-non-literal-fs-filename */
     // The static middleware will only server GET/HEAD requests, so we can mount
     // the middleware using `use()` rather than resorting to `get()`
-    const govukFrontendDirectory = (0, path_1.resolve)((0, module_1.createRequire)(dirname_cjs_1.default).resolve("govuk-frontend"), "../../");
+    const govukFrontendDirectory = (0, node_path_1.resolve)((0, node_module_1.createRequire)(dirname_cjs_1.default).resolve("govuk-frontend"), "../../");
     router.use("/govuk/govuk-frontend.min.js", ExpressStatic(`${govukFrontendDirectory}/govuk/govuk-frontend.min.js`, staticConfig));
     router.use("/govuk/govuk-frontend.min.js.map", ExpressStatic(`${govukFrontendDirectory}/govuk/govuk-frontend.min.js.map`, staticConfig));
     router.use("/govuk/assets", ExpressStatic(`${govukFrontendDirectory}/govuk/assets`, staticConfig));
     router.use("/govuk/assets", notFoundHandler);
     router.get("/casa/assets/css/casa.css", setHeaders, (req, res) => res.send(casaCss.replace(/~~~CASA_MOUNT_URL~~~/g, (0, utils_js_1.validateUrlPath)(`${req.baseUrl}/`))));
-    router.use("/casa/assets/css/casa.css.map", ExpressStatic((0, path_1.resolve)(dirname_cjs_1.default, "../../dist/assets/css/casa.css.map")));
+    router.use("/casa/assets/css/casa.css.map", ExpressStatic((0, node_path_1.resolve)(dirname_cjs_1.default, "../../dist/assets/css/casa.css.map")));
     router.use("/casa/assets", notFoundHandler);
     return router;
 }

package/dist/routes/static.js.map

@@ -1 +1 @@
-{"version":3,"file":"static.js","sourceRoot":"","sources":["../../src/routes/static.js"],"names":[],"mappings":";;;;;AA2BA,+BAoFC;AA/GD,sDAAgC;AAChC,2BAAkC;AAClC,6BAA0B;AAC1B,+BAA+B;AAC/B,mCAAuC;AAEvC,gEAAoC;AACpC,+EAAoD;AACpD,8CAAkD;AAElD,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,iBAAS,CAAC,CAAC,WAAW;AAExD,MAAM,MAAM,GAAG,QAAQ,CAAC;AAExB;;;;GAIG;AAEH;;;;;;GAMG;AACH,SAAwB,YAAY,CAAC,EAAE,MAAM,GAAG,OAAO,EAAE,GAAG,EAAE;IAC5D,MAAM,MAAM,GAAG,IAAI,0BAAa,EAAE,CAAC;IAEnC,MAAM,eAAe,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzC,kDAAkD;QAClD,IAAI,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;IACzB,CAAC,CAAC;IAEF,MAAM,UAAU,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;;QACpC,GAAG,CAAC,GAAG,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QACnC,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC3B,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QAChE,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI,SAAG,CAC1B,MAAA,GAAG,aAAH,GAAG,uBAAH,GAAG,CAAE,WAAW,mCAAI,EAAE,EACtB,2BAA2B,CAC5B,CAAC;QACF,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC;YACnC,2CAA2C;YAC3C,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC;QACtC,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;IAEF,MAAM,YAAY,GAAG;QACnB,IAAI,EAAE,IAAI;QACV,YAAY,EAAE,KAAK;QACnB,MAAM;QACN,UAAU,EAAE,CAAC,GAAG,EAAE,EAAE;YAClB,UAAU,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAClC,CAAC;KACF,CAAC;IAEF,4EAA4E;IAC5E,wEAAwE;IACxE,+CAA+C;IAC/C,4DAA4D;IAC5D,MAAM,OAAO,GAAG,IAAA,iBAAY,EAC1B,IAAA,cAAO,EAAC,qBAAO,EAAE,gCAAgC,CAAC,EAClD,EAAE,QAAQ,EAAE,MAAM,EAAE,CACrB,CAAC;IACF,2DAA2D;IAE3D,4EAA4E;IAC5E,gEAAgE;IAChE,MAAM,sBAAsB,GAAG,IAAA,cAAO,EACpC,IAAA,sBAAa,EAAC,qBAAO,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAChD,QAAQ,CACT,CAAC;IAEF,MAAM,CAAC,GAAG,CACR,8BAA8B,EAC9B,aAAa,CACX,GAAG,sBAAsB,8BAA8B,EACvD,YAAY,CACb,CACF,CAAC;IACF,MAAM,CAAC,GAAG,CACR,kCAAkC,EAClC,aAAa,CACX,GAAG,sBAAsB,kCAAkC,EAC3D,YAAY,CACb,CACF,CAAC;IACF,MAAM,CAAC,GAAG,CACR,eAAe,EACf,aAAa,CAAC,GAAG,sBAAsB,eAAe,EAAE,YAAY,CAAC,CACtE,CAAC;IACF,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,eAAe,CAAC,CAAC;IAE7C,MAAM,CAAC,GAAG,CAAC,2BAA2B,EAAE,UAAU,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAC/D,GAAG,CAAC,IAAI,CACN,OAAO,CAAC,OAAO,CACb,uBAAuB,EACvB,IAAA,0BAAe,EAAC,GAAG,GAAG,CAAC,OAAO,GAAG,CAAC,CACnC,CACF,CACF,CAAC;IACF,MAAM,CAAC,GAAG,CACR,+BAA+B,EAC/B,aAAa,CAAC,IAAA,cAAO,EAAC,qBAAO,EAAE,oCAAoC,CAAC,CAAC,CACtE,CAAC;IACF,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,eAAe,CAAC,CAAC;IAE5C,OAAO,MAAM,CAAC;AAChB,CAAC"}
+{"version":3,"file":"static.js","sourceRoot":"","sources":["../../src/routes/static.js"],"names":[],"mappings":";;;;;AA2BA,+BAoFC;AA/GD,sDAAgC;AAChC,qCAAuC;AACvC,uCAA+B;AAC/B,yCAAoC;AACpC,6CAA4C;AAE5C,gEAAoC;AACpC,+EAAoD;AACpD,8CAAkD;AAElD,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,iBAAS,CAAC,CAAC,WAAW;AAExD,MAAM,MAAM,GAAG,QAAQ,CAAC;AAExB;;;;GAIG;AAEH;;;;;;GAMG;AACH,SAAwB,YAAY,CAAC,EAAE,MAAM,GAAG,OAAO,EAAE,GAAG,EAAE;IAC5D,MAAM,MAAM,GAAG,IAAI,0BAAa,EAAE,CAAC;IAEnC,MAAM,eAAe,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzC,kDAAkD;QAClD,IAAI,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;IACzB,CAAC,CAAC;IAEF,MAAM,UAAU,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACpC,GAAG,CAAC,GAAG,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QACnC,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC3B,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QAChE,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI,cAAG,CAC1B,GAAG,EAAE,WAAW,IAAI,EAAE,EACtB,2BAA2B,CAC5B,CAAC;QACF,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC;YACnC,2CAA2C;YAC3C,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC;QACtC,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;IAEF,MAAM,YAAY,GAAG;QACnB,IAAI,EAAE,IAAI;QACV,YAAY,EAAE,KAAK;QACnB,MAAM;QACN,UAAU,EAAE,CAAC,GAAG,EAAE,EAAE;YAClB,UAAU,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAClC,CAAC;KACF,CAAC;IAEF,4EAA4E;IAC5E,wEAAwE;IACxE,+CAA+C;IAC/C,4DAA4D;IAC5D,MAAM,OAAO,GAAG,IAAA,sBAAY,EAC1B,IAAA,mBAAO,EAAC,qBAAO,EAAE,gCAAgC,CAAC,EAClD,EAAE,QAAQ,EAAE,MAAM,EAAE,CACrB,CAAC;IACF,2DAA2D;IAE3D,4EAA4E;IAC5E,gEAAgE;IAChE,MAAM,sBAAsB,GAAG,IAAA,mBAAO,EACpC,IAAA,2BAAa,EAAC,qBAAO,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAChD,QAAQ,CACT,CAAC;IAEF,MAAM,CAAC,GAAG,CACR,8BAA8B,EAC9B,aAAa,CACX,GAAG,sBAAsB,8BAA8B,EACvD,YAAY,CACb,CACF,CAAC;IACF,MAAM,CAAC,GAAG,CACR,kCAAkC,EAClC,aAAa,CACX,GAAG,sBAAsB,kCAAkC,EAC3D,YAAY,CACb,CACF,CAAC;IACF,MAAM,CAAC,GAAG,CACR,eAAe,EACf,aAAa,CAAC,GAAG,sBAAsB,eAAe,EAAE,YAAY,CAAC,CACtE,CAAC;IACF,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,eAAe,CAAC,CAAC;IAE7C,MAAM,CAAC,GAAG,CAAC,2BAA2B,EAAE,UAAU,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAC/D,GAAG,CAAC,IAAI,CACN,OAAO,CAAC,OAAO,CACb,uBAAuB,EACvB,IAAA,0BAAe,EAAC,GAAG,GAAG,CAAC,OAAO,GAAG,CAAC,CACnC,CACF,CACF,CAAC;IACF,MAAM,CAAC,GAAG,CACR,+BAA+B,EAC/B,aAAa,CAAC,IAAA,mBAAO,EAAC,qBAAO,EAAE,oCAAoC,CAAC,CAAC,CACtE,CAAC;IACF,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,eAAe,CAAC,CAAC;IAE5C,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dwp/govuk-casa",
-  "version": "9.3.3",
+  "version": "9.3.4",
   "description": "A framework for building GOVUK Collect-And-Submit-Applications",
   "repository": {
     "type": "git",
@@ -56,49 +56,50 @@
     "deepmerge": "4.3.1",
     "express": "4.21.1",
     "express-session": "1.18.1",
-    "govuk-frontend": "5.7.0",
-    "helmet": "7.1.0",
-    "i18next": "23.15.2",
+    "govuk-frontend": "5.7.1",
+    "helmet": "7.2.0",
+    "i18next": "23.16.4",
     "i18next-http-middleware": "3.6.0",
     "js-yaml": "4.1.0",
     "lodash": "4.17.21",
     "luxon": "3.5.0",
     "nunjucks": "3.2.4",
     "path-to-regexp": "8.2.0",
+    "rfdc": "1.4.1",
     "validator": "13.12.0"
   },
   "devDependencies": {
-    "@babel/core": "7.25.2",
-    "@babel/eslint-parser": "7.25.1",
-    "@babel/preset-env": "7.25.4",
+    "@babel/core": "7.26.0",
+    "@babel/eslint-parser": "7.25.9",
+    "@babel/preset-env": "7.26.0",
     "@ckeditor/jsdoc-plugins": "42.1.0",
-    "@commitlint/config-conventional": "19.4.1",
-    "@dwp/casa-spiderplan": "4.0.0",
-    "@dwp/casa-spiderplan-a11y-plugin": "1.0.0",
+    "@commitlint/config-conventional": "19.5.0",
+    "@dwp/casa-spiderplan": "4.0.2",
+    "@dwp/casa-spiderplan-a11y-plugin": "1.0.1",
     "@dwp/casa-spiderplan-zap-plugin": "1.0.0",
     "@dwp/eslint-config-base": "7.0.0",
     "@types/express": "4.17.21",
-    "@types/node": "22.5.4",
+    "@types/node": "22.8.6",
     "@types/nunjucks": "3.2.6",
     "c8": "10.1.2",
-    "chai": "5.1.1",
+    "chai": "5.1.2",
     "cheerio": "1.0.0",
-    "commitlint": "19.3.0",
+    "commitlint": "19.5.0",
     "docdash": "2.0.2",
-    "eslint": "8.57.0",
-    "eslint-plugin-import": "2.30.0",
-    "eslint-plugin-jsdoc": "48.7.0",
+    "eslint": "8.57.1",
+    "eslint-plugin-import": "2.31.0",
+    "eslint-plugin-jsdoc": "48.11.0",
     "eslint-plugin-security": "2.1.1",
     "eslint-plugin-sonarjs": "0.25.1",
-    "fast-check": "3.22.0",
-    "jsdoc": "4.0.3",
+    "fast-check": "3.23.0",
+    "jsdoc": "4.0.4",
     "jsdoc-tsimport-plugin": "1.0.5",
-    "mocha": "10.7.3",
+    "mocha": "10.8.2",
     "prettier": "3.3.3",
     "prettier-plugin-jsdoc": "1.3.0",
-    "sass": "1.78.0",
-    "sinon": "18.0.0",
+    "sass": "1.80.6",
+    "sinon": "18.0.1",
     "supertest": "7.0.0",
-    "typescript": "5.5.4"
+    "typescript": "5.6.3"
   }
 }

package/src/lib/JourneyContext.js

@@ -7,17 +7,20 @@
  * - Navigation information about how the user got where they are.
  */
 import lodash from "lodash";
+import rfdc from "rfdc";
 import ValidationError from "./ValidationError.js";
 import logger from "./logger.js";
 import { notProto } from "./utils.js";
 import { uuid as uuidGenerator } from "./context-id-generators.js";
 
-const { isPlainObject, isObject, has, isEqual } = lodash; // CommonJS
+const { isPlainObject, isObject, isEqual } = lodash; // CommonJS
 
 const log = logger("lib:journey-context");
 
 const uuid = uuidGenerator();
 
+const clone = rfdc({ proto: false });
+
 /**
  * @typedef {import("../casa").ContextEventUserInfo} ContextEventUserInfo
  * @access private
@@ -123,10 +126,10 @@ export default class JourneyContext {
    */
   toObject() {
     return Object.assign(Object.create(null), {
-      data: structuredClone(this.#data),
-      validation: structuredClone(this.#validation),
-      nav: structuredClone(this.#nav),
-      identity: structuredClone(this.#identity),
+      data: clone(this.#data),
+      validation: clone(this.#validation),
+      nav: clone(this.#nav),
+      identity: clone(this.#identity),
     });
   }
 
@@ -294,11 +297,11 @@ export default class JourneyContext {
       );
     }
 
-    errors.forEach((error) => {
+    for (const error of errors) {
       if (!(error instanceof ValidationError)) {
         throw new SyntaxError("Field errors must be a ValidationError");
       }
-    });
+    }
 
     this.#validation[validateObjectKey(pageId)] = errors;
 
@@ -562,7 +565,7 @@ export default class JourneyContext {
     }
 
     // Initialise new context list in the session
-    if (!has(session, "journeyContextList")) {
+    if (!Object.hasOwn(session, "journeyContextList")) {
       log.trace("Initialising session with a default journey context list");
       /* eslint-disable-next-line no-param-reassign */
       session.journeyContextList = [];
@@ -738,7 +741,7 @@ export default class JourneyContext {
    * @returns {Array} Array of contexts
    */
   static getContexts(session) {
-    if (has(session, "journeyContextList")) {
+    if (session && Object.hasOwn(session, "journeyContextList")) {
       return session.journeyContextList.map(([, contextObj]) =>
         JourneyContext.fromObject(contextObj),
       );
@@ -768,7 +771,7 @@ export default class JourneyContext {
     }
 
     // Initialise the session if necessary
-    if (!has(session, "journeyContextList")) {
+    if (Object.hasOwn(session, "journeyContextList") === false) {
       JourneyContext.initContextStore(session);
     }
 
@@ -844,9 +847,9 @@ export default class JourneyContext {
    * @returns {void}
    */
   static removeContextsByTag(session, tag) {
-    JourneyContext.getContextsByTag(session, tag).forEach((c) =>
-      JourneyContext.removeContext(session, c),
-    );
+    for (const c of JourneyContext.getContextsByTag(session, tag)) {
+      JourneyContext.removeContext(session, c);
+    }
   }
 
   /**
@@ -856,9 +859,9 @@ export default class JourneyContext {
    * @returns {void}
    */
   static removeContexts(session) {
-    JourneyContext.getContexts(session).forEach((c) =>
-      JourneyContext.removeContext(session, c),
-    );
+    for (const c of JourneyContext.getContexts(session)) {
+      JourneyContext.removeContext(session, c);
+    }
   }
 
   /**
@@ -875,13 +878,13 @@ export default class JourneyContext {
     JourneyContext.initContextStore(req.session);
 
     let contextId;
-    if (has(req?.params, "contextid")) {
+    if (req.params && Object.hasOwn(req.params, "contextid")) {
       log.trace("Context ID found in req.params.contextid");
       contextId = String(req.params.contextid);
-    } else if (has(req.query, "contextid")) {
+    } else if (req.query && Object.hasOwn(req.query, "contextid")) {
       log.trace("Context ID found in req.query.contextid");
       contextId = String(req.query.contextid);
-    } else if (has(req?.body, "contextid")) {
+    } else if (req.body && Object.hasOwn(req.body, "contextid")) {
       log.trace("Context ID found in req.body.contextid");
       contextId = String(req.body.contextid);
     } else {

package/src/lib/MutableRouter.js

@@ -84,12 +84,12 @@ export default class MutableRouter {
       return this.#router;
     }
 
-    this.#stack.forEach(({ method, args }) => {
+    for (const { method, args } of this.#stack) {
       // ESLint disabled as `#router` is dev-controlled, and `seal()` is only
       // run at boot-time before any user interaction
       /* eslint-disable-next-line security/detect-object-injection */
       this.#router[method].call(this.#router, ...args);
-    });
+    }
 
     this.#sealed = true;
 

package/src/lib/Plan.js

@@ -40,10 +40,7 @@ const log = logger("lib:plan");
  * @access private
  */
 function defaultNextFollow(r, context) {
-  const { validation: v = {} } = context.toObject();
-  return (
-    Object.prototype.hasOwnProperty.call(v, r.source) && v[r.source] === null
-  );
+  return context.validation?.[r.source] === null;
 }
 
 /**
@@ -54,10 +51,7 @@ function defaultNextFollow(r, context) {
  * @access private
  */
 function defaultPrevFollow(r, context) {
-  const { validation: v = {} } = context.toObject();
-  return (
-    Object.prototype.hasOwnProperty.call(v, r.target) && v[r.target] === null
-  );
+  return context.validation?.[r.target] === null;
 }
 
 /**

package/src/lib/ValidationError.js

@@ -113,7 +113,7 @@ export default class ValidationError {
     // Duplicate parameters to make them available in public scope. These are
     // the values that will be readable, and reflect any context that may have
     // been applied
-    Object.keys(originals).forEach((o) => {
+    for (const o of Object.keys(originals)) {
       // ESLint disabled as `o` is an "own" property of `originals`, which is
       // dev-controlled
       /* eslint-disable security/detect-object-injection */
@@ -123,7 +123,7 @@ export default class ValidationError {
         writable: true,
       });
       /* eslint-enable security/detect-object-injection */
-    });
+    }
   }
 
   /**

package/src/lib/configuration-ingestor.js

@@ -58,13 +58,14 @@ export function validateI18nDirs(dirs = []) {
   if (!Array.isArray(dirs)) {
     throw new TypeError("I18n directories must be an array (i18n.dirs)");
   }
-  dirs.forEach((dir, i) => {
+  for (let i = 0; i < dirs.length; i++) {
+    const dir = dirs[i];
     if (typeof dir !== "string") {
       throw new TypeError(
         `I18n directory must be a string, got ${typeof dir} (i18n.dirs[${i}])`,
       );
     }
-  });
+  }
   return dirs;
 }
 
@@ -81,13 +82,14 @@ export function validateI18nLocales(locales = ["en", "cy"]) {
   if (!Array.isArray(locales)) {
     throw new TypeError("I18n locales must be an array (i18n.locales)");
   }
-  locales.forEach((locale, i) => {
+  for (let i = 0; i < locales.length; i++) {
+    const locale = locales[i];
     if (typeof locale !== "string") {
       throw new TypeError(
         `I18n locale must be a string, got ${typeof locale} (i18n.locales[${i}])`,
       );
     }
-  });
+  }
   return locales;
 }
 
@@ -146,13 +148,14 @@ export function validateViews(dirs = []) {
   if (!Array.isArray(dirs)) {
     throw new TypeError("View directories must be an array (views)");
   }
-  dirs.forEach((dir, i) => {
+  for (let i = 0; i < dirs.length; i++) {
+    const dir = dirs[i];
     if (typeof dir !== "string") {
       throw new TypeError(
         `View directory must be a string, got ${typeof dir} (views[${i}])`,
       );
     }
-  });
+  }
   return dirs;
 }
 
@@ -336,7 +339,9 @@ export function validatePageHooks(hooks) {
   if (!Array.isArray(hooks)) {
     throw new TypeError("Hooks must be an array");
   }
-  hooks.forEach((hook, index) => validatePageHook(hook, index));
+  for (let i = 0; i < hooks.length; i++) {
+    validatePageHook(hooks[i], i);
+  }
   return hooks;
 }
 
@@ -357,7 +362,9 @@ export function validateFields(fields) {
   if (!Array.isArray(fields)) {
     throw new TypeError("Page fields must be an array (page[].fields)");
   }
-  fields.forEach((hook, index) => validateField(hook, index));
+  for (let i = 0; i < fields.length; i++) {
+    validateField(fields[i], i);
+  }
   return fields;
 }
 
@@ -384,7 +391,9 @@ export function validatePages(pages = []) {
   if (!Array.isArray(pages)) {
     throw new TypeError("Pages must be an array (pages)");
   }
-  pages.forEach((page, index) => validatePage(page, index));
+  for (let i = 0; i < pages.length; i++) {
+    validatePage(pages[i], i);
+  }
   return pages;
 }
 
@@ -419,12 +428,12 @@ export function validateGlobalHooks(hooks) {
   if (hooks === undefined) {
     return [];
   }
-
   if (!Array.isArray(hooks)) {
     throw new TypeError("Hooks must be an array");
   }
-
-  hooks.forEach((hook, index) => validateGlobalHook(hook, index));
+  for (let i = 0; i < hooks.length; i++) {
+    validateGlobalHook(hooks[i], i);
+  }
   return hooks;
 }
 

package/src/lib/configure.js

@@ -1,6 +1,6 @@
 import { MemoryStore } from "express-session";
-import { resolve } from "path";
-import { createRequire } from "module";
+import { resolve } from "node:path";
+import { createRequire } from "node:module";
 import cookieParserFactory from "cookie-parser";
 import dirname from "./dirname.cjs";
 
@@ -49,9 +49,9 @@ import { CONFIG_ERROR_VISIBILITY_ONSUBMIT } from "./constants.js";
 export default function configure(config = {}) {
   // Pass the raw config through each plugin's configure phase so they can
   // optionally modify it
-  (config.plugins ?? []).forEach((plugin) => {
+  for (const plugin of config.plugins ?? []) {
     plugin.configure(config);
-  });
+  }
 
   // Extract config
   const ingestedConfig = configurationIngestor(config);
@@ -84,10 +84,13 @@ export default function configure(config = {}) {
   } = ingestedConfig;
 
   // Prepare all page hooks so they are prefixed with the `journey.` scope.
-  pages.forEach((page) => {
-    /* eslint-disable-next-line no-param-reassign,no-return-assign */
-    (page?.hooks ?? []).forEach((h) => (h.hook = `journey.${h.hook}`));
-  });
+  for (const page of pages) {
+    if (page?.hooks) {
+      for (const h of page.hooks) {
+        h.hook = `journey.${h.hook}`
+      }
+    }
+  }
 
   // Prepare a Nunjucks environment for rendering all templates.
   // Resolve priority: userland templates > CASA templates > GOVUK templates > Plugin templates
@@ -207,9 +210,9 @@ export default function configure(config = {}) {
   };
 
   // Bootstrap all plugins
-  plugins
-    .filter((p) => p.bootstrap)
-    .forEach((plugin) => plugin?.bootstrap(configOutput));
+  for (const plugin of plugins.filter((p) => p.bootstrap)) {
+    plugin?.bootstrap(configOutput)
+  }
 
   // Finished configuration
   return configOutput;

package/src/lib/end-session.js

@@ -18,14 +18,14 @@ const log = logger("lib:end-session");
 export default function endSession(req, next) {
   const { language } = req.session;
 
-  Object.entries(req.session).forEach(([k]) => {
-    if (!["cookie"].includes(k)) {
-      // ESLint disabled as `Object.entries()` returns "own" properties, and
+  for (const key of Object.keys(req.session)) {
+    if (!["cookie"].includes(key)) {
+      // ESLint disabled as `Object.keys()` returns "own" properties, and
       // all values are being null'd, so not assigned any user-controlled values
       /* eslint-disable-next-line security/detect-object-injection */
-      req.session[k] = null;
+      req.session[key] = null;
     }
-  });
+  }
 
   req.session.save((saveErr) => {
     if (saveErr) {

package/src/lib/nunjucks-filters.js

@@ -11,7 +11,8 @@ const { all: deepmergeAll } = merge;
 const combineMerge = (target, source, options) => {
   const destination = target.slice();
 
-  source.forEach((item, index) => {
+  for (let index = 0; index < source.length; index++) {
+    const item = source[index];
     // ESLint disabled as `index` is only an integer
     /* eslint-disable security/detect-object-injection */
     if (typeof destination[index] === "undefined") {
@@ -22,7 +23,7 @@ const combineMerge = (target, source, options) => {
       destination.push(item);
     }
     /* eslint-enable security/detect-object-injection */
-  });
+  }
   return destination;
 };
 
@@ -48,8 +49,7 @@ function isPlainObjectOrArray(o) {
   if (isObject(prot) === false) {
     return false;
   }
-  // eslint-disable-next-line no-prototype-builtins
-  return prot.hasOwnProperty("isPrototypeOf");
+  return Object.hasOwn(prot, "isPrototypeOf");
 }
 
 function mergeObjects(...objects) {
@@ -120,7 +120,7 @@ function formatDateObject(date, config = {}) {
 function renderAsAttributes(attrsObject) {
   const attrsList = [];
   if (typeof attrsObject === "object") {
-    Object.keys(attrsObject).forEach((key) => {
+    for (const key of Object.keys(attrsObject)) {
       // ESLint disable as `attrsObject` is dev-controlled, `Object.keys()` has
       // been used (to get "own" properties) and `m` is one of the characters
       // found by the regex.
@@ -138,7 +138,7 @@ function renderAsAttributes(attrsObject) {
       );
       /* eslint-enable security/detect-object-injection */
       attrsList.push(`${key}="${value}"`);
-    });
+    }
   }
   return new nunjucks.runtime.SafeString(attrsList.join(" "));
 }

package/src/lib/nunjucks.js

@@ -1,5 +1,5 @@
-import { readFileSync } from "fs";
-import { resolve } from "path";
+import { readFileSync } from "node:fs";
+import { resolve } from "node:path";
 import { Environment } from "nunjucks";
 import dirname from "./dirname.cjs";
 import CasaTemplateLoader from "./CasaTemplateLoader.js";

package/src/lib/validators/dateObject.js

@@ -98,11 +98,11 @@ export default class DateObject extends ValidatorFactory {
         formats: ["dd-MMM-yyyy", "dd-MMMM-yyyy"],
       },
     ];
-    formatTests.forEach((test) => {
+    for (const test of formatTests) {
       if (test.flags.every((v) => v === true)) {
         formats = [...formats, ...test.formats];
       }
-    });
+    };
 
     if (typeof value === "object") {
       formats.find((format) => {
@@ -145,13 +145,13 @@ export default class DateObject extends ValidatorFactory {
       // Check presence of each object component (dd, mm, yyyy) in order to log
       // which specific parts are in error
       errorMsg.focusSuffix = [];
-      if (!Object.prototype.hasOwnProperty.call(value, "dd") || !value.dd) {
+      if (!Object.hasOwn(value, "dd") || !value.dd) {
         errorMsg.focusSuffix.push("[dd]");
       }
-      if (!Object.prototype.hasOwnProperty.call(value, "mm") || !value.mm) {
+      if (!Object.hasOwn(value, "mm") || !value.mm) {
         errorMsg.focusSuffix.push("[mm]");
       }
-      if (!Object.prototype.hasOwnProperty.call(value, "yyyy") || !value.yyyy) {
+      if (!Object.hasOwn(value, "yyyy") || !value.yyyy) {
         errorMsg.focusSuffix.push("[yyyy]");
       }
 

package/src/lib/validators/postalAddressObject.js

@@ -95,13 +95,11 @@ export default class PostalAddressObject extends ValidatorFactory {
     // Work out required/optional parts based on config
     const reqF = Object.create(null);
     const reqC = cfg.requiredFields;
-    ["address1", "address2", "address3", "address4", "postcode"].forEach(
-      (k) => {
-        // ESLint disabled as `k` is a known value from a constant list
-        /* eslint-disable-next-line security/detect-object-injection */
-        reqF[k] = reqC.indexOf(k) > -1;
-      },
-    );
+    reqF.address1 = reqC.indexOf("address1") > -1;
+    reqF.address2 = reqC.indexOf("address2") > -1;
+    reqF.address3 = reqC.indexOf("address3") > -1;
+    reqF.address4 = reqC.indexOf("address4") > -1;
+    reqF.postcode = reqC.indexOf("postcode") > -1;
 
     let valid = true;
     const errorMsgs = [];
@@ -129,9 +127,9 @@ export default class PostalAddressObject extends ValidatorFactory {
       };
       // ESLint disabled as `k` is a known value from the constant list above
       /* eslint-disable security/detect-object-injection */
-      Object.keys(attributes).forEach((k) => {
+      for (const k of Object.keys(attributes)) {
         const attr = attributes[k];
-        const hasProperty = Object.prototype.hasOwnProperty.call(value, k);
+        const hasProperty = Object.hasOwn(value, k);
         const hasContent = hasProperty && value[k].length > 0;
 
         const condMissingOrRegexMismatch =
@@ -147,7 +145,7 @@ export default class PostalAddressObject extends ValidatorFactory {
             }),
           );
         }
-      });
+      }
       /* eslint-enable security/detect-object-injection */
     } else {
       valid = false;

package/src/middleware/data.js

@@ -1,18 +1,15 @@
 // Decorates the request with some contextual data about the user's journey
 // through the application. This is used by downstream middleware and templates.
 
-import lodash from "lodash";
 import JourneyContext from "../lib/JourneyContext.js";
 import { validateUrlPath } from "../lib/utils.js";
 import waypointUrl from "../lib/waypoint-url.js";
 
-const { has } = lodash;
-
 const editOrigin = (req) => {
-  if (has(req.query, "editorigin")) {
+  if (Object.hasOwn(req.query, "editorigin")) {
     return waypointUrl({ waypoint: req.query.editorigin });
   }
-  if (has(req?.body, "editorigin")) {
+  if (req.body && Object.hasOwn(req.body, "editorigin")) {
     return waypointUrl({ waypoint: req.body.editorigin });
   }
   return "";
@@ -39,8 +36,8 @@ export default function dataMiddleware({ plan, events, contextIdGenerator }) {
 
         // Edit mode
         editMode:
-          (has(req?.query, "edit") && has(req?.query, "editorigin")) ||
-          (has(req?.body, "edit") && has(req?.body, "editorigin")),
+          (Object.hasOwn(req.query, "edit") && Object.hasOwn(req.query, "editorigin")) ||
+          (Object.hasOwn(req.body, "edit") && Object.hasOwn(req.body, "editorigin")),
         editOrigin: editOrigin(req),
       };