From 6f6eab05bad6f0fa53234f85d4147d062b42321b Mon Sep 17 00:00:00 2001
From: Angel Pastor
Date: Wed, 14 Jan 2026 15:35:44 +0000
Subject: [PATCH 1/2] CCM-13769: dependencies fix

---
 .trivyignore | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/.trivyignore b/.trivyignore
index 2c4b016b8..e69de29bb 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,4 +0,0 @@
-# Remove after resolution as part of https://nhsd-jira.digital.nhs.uk/browse/CCM-13769
-CVE-2024-49761 # https://avd.aquasec.com/nvd/cve-2024-49761 ## latest Jekyll Webpack (0.2.7) installs old version of rexml
-CVE-2024-47220 # https://avd.aquasec.com/nvd/cve-2024-47220 ## latest lint_roller (1.1.0) installs old version of rexml
-CVE-2024-7254 # https://avd.aquasec.com/nvd/cve-2024-7254 ## latest Jekyll Webpack (0.2.7) installs old version of google-protobuf

From fb694ae41b59eb85962ad36f06f511511db90eb2 Mon Sep 17 00:00:00 2001
From: Angel Pastor
Date: Wed, 14 Jan 2026 15:56:58 +0000
Subject: [PATCH 2/2] CCM-13769: dependencies

---
 docs/Gemfile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docs/Gemfile b/docs/Gemfile
index 6de59c26a..6b1db009e 100644
--- a/docs/Gemfile
+++ b/docs/Gemfile
@@ -42,3 +42,8 @@ gem 'sass-embedded', '1.78'
 gem 'jekyll-webpack'
 gem 'rubocop', require: false
+
+# Security: Explicit dependency pins to resolve CVEs
+gem 'google-protobuf', '>= 4.28.3' # Addresses CVE-2024-7254
+gem 'rexml', '>= 3.3.9' # Addresses CVE-2024-49761, CVE-2024-47220
+gem 'webrick', '~> 1.8' # Standard Ruby web server for Jekyll serve
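Review bot: `gem 'webrick', '~> 1.8'` still admits webrick 1.8.1, which, if I recall the advisory correctly, is the release covered by CVE-2024-47220 (an HTTP request-smuggling issue in WEBrick, fixed in 1.8.2) rather than a rexml issue — so the CVE is attributed to the wrong gem on the rexml line and the webrick constraint does not actually close it; please verify against the avd.aquasec.com link the first patch removed. If that holds, change the last two lines to `gem 'rexml', '>= 3.3.9' # Addresses CVE-2024-49761` and `gem 'webrick', '>= 1.8.2' # Addresses CVE-2024-47220 (request smuggling); required by 'jekyll serve'`. The diffstat shows only docs/Gemfile changing: if a docs/Gemfile.lock is committed, these floors take effect only once the lock is re-resolved (`bundle lock --update rexml google-protobuf webrick`), and a frozen/deployment install will fail on the mismatch until then. Since these are overrides of versions pulled in transitively by jekyll-webpack and lint_roller, the header comment should say so and keep the CCM-13769 reference the deleted .trivyignore carried, e.g. `# Security: floors for transitive deps of jekyll-webpack/lint_roller; drop once upstream bumps them (CCM-13769)`, so a maintainer knows when they can be removed.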