From 643614118a13b83461d8def6e4136736851ad385 Mon Sep 17 00:00:00 2001
From: Alex Luckett
Date: Fri, 7 Nov 2025 16:36:35 +0000
Subject: [PATCH] Switch to expr-eval-fork for security fixes (prototype pollution)

---
 package-lock.json                             | 13 +++++++++----
 package.json                                  |  2 +-
 src/server/plugins/engine/models/FormModel.ts |  2 +-
 src/server/plugins/engine/models/types.ts     |  2 +-
 4 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index dac97be15..53b7c9341 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -35,7 +35,7 @@
         "convict": "^6.2.4",
         "date-fns": "^4.1.0",
         "dotenv": "^17.2.1",
-        "expr-eval": "^2.0.2",
+        "expr-eval-fork": "^3.0.0",
         "govuk-frontend": "^5.11.1",
         "hapi-pino": "^12.1.0",
         "hapi-pulse": "^3.0.1",
@@ -9203,9 +9203,14 @@
         "node": "^18.14.0 || ^20.0.0 || ^22.0.0 || >=24.0.0"
       }
     },
-    "node_modules/expr-eval": {
-      "version": "2.0.2",
-      "license": "MIT"
+    "node_modules/expr-eval-fork": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/expr-eval-fork/-/expr-eval-fork-3.0.0.tgz",
+      "integrity": "sha512-29S+IZ2g8qSk5q7gOUYozO7zi4mj/sCVo+HB2h0f0ER4ZCZr9b/+5SWIedvV0SHq3IxBW2/TJrPn77YxMsoVwg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=16.9.0"
+      }
     },
     "node_modules/fast-copy": {
       "version": "3.0.2",
diff --git a/package.json b/package.json
index 21acf00c0..ee75df047 100644
--- a/package.json
+++ b/package.json
@@ -95,7 +95,7 @@
     "convict": "^6.2.4",
     "date-fns": "^4.1.0",
     "dotenv": "^17.2.1",
-    "expr-eval": "^2.0.2",
+    "expr-eval-fork": "^3.0.0",
     "govuk-frontend": "^5.11.1",
     "hapi-pino": "^12.1.0",
     "hapi-pulse": "^3.0.1",
diff --git a/src/server/plugins/engine/models/FormModel.ts b/src/server/plugins/engine/models/FormModel.ts
index f3802afb4..936aa6568 100644
--- a/src/server/plugins/engine/models/FormModel.ts
+++ b/src/server/plugins/engine/models/FormModel.ts
@@ -24,7 +24,7 @@ import { type Page } from '@defra/forms-model' import { add, format } from 'date-fns' -import { Parser, type Value } from 'expr-eval' +import { Parser, type Value } from 'expr-eval-fork' import joi from 'joi' import { createLogger } from '~/src/server/common/helpers/logging/logger.js' diff --git a/src/server/plugins/engine/models/types.ts b/src/server/plugins/engine/models/types.ts index 7f17c367a..980ad8f0a 100644 --- a/src/server/plugins/engine/models/types.ts +++ b/src/server/plugins/engine/models/types.ts @@ -3,7 +3,7 @@ import { type FormComponentsDef, type Section } from '@defra/forms-model' -import { type Expression } from 'expr-eval' +import { type Expression } from 'expr-eval-fork' import { getAnswer,
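Review bot: The new import of `Parser` and `Value` from `expr-eval-fork` assumes the fork exposes the same API as `expr-eval`, and nothing in this hunk documents why the fork was chosen, so a later dependency cleanup could quietly swap it back; a one-line comment on the import would anchor the decision: `// expr-eval-fork: replacement for expr-eval carrying its prototype-pollution fix; do not revert to expr-eval`. The places in FormModel.ts that actually construct the parser and call `evaluate` lie outside this hunk, so whether user-supplied values ever reach evaluation (the scenario the fork's fix is meant to cover) cannot be confirmed from the diff and is worth checking at those call sites. The types.ts hunk below makes the same import swap for `Expression` and would carry the same comment; its surrounding import block is cut off at the end of this page.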