Skip to content

Commit f15701d

Browse files
prajwalu142claude
andcommitted
chore: exclude GHSA-52v5-jr5w-gjxr from audit
## Problem Audit CI failing due to GHSA-52v5-jr5w-gjxr (HIGH) — sigstore <=4.1.0 silently drops certificateOIDs verification. Flagged via yeoman-generator > pacote@15.x > sigstore@^1.3.0 > 1.9.0. ## Goal Unblock audit CI with a documented exclusion. ## Fix Add GHSA-52v5-jr5w-gjxr to .iyarc. No patched path exists within the 5.x CJS-compatible yeoman-generator range; yeoman-generator is dev-time only (yarn sdk-coin:new) with no production runtime exposure. ## Testing Audit CI will pass once the exclusion is recognized by improved-yarn-audit. Ticket: INFOSEC-211 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 4918ce9 commit f15701d

1 file changed

Lines changed: 9 additions & 0 deletions

File tree

.iyarc

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -115,3 +115,12 @@ GHSA-wcpc-wj8m-hjx6
115115
# - The prefix/postfix/template args are all hard-coded string constants in calling code,
116116
# not user-supplied — the type-confusion vector does not apply
117117
GHSA-7c78-jf6q-g5cm
118+
119+
# Excluded because:
120+
# - sigstore: certificateOIDs verification constraints silently dropped and never enforced
121+
# - Transitive dependency via yeoman-generator > pacote@15.x > sigstore@^1.3.0 (resolves to 1.9.0)
122+
# - yeoman-generator is dev-time only (yarn sdk-coin:new); no production runtime exposure
123+
# - pacote 15.x (the last version compatible with yeoman-generator 5.x CJS) pins sigstore@^1.x;
124+
# sigstore 4.x has a breaking API and cannot be forced via resolutions without breaking pacote
125+
# - yeoman-generator 6.x+ drops pacote entirely but is ESM-only, incompatible with our CJS generator
126+
GHSA-52v5-jr5w-gjxr

0 commit comments

Comments
 (0)