Skip to content

fix(root): bump sigstore to 4.1.1 to fix GHSA-52v5-jr5w-gjxr#9170

Merged
danielpeng1 merged 1 commit into
masterfrom
yashvanthbl137/cgd-2015-fix-sigstore-high-vulnerability-ghsa-52v5-jr5w-gjxr-in
Jul 2, 2026
Merged

fix(root): bump sigstore to 4.1.1 to fix GHSA-52v5-jr5w-gjxr#9170
danielpeng1 merged 1 commit into
masterfrom
yashvanthbl137/cgd-2015-fix-sigstore-high-vulnerability-ghsa-52v5-jr5w-gjxr-in

Conversation

@yashvanthbl137-crypto

@yashvanthbl137-crypto yashvanthbl137-crypto commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Pin sigstore to 4.1.1 via yarn resolution to fix HIGH severity audit failure (GHSA-52v5-jr5w-gjxr)
  • Remove stale .iyarc exclusions (GHSA-rpr9-rxv7-x643, GHSA-gv7w-rqvm-qjhr) that are no longer reported by yarn audit

Context

CI improved-yarn-audit --min-severity high was failing due to a vulnerable transitive sigstore dependency via lerna and yeoman-generator (pacote / libnpmpublish).

Changes

  • package.json: add sigstore resolution to 4.1.1
  • yarn.lock: update lockfile
  • .iyarc: remove stale exclusions

Test plan

  • yarn run improved-yarn-audit --min-severity high --retry-on-network-failure passes with 0 vulnerabilities
  • No stale-exclusion warnings from .iyarc

Ticket: CGD-2015

@linear-code

linear-code Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

CGD-2015

@yashvanthbl137-crypto yashvanthbl137-crypto marked this pull request as ready for review July 2, 2026 13:26
@yashvanthbl137-crypto yashvanthbl137-crypto requested review from a team as code owners July 2, 2026 13:26

@bhargavirao24 bhargavirao24 left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Sigstore pinned to 4.1.1 across all paths, .iyarc cleanup is correct.
Approving the changes

@danielpeng1 danielpeng1 merged commit 93f08ea into master Jul 2, 2026
24 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants