.yarn-audit-allowlist.json
{
  "minSeverity": "high",
  "allowlist": [
    1111997,
    1115552,
    1116289,
    1115805,
    1115806,
    1116365,
    1116473,
    1116454,
    1116478
  ],
  "notes": {
    "1111997": "aws-sdk v2 advisory flagged as 'No patch available' in our current baseline; accepted until migration.",
    "1115552": "picomatch advisory introduced after the current lockfile baseline; temporarily allowlisted to restore CI while the transitive dependency upgrade is refreshed explicitly in backend yarn.lock files.",
    "1116289": "basic-ftp CRLF injection advisory introduced after the rebased dev baseline; temporarily allowlisted to avoid widening this parity PR into a backend dependency refresh.",
    "1115805": "lodash-es _.template advisory (GHSA-r5fr-rjxr-66jc / CVE-2026-4800). Temporary CI allowlist to avoid widening this parity PR into a backend dependency refresh.",
    "1115806": "lodash _.template advisory (GHSA-r5fr-rjxr-66jc / CVE-2026-4800). Temporary CI allowlist to avoid widening this parity PR into a backend dependency refresh.",
    "1116365": "Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF",
    "1116473": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain",
    "1116454": "basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands",
    "1116478": "basic-ftp has FTP Command Injection via CRLF"
  }
}
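The file above records a policy (ignore advisories below `minSeverity`, accept the listed advisory IDs, explain each acceptance in `notes`) but nothing on the page shows how it is enforced. The script below is an added example, not the project's own tooling: it applies that policy to the NDJSON that yarn classic's `yarn audit --json` emits (one `auditAdvisory` object per vulnerable path, a final `auditSummary`; that output shape is an assumption here, not something the page states), and adds the two checks a reviewer of this file would want: every allowlisted ID must carry a note, and allowlisted IDs that no longer appear in the audit output are reported as stale so "temporary" entries do not outlive the advisory. The audit lines and the ID `2000001` are constructed sample data; the other IDs come from the file.

```javascript
// Added example: enforce a .yarn-audit-allowlist.json policy against
// `yarn audit --json` output. Assumes yarn classic's NDJSON format; not the
// project's own CI script.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Policy mirroring the structure of the file above (two IDs kept for brevity).
const policy = {
  minSeverity: "high",
  allowlist: [1111997, 1115552],
  notes: {
    "1111997": "aws-sdk v2 advisory; accepted until migration.",
    "1115552": "picomatch advisory; temporary CI allowlist."
  }
};

// Constructed sample of `yarn audit --json` output (yarn v1 emits one JSON
// object per line). 2000001 is an invented advisory ID for the demo.
const sampleAuditOutput = [
  '{"type":"auditAdvisory","data":{"advisory":{"id":1111997,"severity":"high","module_name":"aws-sdk","title":"aws-sdk v2 advisory"}}}',
  '{"type":"auditAdvisory","data":{"advisory":{"id":1111997,"severity":"high","module_name":"aws-sdk","title":"aws-sdk v2 advisory"}}}',
  '{"type":"auditAdvisory","data":{"advisory":{"id":1116365,"severity":"high","module_name":"axios","title":"NO_PROXY Hostname Normalization Bypass Leads to SSRF"}}}',
  '{"type":"auditAdvisory","data":{"advisory":{"id":2000001,"severity":"moderate","module_name":"demo-pkg","title":"constructed moderate advisory"}}}',
  '{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":0,"moderate":1,"high":2,"critical":0}}}'
].join("\n");

// Parse NDJSON and keep only advisory records.
function parseAdvisories(ndjson) {
  return ndjson
    .split("\n")
    .filter(Boolean)
    .map((line) => JSON.parse(line))
    .filter((obj) => obj.type === "auditAdvisory")
    .map((obj) => obj.data.advisory);
}

// Lint the allowlist itself: integer IDs, a note per ID, no orphan notes.
function validateAllowlist(pol) {
  const problems = [];
  if (!(pol.minSeverity in SEVERITY_RANK)) problems.push(`unknown minSeverity ${pol.minSeverity}`);
  for (const id of pol.allowlist) {
    if (!Number.isInteger(id)) problems.push(`non-integer allowlist id ${id}`);
    if (!pol.notes || !pol.notes[String(id)]) problems.push(`allowlist id ${id} has no note explaining the acceptance`);
  }
  for (const key of Object.keys(pol.notes || {})) {
    if (!pol.allowlist.includes(Number(key))) problems.push(`note for ${key} but id is not allowlisted`);
  }
  return problems;
}

// Apply the policy: below-threshold advisories are ignored, allowlisted ones
// are accepted, anything else fails the build. Allowlisted IDs absent from
// the audit are reported as stale so they can be removed.
function evaluateAudit(pol, ndjson) {
  const threshold = SEVERITY_RANK[pol.minSeverity];
  const allowed = new Set(pol.allowlist);
  const seen = new Set();
  const failing = [];
  const allowlisted = [];
  const ignoredBySeverity = [];
  for (const adv of parseAdvisories(ndjson)) {
    if (seen.has(adv.id)) continue; // yarn repeats an advisory once per dependency path
    seen.add(adv.id);
    if (SEVERITY_RANK[adv.severity] < threshold) { ignoredBySeverity.push(adv.id); continue; }
    if (allowed.has(adv.id)) { allowlisted.push(adv.id); continue; }
    failing.push(adv.id);
  }
  const stale = pol.allowlist.filter((id) => !seen.has(id));
  return { ok: failing.length === 0, failing, allowlisted, ignoredBySeverity, stale };
}

console.log(JSON.stringify(evaluateAudit(policy, sampleAuditOutput), null, 2));
```

With the sample data the run fails on `1116365` (high, not allowlisted), accepts `1111997`, skips the moderate advisory because of `minSeverity`, and flags `1115552` as stale because nothing in the audit references it any more; in CI that stale list is the prompt to delete the entry rather than let a "temporary" allowlist accumulate.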