.iyarc
# Excluded because:
# - Lerna requires tar v6, but no patched v6 exists (fix only in v7.5.3)
# - Forcing tar v7.5.3 breaks lerna's packDirectory API
# - This CVE affects archive EXTRACTION (unpacking malicious symlinks/hardlinks)
# - Lerna only uses tar for PACKING
GHSA-8qq5-rm4j-mr97
# Excluded because:
# - Transitive dependency through lerna and yeoman-generator, which currently pin tar to a < 7.5.4 range
# - We only use their tar integration for archive PACKING, not extraction
GHSA-r6q2-hw4h-h46w
# Excluded because:
# - Transitive dependency through lerna and yeoman-generator requiring tar < 7.5.4
# - This CVE affects tar's extraction process with specially crafted archives
# - Our usage is limited to archive PACKING operations only, not extraction
GHSA-34x7-hfp2-rc4v
# Excluded because:
# - Transitive dependency through lerna, depcheck, glob, mocha, yeoman-generator
# - minimatch 10.x introduces breaking API changes incompatible with lerna v9.0.0
# - This CVE (ReDoS in minimatch <10.2.1) affects glob pattern matching with repeated wildcards
# - Our usage is dev-time tooling only (build, test, file search)
# - Mitigated by controlled inputs (our own build scripts, not user-provided patterns)
GHSA-3ppc-4f35-3m26
# Excluded because:
# - Transitive dependency through lerna and yeoman-generator requiring tar < 7.5.4
# - This CVE affects tar's extraction process with specially crafted archives
# - Our usage is limited to archive PACKING operations only, not extraction
GHSA-83g3-92jg-28cx
# Excluded because:
# - Transitive dependency through lerna, depcheck, nyc, eslint, yeoman-generator, glob, shelljs
# - minimatch ReDoS via crafted glob patterns (same class as GHSA-3ppc-4f35-3m26)
# - Only affects dev-time tooling, not production code
GHSA-7r86-cg39-jmmj
# Excluded because:
# - Transitive dependency through lerna, depcheck, nyc, eslint, yeoman-generator, glob, shelljs
# - minimatch ReDoS via crafted glob patterns (same class as GHSA-3ppc-4f35-3m26)
# - Only affects dev-time tooling, not production code
# - Mitigated by controlled inputs (our own build scripts, not user-provided patterns)
GHSA-23c5-xmqv-rm74
# Excluded because:
# - Transitive devDependency through mocha, terser-webpack-plugin, copy-webpack-plugin
# - serialize-javascript RCE via malicious RegExp.flags and Date.prototype.toISOString()
# - Only affects dev-time tooling, not production code
GHSA-5c6j-r48x-rmvq
# Excluded because:
# - Transitive dependency through lerna and yeoman-generator requiring tar < 7.5.7
# - This CVE affects tar's extraction process (hardlink path traversal in crafted archives)
# - Our usage is limited to archive PACKING operations only, not extraction
# - Forcing tar v7.5.7+ breaks lerna's packDirectory API (same constraint as GHSA-8qq5-rm4j-mr97)
GHSA-qffp-2rhf-9h96
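Every exclusion in a file like this is a deliberate decision to accept a known advisory, so a useful review-time check is that no identifier is listed without a written justification. The following checker is an added example, not code from this repository or from improved-yarn-audit; it assumes only the layout visible above (comment lines start with `#`, justification bullets start with `# - `, and each advisory id sits alone on its own line directly below its comment block). The sample input is constructed for the demonstration.

```javascript
// Added example: a minimal linter for an `.iyarc`-style exclusion file.
// It pairs each GHSA identifier with the comment block immediately above it
// and reports identifiers that are malformed, duplicated, or unjustified.
// Format assumptions (not taken from any tool's documentation): '#' starts a
// comment, '# - ' starts a justification bullet, one advisory id per line.

// Lenient shape check for GitHub advisory ids (GHSA-xxxx-xxxx-xxxx).
const ADVISORY_RE = /^GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}$/;

// Parse the file text into [{ id, valid, reasons }] entries; `reasons` holds
// the comment lines (with the leading '# ' stripped) that precede the id.
function parseIyarc(text) {
  const entries = [];
  let reasons = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '') continue;
    if (line.startsWith('#')) {
      reasons.push(line.replace(/^#\s?/, ''));
      continue;
    }
    entries.push({ id: line, valid: ADVISORY_RE.test(line), reasons });
    reasons = []; // comments belong to the id that follows them, not the next one
  }
  return entries;
}

// Return a list of human-readable problems; an empty list means the file passes.
function findProblems(entries) {
  const problems = [];
  const seen = new Set();
  for (const e of entries) {
    if (!e.valid) problems.push(`${e.id}: not a GHSA identifier`);
    if (seen.has(e.id)) problems.push(`${e.id}: listed more than once`);
    seen.add(e.id);
    // A bare "Excluded because:" header with no bullet under it is not a justification.
    const bullets = e.reasons.filter((r) => r.startsWith('- '));
    if (bullets.length === 0) problems.push(`${e.id}: no justification given`);
  }
  return problems;
}

// Constructed sample: one justified exclusion, one with no comment at all,
// and one with only the header line.
const SAMPLE_IYARC = `
# Excluded because:
# - This CVE affects archive EXTRACTION
# - We only use tar for PACKING
GHSA-8qq5-rm4j-mr97
GHSA-aaaa-bbbb-cccc
# Excluded because:
GHSA-dddd-eeee-ffff
`;

// Convenience wrapper so the whole check is one call.
function lintIyarc(text) {
  return findProblems(parseIyarc(text));
}

const report = lintIyarc(SAMPLE_IYARC);
console.log(report.length ? report.join('\n') : 'all exclusions are justified');
```

Wired into CI (for example, fed the real `.iyarc` via `fs.readFileSync`), a non-empty report can fail the build, which keeps the "why" next to every accepted advisory and makes a silently added exclusion visible in review.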