.iyarc
# Excluded because:
# - Lerna requires tar v6, but no patched v6 exists (fix only in v7.5.3)
# - Forcing tar v7.5.3 breaks lerna's packDirectory API
# - This CVE affects archive EXTRACTION (unpacking malicious symlinks/hardlinks)
# - Lerna only uses tar for PACKING
GHSA-8qq5-rm4j-mr97
# Excluded because:
# - Transitive dependency through lerna and yeoman-generator, which currently pin tar to a < 7.5.4 range
# - We only use their tar integration for archive PACKING, not extraction
GHSA-r6q2-hw4h-h46w
# Excluded because:
# - Transitive dependency through lerna and yeoman-generator requiring tar < 7.5.4
# - This CVE affects tar's extraction process with specially crafted archives
# - Our usage is limited to archive PACKING operations only, not extraction
GHSA-34x7-hfp2-rc4v
# Excluded because:
# - Transitive dependency through lerna, depcheck, glob, mocha, yeoman-generator
# - minimatch 10.x introduces breaking API changes incompatible with lerna v9.0.0
# - This CVE (ReDoS in minimatch <10.2.1) affects glob pattern matching with repeated wildcards
# - Our usage is dev-time tooling only (build, test, file search)
# - Mitigated by controlled inputs (our own build scripts, not user-provided patterns)
GHSA-3ppc-4f35-3m26
# Excluded because:
# - Transitive dependency through lerna and yeoman-generator requiring tar < 7.5.4
# - This CVE affects tar's extraction process with specially crafted archives
# - Our usage is limited to archive PACKING operations only, not extraction
GHSA-83g3-92jg-28cx
# Excluded because:
# - Transitive dependency through lerna, depcheck, nyc, eslint, yeoman-generator, glob, shelljs
# - minimatch ReDoS via crafted glob patterns (same class as GHSA-3ppc-4f35-3m26)
# - Only affects dev-time tooling, not production code
GHSA-7r86-cg39-jmmj
# Excluded because:
# - Transitive dependency through lerna, depcheck, nyc, eslint, yeoman-generator, glob, shelljs
# - minimatch ReDoS via crafted glob patterns (same class as GHSA-3ppc-4f35-3m26)
# - Only affects dev-time tooling, not production code
# - Mitigated by controlled inputs (our own build scripts, not user-provided patterns)
GHSA-23c5-xmqv-rm74
# Excluded because:
# - Transitive dependency through lerna and yeoman-generator requiring tar < 7.5.7
# - This CVE affects tar's extraction process (hardlink path traversal in crafted archives)
# - Our usage is limited to archive PACKING operations only, not extraction
# - Forcing tar v7.5.7+ breaks lerna's packDirectory API (same constraint as GHSA-8qq5-rm4j-mr97)
GHSA-qffp-2rhf-9h96
# Excluded because:
# - Same risk profile as existing tar exclusions: CVE affects archive extraction (unpacking malicious archives)
# - We only use tar for packing, so exploitability is low
# - Security exception approved
GHSA-9ppj-qmqm-q256
# Excluded because:
# - CVE-2026-4258: missing point-on-curve validation in sjcl.ecc.basicKey.publicKey()
# - Transitive dependency via @bitgo/abstract-lightning > macaroon > sjcl
# - The vulnerability is in sjcl.ecc (ECDH invalid-curve attack); macaroon only uses
# sjcl.codec, sjcl.bitArray, sjcl.misc.hmac, and sjcl.hash.sha256 — no ECC operations
# - Additionally, @bitgo/sjcl (our fork) does not include sjcl.ecc at all
# - Resolved sjcl -> npm:@bitgo/sjcl@1.0.1 in root resolutions; sjcl.ecc is absent at runtime
# - No patched version of sjcl exists upstream (first_patched_version: null)
GHSA-2w8x-224x-785m
# Excluded because:
# - Arbitrary code execution in protobufjs via malicious protobuf definition files (severity: critical)
# - Affects protobufjs < 7.5.5; installed versions: 6.11.4 (@cosmjs/stargate), 7.2.5 (@hashgraph/sdk,
# sdk-coin-islm, sdk-coin-trx, sdk-coin-hbar), 7.5.4 (abstract-cosmos, sdk-coin-icp)
# - Exploitation requires attacker-controlled .proto definition files; all protobuf definitions in this
# repo are static files bundled within trusted upstream dependencies — not user-supplied
# - Versions 6.11.4 and 7.2.5 are pinned by upstream deps (@cosmjs ~6.11.x, @hashgraph/sdk 7.2.5)
# that do not yet support 7.5.5
GHSA-xq3m-2v4x-88gg
# Excluded because:
# - DoS via memory exhaustion in basic-ftp <= 5.2.2 (severity: high, CVSS 7.5)
# - Client.list() buffers entire directory listings without size limits; a malicious FTP server
# can send unbounded data to exhaust client memory
# - Transitive dependency through pac-proxy-agent > get-uri > basic-ftp; used for PAC-based
# proxy resolution, not direct FTP operations
# - Exploitation requires connecting to a malicious FTP server; all proxy targets in this
# project are controlled internal endpoints, not user-supplied FTP URLs
# - Pinned at 5.2.2 in root resolutions; upstream get-uri has not yet updated to require 5.3.0
GHSA-rp42-5vxx-qpwr
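Every exclusion above rests on a rationale that can go stale (a transitive dependency gets bumped, an upstream patch lands, an advisory stops being reported), and an ID with no comment above it is an exception nobody can review. The script below is an added example, not part of this repository or of improved-yarn-audit itself: it parses a `.iyarc` file under the assumption that the format is one advisory ID per line with `#` comments, treats the comment block directly above an ID as its rationale, flags entries with no rationale, malformed IDs and duplicates, then reconciles the exclusion list against `yarn audit --json` output. The audit lines are assumed to follow yarn v1's newline-delimited shape (`type: "auditAdvisory"` with `data.advisory.github_advisory_id` and a numeric `data.advisory.id`); both the `.iyarc` sample and the audit sample are constructed inline for the demo, with the numeric IDs being placeholders.

```javascript
'use strict';

// Constructed sample in the page's own .iyarc style (not the real file):
// line 4 has no rationale and line 8 repeats line 3.
const IYARC_SAMPLE = `# Excluded because:
# - This CVE affects archive EXTRACTION; lerna only uses tar for PACKING
GHSA-8qq5-rm4j-mr97
GHSA-rp42-5vxx-qpwr
# Excluded because:
# - Same risk profile as the tar exclusions above
GHSA-9ppj-qmqm-q256
GHSA-8qq5-rm4j-mr97
`;

// Constructed stand-in for `yarn audit --json` (yarn v1, one JSON object per line).
// Numeric ids are placeholders, not real registry advisory numbers.
const AUDIT_SAMPLE = [
  JSON.stringify({ type: 'auditAdvisory', data: { advisory: { id: 1, github_advisory_id: 'GHSA-8qq5-rm4j-mr97', module_name: 'tar' } } }),
  JSON.stringify({ type: 'auditAdvisory', data: { advisory: { id: 2, github_advisory_id: 'GHSA-3ppc-4f35-3m26', module_name: 'minimatch' } } }),
  JSON.stringify({ type: 'auditSummary', data: { vulnerabilities: { high: 1, critical: 1 } } }),
].join('\n');

// Accepts GHSA ids or the numeric npm advisory ids improved-yarn-audit also allows.
const ID_RE = /^(GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}|\d+)$/;

// Parse .iyarc text into [{ id, rationale: [comment lines], line }].
// Comment lines accumulate until the next ID line consumes them as its rationale.
function parseIyarc(text) {
  const entries = [];
  let pending = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim();
    if (line === '') return;                      // blank lines are ignored
    if (line.startsWith('#')) {                   // comment: strip the marker, keep the text
      pending.push(line.replace(/^#\s?/, ''));
      return;
    }
    entries.push({ id: line, rationale: pending, line: idx + 1 });
    pending = [];
  });
  return entries;
}

// Lint the exclusion list: every ID must be well formed, justified and unique.
function lintIyarc(entries) {
  const problems = [];
  const seen = new Map();                         // id -> first line it appeared on
  for (const e of entries) {
    if (!ID_RE.test(e.id)) problems.push({ line: e.line, id: e.id, issue: 'malformed advisory id' });
    if (e.rationale.length === 0) problems.push({ line: e.line, id: e.id, issue: 'no rationale comment' });
    if (seen.has(e.id)) problems.push({ line: e.line, id: e.id, issue: `duplicate of line ${seen.get(e.id)}` });
    else seen.set(e.id, e.line);
  }
  return problems;
}

// Collect the advisory ids yarn currently reports, preferring the GHSA id
// and falling back to the numeric id when no GHSA id is present.
function reportedAdvisoryIds(auditJsonLines) {
  const ids = new Set();
  for (const l of auditJsonLines.split(/\r?\n/)) {
    if (l.trim() === '') continue;
    const obj = JSON.parse(l);
    if (obj.type !== 'auditAdvisory') continue;
    const adv = obj.data.advisory;
    ids.add(adv.github_advisory_id ? adv.github_advisory_id : String(adv.id));
  }
  return ids;
}

// stale: excluded but no longer reported (the exception should be deleted);
// unexcluded: reported but not excluded (the audit gate will fail on it).
function reconcile(entries, reported) {
  const excluded = new Set(entries.map((e) => e.id));
  return {
    stale: [...excluded].filter((id) => !reported.has(id)),
    unexcluded: [...reported].filter((id) => !excluded.has(id)),
  };
}

// Demo over the constructed samples; on a real tree feed the file contents and
// the captured `yarn audit --json` output into the same three functions.
const demoEntries = parseIyarc(IYARC_SAMPLE);
for (const p of lintIyarc(demoEntries)) console.log(`.iyarc:${p.line} ${p.id}: ${p.issue}`);
const demoResult = reconcile(demoEntries, reportedAdvisoryIds(AUDIT_SAMPLE));
console.log('stale exclusions:', demoResult.stale);
console.log('reported but not excluded:', demoResult.unexcluded);
```

Run it as a pre-commit or CI step and fail the build on any lint problem or any stale entry: a stale exclusion is exactly the case where an upstream fix arrived and the comment above it ("no patched version exists", "pinned by upstream deps") silently stopped being true.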