From 1a90f5c978d2c90f2f296d9813d085b3855cd5e5 Mon Sep 17 00:00:00 2001 From: Lokesh Chandra Date: Thu, 5 Mar 2026 13:28:34 +0530 Subject: [PATCH] fix(root): exclude tar vulnerability Ticket: WP-8127 --- .iyarc | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.iyarc b/.iyarc index 73d9afe3ae..c9ba2bf4ca 100644 --- a/.iyarc +++ b/.iyarc @@ -49,3 +49,10 @@ GHSA-23c5-xmqv-rm74 # - serialize-javascript RCE via malicious RegExp.flags and Date.prototype.toISOString() # - Only affects dev-time tooling, not production code GHSA-5c6j-r48x-rmvq + +# Excluded because: +# - Transitive dependency through lerna and yeoman-generator requiring tar < 7.5.7 +# - This CVE affects tar's extraction process (hardlink path traversal in crafted archives) +# - Our usage is limited to archive PACKING operations only, not extraction +# - Forcing tar v7.5.7+ breaks lerna's packDirectory API (same constraint as GHSA-8qq5-rm4j-mr97) +GHSA-qffp-2rhf-9h96
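Review bot: the exclusion comment for GHSA-qffp-2rhf-9h96 rests on the claim that tar is reached only through "archive PACKING operations", but nothing in the hunk or the commit message records how that was established for both transitive consumers (lerna and yeoman-generator), so the exception cannot be re-checked when either dependency is bumped. Please add to the comment block how the packing-only usage was verified (which lerna/yeoman-generator entry points are used, or the call sites inspected) and a removal condition such as "drop once lerna and yeoman-generator accept tar >= 7.5.7", mirroring the reference to GHSA-8qq5-rm4j-mr97 that is already there. Minor wording point: the entry is a GHSA identifier, so "This CVE affects ..." would read more accurately as "This advisory affects ...", consistent with the other entries in .iyarc.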