Commit 03a8076

ci(github-actions): Update vuln allowlist for audit-ci
Allow tar findings, remove resolved findings
1 parent e27f626 commit 03a8076

1 file changed

Lines changed: 15 additions & 11 deletions

File tree

audit-ci.jsonc

Original file line numberDiff line numberDiff line change
@@ -11,16 +11,20 @@
1111
// Fix is available in VitePress 2.x with esbuild v0.25.x, but no stable release yet (only alpha).
1212
"GHSA-67mh-4wv8-2f99|vitepress>vite>esbuild",
1313

14-
// We fix this vulnerability in the production code by overrides for the production build,
15-
// but the vulnerable version of minimatch is still used in development dependencies.
16-
// The reasoning is that it's a transitive dependency with a version that way bellow the fixed one (v3 vs v10) and
17-
// overriding such a version will break the development environment.
18-
"GHSA-3ppc-4f35-3m26|@eslint/eslintrc>minimatch>",
19-
"GHSA-3ppc-4f35-3m26|@istanbuljs/esm-loader-hook>test-exclude>minimatch",
20-
"GHSA-3ppc-4f35-3m26|babel-plugin-istanbul>test-exclude>minimatch",
21-
"GHSA-3ppc-4f35-3m26|eslint>@eslint/config-array>minimatch",
22-
"GHSA-3ppc-4f35-3m26|js-beautify>editorconfig>minimatch",
23-
"GHSA-3ppc-4f35-3m26|minimatch>",
24-
"GHSA-3ppc-4f35-3m26|nyc>test-exclude>minimatch",
14+
// None of the tar vulnerabilities listed below can be exploited in the context of UI5 CLI.
15+
// All archives handled by UI5 CLI are provided by SAP and hosted on the npm registry, hence
16+
// they are seen as trusted sources.
17+
// We nevertheless upgraded the tar dependency to the fixed version using overwrites in the package.json.
18+
// This only affects productive dependencies though, not development dependencies.
19+
"GHSA-34x7-hfp2-rc4v|@npmcli/metavuln-calculator>pacote>tar>",
20+
"GHSA-34x7-hfp2-rc4v|licensee>@npmcli/arborist>pacote>tar",
21+
"GHSA-83g3-92jg-28cx|@npmcli/metavuln-calculator>pacote>tar>",
22+
"GHSA-83g3-92jg-28cx|licensee>@npmcli/arborist>pacote>tar",
23+
"GHSA-8qq5-rm4j-mr97|@npmcli/metavuln-calculator>pacote>tar>",
24+
"GHSA-8qq5-rm4j-mr97|licensee>@npmcli/arborist>pacote>tar",
25+
"GHSA-qffp-2rhf-9h96|@npmcli/metavuln-calculator>pacote>tar>",
26+
"GHSA-qffp-2rhf-9h96|licensee>@npmcli/arborist>pacote>tar",
27+
"GHSA-r6q2-hw4h-h46w|@npmcli/metavuln-calculator>pacote>tar>",
28+
"GHSA-r6q2-hw4h-h46w|licensee>@npmcli/arborist>pacote>tar",
2529
]
2630
}
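Review bot: the justification in the new comment block ("All archives handled by UI5 CLI are provided by SAP and hosted on the npm registry, hence they are seen as trusted sources") does not match the paths being allowlisted, which all go through `pacote>tar` under `@npmcli/metavuln-calculator` and `licensee>@npmcli/arborist`, i.e. npm tooling that extracts whatever tarballs the dependency tree resolves to, not only SAP-published archives. The last comment line ("This only affects productive dependencies though, not development dependencies") is the actual reason these findings are acceptable, so I would lead with it: state that the listed paths are reachable only from development dependencies, that the production build resolves the fixed tar through the `package.json` overrides, and drop the "trusted sources" argument, which would not hold if one of these paths ever became reachable in the shipped CLI. Two wording nits in the same comment: npm's mechanism is `overrides`, not "overwrites", and "productive dependencies" should read "production dependencies" (as written, the sentence also says the opposite of what the allowlist implies, since the allowlisted paths are the development ones). Finally, the trailing `>` on the `@npmcli/metavuln-calculator>pacote>tar>` entries versus none on `licensee>@npmcli/arborist>pacote>tar` mirrors the removed minimatch entries, so it is presumably the path form audit-ci reports; a one-line comment on that path format would keep the next person from "fixing" it.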
