S3UTILS-222: allow low-severity aws-sdk v2 advisory in dependency review

nicolas2bert · nicolas2bert · commit e0af0fa22308 · 2026-03-03T17:47:41.000+01:00
Add GHSA-j965-2qgj-vjmq to the allow list since aws-sdk v2 is intentionally used as a devDependency for vault container compatibility. Also add /root/buckets-with-replication.json to step 8 cleanup.
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -14,3 +14,10 @@ jobs:
 
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@v4
+        with:
+          # aws-sdk v2 is intentionally used as a devDependency because the
+          # fix-missing-replication-permissions script runs inside the vault
+          # container of older S3C versions (pre-9.5.2) where only v2 is
+          # available. This low-severity advisory is informational (no patch
+          # exists, v2 is end-of-life).
+          allow-ghsas: GHSA-j965-2qgj-vjmq
