From c2637502b7e7b5959a32781e2e1d2ad32d54880d Mon Sep 17 00:00:00 2001 From: Matthias Osswald Date: Thu, 2 Jul 2026 13:25:31 +0200 Subject: [PATCH] [INTERNAL] Update audit allowlist - Drop js-yaml GHSA-h67p-54hq-rp68; already fixed via js-yaml update - Add @sigstore/core GHSA-jfc7-64v2-mr8c and state not exploitable --- audit-ci.jsonc | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/audit-ci.jsonc b/audit-ci.jsonc
index d36a2cb1a1e..b457e816a91 100644
--- a/audit-ci.jsonc
+++ b/audit-ci.jsonc
@@ -3,9 +3,12 @@
 "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
 "low": true,
 "allowlist": [
- // JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
- // This only affects js-yaml within our test dependencies where every YAML file is under our control
- // so it is not applicable to our use case.
- "GHSA-h67p-54hq-rp68|depcheck>js-yaml"
+ // @ui5/project uses only pacote.packument(), pacote.manifest(), and pacote.extract()
+ // with verifySignatures/verifyAttestations left at their default false.
+ // Neither the vulnerable sigstore.verify() path nor the DSSE preAuthEncoding code is
+ // reachable through our call sites, so neither advisory is exploitable via @ui5/project.
+ "GHSA-jfc7-64v2-mr8c|@sigstore/sign>@sigstore/core",
+ "GHSA-jfc7-64v2-mr8c|@sigstore/verify>@sigstore/core",
+ "GHSA-jfc7-64v2-mr8c|@ui5/cli>@ui5/project>pacote>sigstore>@sigstore/core"
 ]
 }
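Review bot: The new allowlist rationale (the `+ // @ui5/project uses only pacote.packument()…` comment) justifies the exclusion by call-site reachability and by pacote's default option values, but records no condition under which it must be revisited; unlike a fixed-version entry, a "not reachable" argument goes stale silently when a new pacote call site is added or verifySignatures/verifyAttestations are switched on. Suggest appending one line to that comment, e.g. `// Re-evaluate whenever pacote/sigstore are bumped or signature verification is enabled; drop once @sigstore/core >= <FIXED_VERSION> is installed.` The comment also says "neither advisory is exploitable" while only one advisory id (GHSA-jfc7-64v2-mr8c) appears across the three entries, so either a second id was meant or the wording should read "the advisory". The first two paths (`@sigstore/sign>@sigstore/core`, `@sigstore/verify>@sigstore/core`) do not run through @ui5/project, so the stated rationale presumably covers them only if those roots are reached via the same pacote usage; naming which dependency pulls them in would make that explicit.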