audit-ci.jsonc
{
// $schema provides code completion hints to IDEs.
"$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
"low": true,
"allowlist": [
// GHSA-67mh-4wv8-2f99: while the esbuild dev server is running, its permissive CORS headers let any
// website the developer visits send requests to it and read the responses (the served source files).
// We use VitePress only for the documentation build, and all of that content is already publicly
// available on GitHub Pages, so exposure during local development leaks nothing confidential.
// This issue affects only the dev server. Production/CI builds are unaffected.
//
// A fix is available in VitePress 2.x with esbuild v0.25.x, but there is no stable release yet (only alpha).
"GHSA-67mh-4wv8-2f99|vitepress>vite>esbuild",
// None of the tar vulnerabilities listed below can be exploited in the context of UI5 CLI.
// All archives handled by UI5 CLI are provided by SAP and hosted on the npm registry, hence
// they are treated as trusted sources.
// We nevertheless upgraded the tar dependency to the fixed version using "overrides" in package.json.
// That override only reaches the production dependencies, though, not the development dependencies;
// the entries below cover the remaining development-dependency paths.
"GHSA-34x7-hfp2-rc4v|@npmcli/metavuln-calculator>pacote>tar>",
"GHSA-34x7-hfp2-rc4v|licensee>@npmcli/arborist>pacote>tar",
"GHSA-83g3-92jg-28cx|@npmcli/metavuln-calculator>pacote>tar>",
"GHSA-83g3-92jg-28cx|licensee>@npmcli/arborist>pacote>tar",
"GHSA-8qq5-rm4j-mr97|@npmcli/metavuln-calculator>pacote>tar>",
"GHSA-8qq5-rm4j-mr97|licensee>@npmcli/arborist>pacote>tar",
"GHSA-qffp-2rhf-9h96|@npmcli/metavuln-calculator>pacote>tar>",
"GHSA-qffp-2rhf-9h96|licensee>@npmcli/arborist>pacote>tar",
"GHSA-r6q2-hw4h-h46w|@npmcli/metavuln-calculator>pacote>tar>",
"GHSA-r6q2-hw4h-h46w|licensee>@npmcli/arborist>pacote>tar",
]
}
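As an added example (not part of UI5 CLI or of audit-ci itself): a small dependency-free Node.js script that reconciles an allowlist of this shape with an `npm audit --json` report. It parses the JSONC, reconstructs the `top-level>...>vulnerable` paths that allowlist entries refer to by walking each vulnerability's `effects` upward to a direct dependency, and then reports two things a maintainer of this file wants to know: advisories that are not allowlisted (CI should fail) and allowlist entries that no longer match anything (stale, which is what the tar entries above become once the fixed version reaches every path). The allowlist text and the audit report below are constructed sample data; the path matching is a simplified exact-string comparison, not audit-ci's own matcher.

```javascript
// Added example: reconcile an audit-ci allowlist with an `npm audit --json` report.
// Not part of UI5 CLI or audit-ci; matching is a simplified exact-string comparison
// and both inputs are constructed sample data.

// Parse JSONC (JSON with // and /* */ comments and trailing commas) without a library.
// Strings are copied verbatim, so a "//" inside a URL such as $schema is not treated as a comment.
function parseJsonc(text) {
  let out = "";
  let pendingComma = false;
  for (let i = 0; i < text.length; ) {
    const ch = text[i];
    if (ch === "/" && text[i + 1] === "/") {            // line comment: skip to end of line
      while (i < text.length && text[i] !== "\n") i++;
      continue;
    }
    if (ch === "/" && text[i + 1] === "*") {            // block comment: skip past "*/"
      const end = text.indexOf("*/", i + 2);
      i = end === -1 ? text.length : end + 2;
      continue;
    }
    if (/\s/.test(ch)) { out += ch; i++; continue; }
    if (ch === ",") { pendingComma = true; i++; continue; } // decide later whether to keep it
    if (pendingComma) {
      if (ch !== "]" && ch !== "}") out += ",";           // drop the comma only if it was trailing
      pendingComma = false;
    }
    if (ch === '"') {                                     // string literal, honouring escapes
      let j = i + 1;
      while (j < text.length && text[j] !== '"') j += text[j] === "\\" ? 2 : 1;
      out += text.slice(i, j + 1);
      i = j + 1;
      continue;
    }
    out += ch;
    i++;
  }
  return JSON.parse(out);
}

// npm audit v2 lists, per vulnerable package, the packages that depend on it in `effects`.
// Walking `effects` upward until a package with isDirect: true yields the
// "top-level>...>vulnerable" paths that audit-ci allowlist entries refer to.
function chainsFor(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  if (!entry || seen.has(name)) return [];             // unknown node or cycle
  const visited = new Set(seen).add(name);
  const chains = entry.isDirect ? [[name]] : [];
  for (const parent of entry.effects || []) {
    for (const chain of chainsFor(report, parent, visited)) chains.push([...chain, name]);
  }
  return chains.length ? chains : [[name]];
}

// Returns advisories in the report that the allowlist does not cover, and allowlist
// entries that match nothing in the report (stale entries that should be removed).
function reconcile(allowlist, report) {
  const findings = new Set();
  for (const [name, entry] of Object.entries(report.vulnerabilities)) {
    for (const via of entry.via) {
      if (typeof via !== "object") continue;             // string via = reference to another entry
      const id = /GHSA-[\w-]+/.exec(via.url || "");
      if (!id) continue;
      for (const chain of chainsFor(report, name)) findings.add(`${id[0]}|${chain.join(">")}`);
    }
  }
  const allowed = new Set(allowlist);
  return {
    unallowlisted: [...findings].filter((f) => !allowed.has(f)).sort(),
    stale: [...allowed].filter((a) => !findings.has(a)).sort(),
  };
}

// Constructed sample allowlist, modelled on the file above (comments and trailing commas included).
const SAMPLE_ALLOWLIST_JSONC = `{
  // $schema provides code completion hints to IDEs.
  "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
  "low": true,
  "allowlist": [
    "GHSA-34x7-hfp2-rc4v|licensee>@npmcli/arborist>pacote>tar",
    "GHSA-83g3-92jg-28cx|licensee>@npmcli/arborist>pacote>tar", /* assume this one is fixed now */
  ],
}`;

// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2); not real audit output.
const SAMPLE_AUDIT_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    tar: {
      name: "tar", isDirect: false, effects: ["pacote"],
      via: [
        { name: "tar", url: "https://github.com/advisories/GHSA-34x7-hfp2-rc4v" },
        { name: "tar", url: "https://github.com/advisories/GHSA-8qq5-rm4j-mr97" },
      ],
    },
    pacote: { name: "pacote", isDirect: false, via: ["tar"], effects: ["@npmcli/arborist"] },
    "@npmcli/arborist": { name: "@npmcli/arborist", isDirect: false, via: ["pacote"], effects: ["licensee"] },
    licensee: { name: "licensee", isDirect: true, via: ["@npmcli/arborist"], effects: [] },
  },
};

function run() {
  const config = parseJsonc(SAMPLE_ALLOWLIST_JSONC);
  return reconcile(config.allowlist, SAMPLE_AUDIT_REPORT);
}

const result = run();
console.log("not allowlisted (CI should fail):", result.unallowlisted);
console.log("stale allowlist entries (remove them):", result.stale);
```

With the sample data the GHSA-8qq5-rm4j-mr97 path is reported as not allowlisted and the GHSA-83g3-92jg-28cx entry as stale. In a real pipeline the two inputs would come from the repository's `audit-ci.jsonc` and from `npm audit --json`; keeping the stale check in CI is what prevents an allowlist like the one above from silently outliving the vulnerable versions it was written for.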