From 6b6f5fed2e2a46fccf33b3cca859ec325595a7a5 Mon Sep 17 00:00:00 2001 From: Manoj Kumar Date: Wed, 13 May 2026 00:00:42 +0530 Subject: [PATCH] fix(root): exclude unpatched protobufjs advisories from audit Add GHSA-66ff-xgx4-vchm and GHSA-75px-5xx7-5xc7 to .iyarc exclusion list. Both affect protobufjs <= 7.5.5 with no patched version available yet. Transitive deps via @cosmjs; all protobuf definitions are static trusted files, not user-supplied. CECHO-973 Co-Authored-By: Claude Opus 4.6 --- .iyarc | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.iyarc b/.iyarc index 1291fb74df..c620784858 100644 --- a/.iyarc +++ b/.iyarc @@ -87,3 +87,21 @@ GHSA-xq3m-2v4x-88gg # project are controlled internal endpoints, not user-supplied FTP URLs # - Pinned at 5.2.2 in root resolutions; upstream get-uri has not yet updated to require 5.3.0 GHSA-rp42-5vxx-qpwr + +# Excluded because: +# - Code injection through bytes field defaults in generated toObject code (severity: high) +# - Affects protobufjs <= 7.5.5; no patched version available yet (first_patched_version: null) +# - Transitive dependency through @cosmjs/proto-signing, @cosmjs/stargate, @confio/ics23 +# - Exploitation requires attacker-controlled protobuf definitions; all definitions in this +# repo are static files bundled within trusted upstream dependencies — not user-supplied +# - Published 2026-05-12; will bump once a patched version is released +GHSA-66ff-xgx4-vchm + +# Excluded because: +# - Code generation gadget after prototype pollution (severity: high) +# - Affects protobufjs <= 7.5.5; no patched version available yet (first_patched_version: null) +# - Same transitive dependency chain as GHSA-66ff-xgx4-vchm (@cosmjs, @confio/ics23) +# - Requires prototype pollution as a prerequisite; no known prototype pollution vectors exist +# in this repo's dependency tree +# - Published 2026-05-12; will bump once a patched version is released +GHSA-75px-5xx7-5xc7
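Review bot: the second exclusion's justification, "no known prototype pollution vectors exist in this repo's dependency tree", is stated as a fact without saying how it was checked, and a prototype-pollution prerequisite can be satisfied by any later dependency bump, so please record the basis (e.g. "none found in the audit output as of 2026-05-12") rather than an open-ended claim, and carry the CECHO-973 reference from the commit message into both comment blocks so the "will bump once a patched version is released" promise is tied to a tracked item the way the GHSA-rp42-5vxx-qpwr entry above ties its exclusion to a concrete pin; for the first exclusion, "all definitions in this repo are static files bundled within trusted upstream dependencies" is the load-bearing condition, so naming the check that enforces it (no runtime `.proto`/JSON descriptor loading from user input) would make the entry reviewable when it is revisited.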