From 7098d30769f322d39daef247ccfa527458bff50b Mon Sep 17 00:00:00 2001
From: Pranav Jain
Date: Thu, 14 May 2026 16:32:49 -0400
Subject: [PATCH] chore: update audit exclusions for sanitize-html XSS

Remove stale exclusions GHSA-xq3m-2v4x-88gg and GHSA-rp42-5vxx-qpwr, which are no longer reported by yarn audit.

Add GHSA-rpr9-rxv7-x643 (sanitize-html xmp XSS, CVE-2026-44990, no upstream fix yet); our usage strips all tags with allowedTags: [] and outputs plain text in error messages, so there is no DOM rendering path.

Ticket: WCN-565
---
 .iyarc | 26 +++++++------------------
 1 file changed, 7 insertions(+), 19 deletions(-)

diff --git a/.iyarc b/.iyarc
index 1291fb74df..6e388ef3ce 100644
--- a/.iyarc
+++ b/.iyarc
@@ -68,22 +68,10 @@ GHSA-9ppj-qmqm-q256 GHSA-2w8x-224x-785m # Excluded because: -# - Arbitrary code execution in protobufjs via malicious protobuf definition files (severity: critical) -# - Affects protobufjs < 7.5.5; installed versions: 6.11.4 (@cosmjs/stargate), 7.2.5 (@hashgraph/sdk, -# sdk-coin-islm, sdk-coin-trx, sdk-coin-hbar), 7.5.4 (abstract-cosmos, sdk-coin-icp) -# - Exploitation requires attacker-controlled .proto definition files; all protobuf definitions in this -# repo are static files bundled within trusted upstream dependencies — not user-supplied -# - Versions 6.11.4 and 7.2.5 are pinned by upstream deps (@cosmjs ~6.11.x, @hashgraph/sdk 7.2.5) -# that do not yet support 7.5.5 -GHSA-xq3m-2v4x-88gg - -# Excluded because: -# - DoS via memory exhaustion in basic-ftp <= 5.2.2 (severity: high, CVSS 7.5) -# - Client.list() buffers entire directory listings without size limits; a malicious FTP server -# can send unbounded data to exhaust client memory -# - Transitive dependency through pac-proxy-agent > get-uri > basic-ftp; used for PAC-based -# proxy resolution, not direct FTP operations -# - Exploitation requires connecting to a malicious FTP server; all proxy targets in this -# project are controlled internal endpoints, not user-supplied FTP URLs -# - Pinned at 5.2.2 in root resolutions; upstream get-uri has not yet updated to require 5.3.0 -GHSA-rp42-5vxx-qpwr +# - XSS via xmp raw-text passthrough in sanitize-html (severity: critical, CVE-2026-44990) +# - patched_versions: "<0.0.0" — no upstream fix exists yet +# - Used in @bitgo/sdk-api to strip all HTML from API error response text (allowedTags: []) +# - Output is appended to a JavaScript error string server-side, never rendered as HTML in a browser +# - The xmp bypass produces live HTML markup in output, but since we discard all tags and use +# the result as plain text in Error messages, there is no DOM rendering path and no XSS risk +GHSA-rpr9-rxv7-x643
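Review bot: the justification for the new GHSA-rpr9-rxv7-x643 entry rests on two claims that contradict each other: "we discard all tags" (allowedTags: []) and "the xmp bypass produces live HTML markup in output". The bypass is precisely the case where allowedTags: [] does not strip the markup, so the tag allowlist is not the mitigating control here; the only real mitigation stated is that the caller appends the result to an Error message and never renders it as HTML. Suggest rewording the last two bullets to rest on that single property, e.g. "mitigated because the caller only ever uses the result as the text of an Error and never renders it into a DOM", and naming the consuming function in @bitgo/sdk-api so the next reviewer can check it, since any downstream UI that renders error.message with innerHTML would reopen the path. Separately, with patched_versions "<0.0.0" there is no version to bump to, so unlike the two removed entries (which recorded affected and installed versions and the upstream dependency that pinned them), this exclusion has no expiry condition; please add the installed sanitize-html version and the dependency path that pulls it in, plus a line stating that the entry must be dropped once a patched release is published, so it does not go stale the way GHSA-xq3m-2v4x-88gg and GHSA-rp42-5vxx-qpwr did.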