diff --git a/.iyarc b/.iyarc
index 19ab0f6f42..0f9d12217f 100644
--- a/.iyarc
+++ b/.iyarc
@@ -82,3 +82,36 @@ GHSA-rpr9-rxv7-x643
 # - esbuild is a dev-time build tool (via babylonlabs-io-btc-staking-ts), not runtime production code
 # - The attacker-controlled NPM_CONFIG_REGISTRY vector does not apply to our controlled CI environment
 GHSA-gv7w-rqvm-qjhr
+
+# Excluded because:
+# - ws: Memory exhaustion DoS by sending many tiny fragments/data chunks to exhaust server memory
+# - Transitive dependency via @cosmjs/socket, @ethersproject/providers, @polkadot/rpc-provider,
+# jayson, rpc-websockets (via @solana/web3.js), and avalanche — all requiring ws <8.21.0
+# - Our usage is exclusively as a WebSocket CLIENT for blockchain RPC connections, not as a server
+# - The DoS vector requires an attacker to send crafted frames to a ws server we control; we do not
+# expose any ws server surfaces in production
+GHSA-96hv-2xvq-fx4p
+
+# Excluded because:
+# - form-data: CRLF injection via unescaped multipart field names and filenames
+# - Transitive dependency via superagent (abstract-cosmos, express, supertest) and @aptos-labs/ts-sdk
+# - The injection requires attacker-controlled field names or filenames in multipart requests
+# - All form-data field names and filenames in our codebase are code-controlled constants,
+# not derived from user input — no untrusted data flows into form field names or filenames
+GHSA-hmw2-7cc7-3qxx
+
+# Excluded because:
+# - protobufjs: DoS through unbounded Any expansion during JSON conversion (parseAny recursion)
+# - Transitive dependency via @cosmjs (abstract-cosmos, babylonlabs-io-btc-staking-ts) and
+# @hashgraph/proto, @hashgraph/sdk (sdk-coin-hbar) — all requiring protobufjs <=7.5.x
+# - Input to protobuf decoding comes from trusted blockchain RPC responses, not arbitrary user data
+# - Patched version (7.6.1) requires upstream @cosmjs and @hashgraph dependency updates
+GHSA-wcpc-wj8m-hjx6
+
+# Excluded because:
+# - tmp: path traversal via type-confusion in _assertPath (non-string prefix/postfix/template)
+# - Transitive dependency via cypress (web-demo), karma (bitgo module), and lerna/nx (dev tooling)
+# - All usages are dev-time only; tmp is never used in production or runtime code
+# - The prefix/postfix/template args are all hard-coded string constants in calling code,
+# not user-supplied — the type-confusion vector does not apply
+GHSA-7c78-jf6q-g5cm
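Review bot: None of the four new exclusion blocks states a condition under which the exclusion should be removed, so each will outlive the reasoning that justifies it; the protobufjs block already names the trigger (upstream @cosmjs and @hashgraph moving to 7.6.1) but does not turn it into an action. Each block should end with a line such as `# - Remove when: @cosmjs and @hashgraph packages require protobufjs >=7.6.1`, with the ws, form-data and tmp blocks stating their equivalent (a ws floor of 8.21.0 reaching the listed providers, and so on), so the next audit run has something concrete to check against. The protobufjs rationale also rests on "trusted blockchain RPC responses"; those are network responses from whichever endpoints happen to be configured, so the note should say that the exclusion assumes operator-controlled RPC endpoints rather than describing the input as trusted by nature. Likewise the ws rationale holds only while no dependency in the tree opens a listening WebSocket server, which is worth recording as the assumption being relied on.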