Merged
33 changes: 33 additions & 0 deletions .iyarc
@@ -82,3 +82,36 @@ GHSA-rpr9-rxv7-x643
# - esbuild is a dev-time build tool (via babylonlabs-io-btc-staking-ts), not runtime production code
# - The attacker-controlled NPM_CONFIG_REGISTRY vector does not apply to our controlled CI environment
GHSA-gv7w-rqvm-qjhr

# Excluded because:
# - ws: Memory exhaustion DoS by sending many tiny fragments/data chunks to exhaust server memory
# - Transitive dependency via @cosmjs/socket, @ethersproject/providers, @polkadot/rpc-provider,
# jayson, rpc-websockets (via @solana/web3.js), and avalanche — all requiring ws <8.21.0
# - Our usage is exclusively as a WebSocket CLIENT for blockchain RPC connections, not as a server
# - The DoS vector requires an attacker to send crafted frames to a ws server we control; we do not
# expose any ws server surfaces in production
GHSA-96hv-2xvq-fx4p

# Excluded because:
# - form-data: CRLF injection via unescaped multipart field names and filenames
# - Transitive dependency via superagent (abstract-cosmos, express, supertest) and @aptos-labs/ts-sdk
# - The injection requires attacker-controlled field names or filenames in multipart requests
# - All form-data field names and filenames in our codebase are code-controlled constants,
# not derived from user input — no untrusted data flows into form field names or filenames
GHSA-hmw2-7cc7-3qxx

# Excluded because:
# - protobufjs: DoS through unbounded Any expansion during JSON conversion (parseAny recursion)
# - Transitive dependency via @cosmjs (abstract-cosmos, babylonlabs-io-btc-staking-ts) and
# @hashgraph/proto, @hashgraph/sdk (sdk-coin-hbar) — all requiring protobufjs <=7.5.x
# - Input to protobuf decoding comes from trusted blockchain RPC responses, not arbitrary user data
# - Patched version (7.6.1) requires upstream @cosmjs and @hashgraph dependency updates
GHSA-wcpc-wj8m-hjx6

# Excluded because:
# - tmp: path traversal via type-confusion in _assertPath (non-string prefix/postfix/template)
# - Transitive dependency via cypress (web-demo), karma (bitgo module), and lerna/nx (dev tooling)
# - All usages are dev-time only; tmp is never used in production or runtime code
# - The prefix/postfix/template args are all hard-coded string constants in calling code,
# not user-supplied — the type-confusion vector does not apply
GHSA-7c78-jf6q-g5cm
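Review bot: none of the five new exclusion blocks records a condition or tracking reference for removing the exclusion, even though the protobufjs entry explicitly depends on an upstream change ("Patched version (7.6.1) requires upstream @cosmjs and @hashgraph dependency updates"); suggest adding a line such as `# - Re-evaluate when: @cosmjs and @hashgraph consumers move to protobufjs >= 7.6.1` (and an equivalent for the ws <8.21.0 and tmp entries) so the audit allowlist does not silently outlive the reason for it. Two of the rationales also rest on scope claims that are not evidenced in the block: the form-data entry argues that "All form-data field names and filenames in our codebase are code-controlled constants", which covers first-party call sites but not the multipart bodies built inside the listed transitive consumers (superagent, @aptos-labs/ts-sdk), so it should state how those paths were checked; and the protobufjs entry treats "trusted blockchain RPC responses" as non-attacker input, which is a trust assumption about remote nodes that is worth naming as such (which endpoints, and whether they are operator-controlled) rather than stating as a property of the data.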