32 lines (30 loc) · 1.91 KB
audit-ci.jsonc
{
  // $schema provides code completion hints to IDEs.
  "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
  "low": true,
  "allowlist": [
    // GHSA-67mh-4wv8-2f99 allows malicious websites to read localhost files while the dev server runs.
    // We use VitePress for the documentation build, and all the information is already publicly available on GitHub Pages.
    // Exposure during local development doesn't leak confidential information.
    // This issue affects only the dev server. Production/CI builds are unaffected.
    //
    // A fix is available in VitePress 2.x with esbuild v0.25.x, but there is no stable release yet (only alpha).
    "GHSA-67mh-4wv8-2f99|vitepress>vite>esbuild",
    // GHSA-4w7w-66w2-5vf9 is a path traversal in Vite's dev server allowing .map file reads outside
    // the project root when the server is network-exposed (--host).
    // Not a risk here: the dev server is only used locally (never exposed to the network) and all
    // documentation content is already publicly available on GitHub Pages.
    // This issue affects only the dev server. Production/CI builds are unaffected.
    //
    // No fix is available for Vite 5.x; patches exist only for Vite >= 6.4.2.
    // A fix would require upgrading to VitePress 2.x (which depends on Vite 6+), but there is no stable release yet.
    "GHSA-4w7w-66w2-5vf9|vitepress>vite",
    // GHSA-w5hq-g745-h8pq: uuid v3/v5/v6 fail to validate output buffer bounds, allowing silent
    // partial writes. Not a risk here: istanbul-lib-processinfo only uses uuid.v4() (which is
    // unaffected) and nyc is a dev-only test coverage tool — no untrusted input reaches uuid.
    //
    // Fixed in uuid >= 14.0.0, but nyc's dependency chain pins uuid 8.x.
    // Upgrading nyc to 18.x to pick up the fix.
    "GHSA-w5hq-g745-h8pq|nyc>istanbul-lib-processinfo>uuid"
  ]
}