From 2d2cb2b270387773e605dce9d014d0986dbb8bed Mon Sep 17 00:00:00 2001
From: Juan Correa
Date: Wed, 18 Feb 2026 10:39:56 -0500
Subject: [PATCH] fix: remove incorrectly allowlisted GHSA-38c4-r59v-3vqw from audit-ci
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Removed GHSA-38c4-r59v-3vqw (markdown-it ReDoS) from allowlist — already on fixed version 14.1.1 via typedoc, was never actually vulnerable
- GHSA-2g4f-4pwh-qvx6 (ajv ReDoS) remains allowlisted — eslint 9's @eslint/eslintrc uses ajv 6.x API internally, override to 8.x crashes eslint
Co-Authored-By: Claude Opus 4.6
---
 audit-ci.jsonc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/audit-ci.jsonc b/audit-ci.jsonc
index 28ac9d5..f391fc3 100644
--- a/audit-ci.jsonc
+++ b/audit-ci.jsonc
@@ -4,7 +4,6 @@
 // Only use one of ["low": true, "moderate": true, "high": true, "critical": true] "moderate": true, "allowlist": [ // NOTE: Please add as much information as possible to any items added to the allowList
- "GHSA-38c4-r59v-3vqw",
- "GHSA-2g4f-4pwh-qvx6" // ajv ReDoS with $data option - transitive via eslint, unfixable without eslint 10.x
+ "GHSA-2g4f-4pwh-qvx6" // ajv ReDoS - transitive via eslint 9's @eslint/eslintrc (uses ajv 6.x API, override to 8.x crashes eslint)
 ]
 }
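Review bot: The remaining allowlist entry `"GHSA-2g4f-4pwh-qvx6"` is a bare advisory ID, so it suppresses the ajv finding on every dependency path, not only the eslint one the comment justifies. audit-ci accepts path-scoped entries of the form `"GHSA-2g4f-4pwh-qvx6|<dependency path ending in ajv>"`; taking the exact path from the audit-ci report (presumably the one through `@eslint/eslintrc`, to be confirmed) would keep the gate active if ajv 6.x ever arrives through another dependency. The rewritten comment also drops two facts the old one carried, that the advisory concerns the `$data` option and that the entry can be removed once eslint 10.x is adopted, so I would keep them, e.g. `// ajv ReDoS ($data option) - via eslint 9's @eslint/eslintrc (ajv 6.x API); remove when on eslint 10.x`. If the audit-ci version in use supports allowlist records with `expiry` and `notes`, an expiry date would force that re-review instead of relying on someone rereading the comment.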