Add .trivyignore for npm-bundled CVEs pending upstream fix

SandeepSamba · claude · SandeepSamba · commit dedee4e6caea · 2026-03-06T18:55:56.000+05:30
CVE-2026-27903, CVE-2026-27904 (minimatch) and CVE-2026-29786 (tar) are present in packages bundled inside npm itself, not in our application dependencies. They cannot be resolved by updating package.json — a fix requires a new npm release. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,13 @@
+# CVE-2026-27903: minimatch - DoS via unbounded recursive backtracking in glob patterns
+# CVE-2026-27904: minimatch - DoS via catastrophic backtracking in glob expressions
+# CVE-2026-29786: tar - Hardlink path traversal via drive-relative linkpath
+#
+# These vulnerabilities exist in packages bundled within npm itself (not in our application
+# dependencies). They cannot be resolved by updating our own package.json — a fix requires
+# a new npm release that ships patched versions of minimatch and tar internally.
+#
+# TODO: Remove these ignores once a fixed version of npm is available and deployed in the
+# base image. Track the npm release notes for minimatch >= <fixed-version> and tar >= <fixed-version>.
+CVE-2026-27903
+CVE-2026-27904
+CVE-2026-29786
