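# osv-scanner suppression list. Every entry carries an expiry (effectiveUntil / ignoreUntil)
# so that a suppression cannot outlive the decision behind it: once the date passes the
# finding reappears in the scan and has to be re-assessed rather than silently staying hidden.

# The whole rexml package is ignored because there is a constant stream of newly reported
# regular-expression (ReDoS) advisories against it. All of them require the parsed XML to be
# attacker-controlled; we only use rexml in our trusted build environment with trusted inputs.
[[PackageOverrides]]
name = "rexml"
# Scope the override to the RubyGems package so that a same-named package from another
# ecosystem (e.g. a future npm or PyPI lockfile in this repo) does not inherit the exemption.
ecosystem = "RubyGems"
ignore = true
effectiveUntil = 2026-05-01 # Re-evaluated every 6 months; the override lapses after this date.
reason = "The XML payload is generated by Apple tooling which we trust"

# Fastlane uses faraday to send HTTP requests. faraday has a URL-parsing vulnerability that
# lets a crafted URL path change the authority of a given URI, so feeding user-supplied
# strings into the URL path would be unsafe. Fastlane does not do that for the endpoints we use.
[[IgnoredVulns]]
id = "CVE-2026-25765" # GHSA-33mh-2634-fwr2
ignoreUntil = 2026-09-19
reason = "The faraday vulnerability is safe to ignore because fastlane will not accept any user input for the app store URLs"

# A format-string injection vulnerability that can lead to denial of service or information
# disclosure, but only when the "allow_duplicate_key: false" parsing option is used to parse
# user-supplied documents. That option is opt-in and we never enable it.
[[IgnoredVulns]]
id = "CVE-2026-33210" # GHSA-3m6g-2423-7cp3
ignoreUntil = 2026-09-19
reason = "This option isn't the default, and since we don't opt-in to use it, we are not impacted."

# Addressable has a Regular Expression Denial of Service in Addressable templates. Exploiting
# it requires attacker-controlled URI template input, which we do not pass to fastlane.
# Drop this entry once Fastlane ships with an updated Addressable.
[[IgnoredVulns]]
id = "CVE-2026-35611" # GHSA-h27x-rffw-24p4
ignoreUntil = 2026-10-15
reason = "We do not supply any URI:s to fastlane, so we're not affected. Once Fastlane has updated Addressable we can update Fastlane and get rid of this ignore."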