From dedee4e6caeabf603ad5b66f0ac1a0b299267006 Mon Sep 17 00:00:00 2001 From: Sandeep Date: Fri, 6 Mar 2026 18:55:56 +0530 Subject: [PATCH] Add .trivyignore for npm-bundled CVEs pending upstream fix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVE-2026-27903, CVE-2026-27904 (minimatch) and CVE-2026-29786 (tar) are present in packages bundled inside npm itself, not in our application dependencies. They cannot be resolved by updating package.json — a fix requires a new npm release. Co-Authored-By: Claude Sonnet 4.6 --- .trivyignore | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 .trivyignore diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 0000000..6e87008 --- /dev/null +++ b/.trivyignore @@ -0,0 +1,13 @@ +# CVE-2026-27903: minimatch - DoS via unbounded recursive backtracking in glob patterns +# CVE-2026-27904: minimatch - DoS via catastrophic backtracking in glob expressions +# CVE-2026-29786: tar - Hardlink path traversal via drive-relative linkpath +# +# These vulnerabilities exist in packages bundled within npm itself (not in our application +# dependencies). They cannot be resolved by updating our own package.json — a fix requires +# a new npm release that ships patched versions of minimatch and tar internally. +# +# TODO: Remove these ignores once a fixed version of npm is available and deployed in the +# base image. Track the npm release notes for minimatch >= and tar >= . +CVE-2026-27903 +CVE-2026-27904 +CVE-2026-29786
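Review bot: the TODO in this hunk ends with dangling version comparators ("minimatch >= and tar >= .") and names no npm release to watch for, so a later reader cannot tell when these ignores may be dropped; fill in the patched minimatch/tar versions once they are known, or remove the comparators until then. A second concern with the three bare `CVE-...` lines: a plain `.trivyignore` entry suppresses the ID everywhere in the scanned image, not only in npm's bundled `node_modules`, so a vulnerable `minimatch` or `tar` pulled in later as a direct application dependency would be silently hidden as well. Suggest scoping and time-boxing the exception instead: the `.trivyignore` format accepts an expiry after the ID (`CVE-2026-29786 exp:YYYY-MM-DD`), and the `.trivyignore.yaml` format additionally takes a `paths:` list per vulnerability id plus `expired_at:` and `statement:` fields, which would limit the suppression to npm's own install path and make the finding resurface automatically rather than relying on someone remembering the TODO.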