doc: Explain reasoning behind adding an entry into allowlist

d3xter666 · d3xter666 · commit bdd2d85255e9 · 2025-12-01T10:40:15.000+02:00
diff --git a/audit-ci.jsonc b/audit-ci.jsonc
@@ -3,8 +3,14 @@
     "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
     "low": true,
     "allowlist": [
-        // Transitive dependency in vitepress (dev-only, documentation tool).
-        // Cannot be fixed until upstream vite updates esbuild. Excluded to avoid scan noise.
+        // GHSA-67mh-4wv8-2f99: esbuild CORS vulnerability in VitePress dev server
+        // Allows malicious websites to read localhost files while dev server runs.
+        // We use dev server only in local development and we do a build (which is not affected)
+        // when deploying. The issue is solved with esbuild v0.25.x that is a dependency of VitePress 2 alpha.
+        // There seems to be no plans for updating VitePress 1.x to use a fixed esbuild version and also
+        // there's still no stable VitePress 2 release, so we allowlist this issue for now.
+        // TODO: Update to VitePress 2 once stable and remove this allowlist entry.
+        // Update to VitePress 2 alpha is feasible without an impact of the build output.
         "GHSA-67mh-4wv8-2f99|vitepress>vite>esbuild"
     ]
 }
