# osv-scanner ignore list. Each [[IgnoredVulns]] entry suppresses one advisory
# id from scan results. Only the entries that carry `ignoreUntil` expire; every
# other entry below is an open-ended suppression that the scanner will never
# resurface on its own, so it has to be re-checked by hand (e.g. whenever the
# lockfile or the transitive dependency tree changes). Keep `reason` specific
# enough to re-evaluate later: affected package, why no fix is available.

[[IgnoredVulns]]
id = "GHSA-ffrw-9mx8-89p8"
# NOTE(review): the reason names neither the affected package nor the basis
# for "low risk", and there is no `ignoreUntil`, so this is a permanent ignore
# that cannot be re-evaluated from this file alone — add the package and an
# expiry date.
reason = "There is no fix for this vulnerability and it's only low risk"

# axios, reached only through the wormhole-connect transitive tree.
# No expiry: re-check when wormhole-connect is bumped.
[[IgnoredVulns]]
id = "GHSA-43fc-jf86-j433"
reason = "axios vulnerability is in transitive deps (wormhole-connect); no direct fix available"

[[IgnoredVulns]]
id = "GHSA-4hjh-wcwx-xvwj"
reason = "axios vulnerability is in transitive deps (wormhole-connect); no direct fix available"

# No expiry: re-check whenever the dependency that pulls in bigint-buffer changes.
[[IgnoredVulns]]
id = "GHSA-3gc7-fjrx-p6mg"
reason = "bigint-buffer vulnerability is in transitive deps; no direct fix available"

# No expiry: re-check whenever the dependency that pulls in valibot changes.
[[IgnoredVulns]]
id = "GHSA-vqpr-j7v3-hqw9"
reason = "valibot ReDoS vulnerability is in transitive deps; no direct fix available"

# NOTE(review): "pre-existing" says when the finding appeared, not whether the
# affected feature is used or a fixed Next.js release exists; no expiry is set,
# so this stays suppressed across future Next.js upgrades unless removed by hand.
[[IgnoredVulns]]
id = "GHSA-5f7q-jpqc-wp7h"
reason = "Next.js PPR vulnerability; pre-existing, not related to bridge changes"

# Time-boxed: the ignore stops applying after `ignoreUntil`, at which point the
# scanner reports the advisory again and the major-version upgrade must be
# re-evaluated.
[[IgnoredVulns]]
id = "GHSA-2g4f-4pwh-qvx6"
ignoreUntil = 2026-04-19
reason = "ajv 6.12.6 — fix only in 8.18.0 (major version jump); no 6.x patch available"

# No expiry and no statement of whether the looping code path is reachable here.
[[IgnoredVulns]]
id = "GHSA-378v-28hj-76wf"
reason = "bn.js infinite loop in transitive deps; pre-existing"

# Time-boxed: resurfaces after `ignoreUntil` so the upstream status gets re-checked.
[[IgnoredVulns]]
id = "GHSA-848j-6mx2-7j84"
ignoreUntil = 2026-04-19
reason = "elliptic 6.6.1 — no patched version released by maintainer"

# Three advisories for the same minimatch ReDoS family; all three share one
# justification and none has an expiry, so they should be reviewed together
# when the dependency that pulls in minimatch is bumped.
[[IgnoredVulns]]
id = "GHSA-23c5-xmqv-rm74"
reason = "minimatch ReDoS in transitive deps; pre-existing"

[[IgnoredVulns]]
id = "GHSA-3ppc-4f35-3m26"
reason = "minimatch ReDoS in transitive deps; pre-existing"

[[IgnoredVulns]]
id = "GHSA-7r86-cg39-jmmj"
reason = "minimatch ReDoS in transitive deps; pre-existing"

[[IgnoredVulns]]
id = "GHSA-xxjr-mmjv-4gpg"
# Prototype Pollution vulnerability in lodash _.unset and _.omit functions
# lodash 4.17.21 is the latest version and is a transitive dependency of @metamask/utils
# TODO: Remove this ignore once lodash releases a patched version
# Style: this `ignoreUntil` is an offset date-time while the other two entries
# use a local date; both parse, but one form should be used file-wide.
ignoreUntil = 2026-02-22T00:00:00Z
reason = "No fix available - lodash 4.17.21 is the latest version. Transitive dependency from @metamask/utils."

# NOTE(review): "no fix available yet" implies this is expected to be fixed
# upstream, but no `ignoreUntil` is set, so nothing will prompt a re-check once
# a patched Next.js ships — add an expiry date.
[[IgnoredVulns]]
id = "GHSA-3x4c-7xq6-9pq8"
reason = "Next.js unbounded image cache growth; 15.5.13 is latest stable, no fix available yet"