diff options
| -rw-r--r-- | desktop/osv-scanner.toml | 2 | ||||
| -rw-r--r-- | osv-scanner.toml | 3 |
2 files changed, 3 insertions, 2 deletions
diff --git a/desktop/osv-scanner.toml b/desktop/osv-scanner.toml index b44ff638b6..2109a3ba66 100644 --- a/desktop/osv-scanner.toml +++ b/desktop/osv-scanner.toml @@ -21,7 +21,7 @@ reason = "This is just a dev dependency, and we don't have untrusted input to mi # node-gettext: Prototype Pullution via the addTranslations function [[IgnoredVulns]] id = "CVE-2024-21528" # GHSA-g974-hxvm-x689 -ignoreUntil = 2025-10-17 +ignoreUntil = 2026-04-16 # The vulnerability is ignored for 6 months as the affected library is not receiving updates and we can not patch the vulnerability without migrating to another library, which is no minor feat. reason = "There is no fix yet and we don't send untrusted input to the first argument of addTranslations" # electron: Electron has ASAR Integrity Bypass via resource modification diff --git a/osv-scanner.toml b/osv-scanner.toml index 7df9f816d2..45da8629c2 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml @@ -20,7 +20,8 @@ # and `effectiveUntil` for `PackageOverrides` entries. # * The default should be to ignore a vulnerability for three months. # * A vulnerability can be ignored for up to a year at most (Use extremely sparsely). -# * If anything above three months is used, write a short comment about why this ignore is longer. +# * If anything above three months is used, write a short comment about why this ignore is longer, +# and add it as a comment after the `ignoreUntil` line for the entry. # # Every entry must have a `reason` field that explains why this vulnerability does not affect us, # and why we can't/decided not to change to an unaffected version. |
