summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
-rw-r--r--desktop/osv-scanner.toml2
-rw-r--r--osv-scanner.toml3
2 files changed, 3 insertions, 2 deletions
diff --git a/desktop/osv-scanner.toml b/desktop/osv-scanner.toml
index b44ff638b6..2109a3ba66 100644
--- a/desktop/osv-scanner.toml
+++ b/desktop/osv-scanner.toml
@@ -21,7 +21,7 @@ reason = "This is just a dev dependency, and we don't have untrusted input to mi
# node-gettext: Prototype Pullution via the addTranslations function
[[IgnoredVulns]]
id = "CVE-2024-21528" # GHSA-g974-hxvm-x689
-ignoreUntil = 2025-10-17
+ignoreUntil = 2026-04-16 # The vulnerability is ignored for 6 months as the affected library is not receiving updates and we can not patch the vulnerability without migrating to another library, which is no minor feat.
reason = "There is no fix yet and we don't send untrusted input to the first argument of addTranslations"
# electron: Electron has ASAR Integrity Bypass via resource modification
diff --git a/osv-scanner.toml b/osv-scanner.toml
index 7df9f816d2..45da8629c2 100644
--- a/osv-scanner.toml
+++ b/osv-scanner.toml
@@ -20,7 +20,8 @@
# and `effectiveUntil` for `PackageOverrides` entries.
# * The default should be to ignore a vulnerability for three months.
# * A vulnerability can be ignored for up to a year at most (Use extremely sparsely).
-# * If anything above three months is used, write a short comment about why this ignore is longer.
+# * If anything above three months is used, write a short comment about why this ignore is longer,
+# and add it as a comment after the `ignoreUntil` line for the entry.
#
# Every entry must have a `reason` field that explains why this vulnerability does not affect us,
# and why we can't/decided not to change to an unaffected version.