
Feature request: Support ignoring of GHSAs #6838

@krichards

Description


Background

Some audit issues are generated from GitHub Security Advisories (GHSAs). We should be able to ignore these in the same way that pnpm supports ignoring of CVEs. So either

  • add a new feature ignoreVulnerabilities which can replace the existing ignoreCVEs and cover CVEs, GHSAs and future sources
  • support ignoring of GHSAs in the existing ignoreCves configuration

Discussed in https://github.com/orgs/pnpm/discussions/6204

Originally posted by kamsar March 10, 2023
The https://pnpm.io/package_json#pnpmauditconfigignorecves specifically targets CVEs to ignore in pnpm audit.

Some vulnerabilities, such as GHSA-36jr-mh4h-2g58, show up in pnpm audit but have no assigned CVE. I've tried using the GHSA but that does not seem to match.
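As an added example (not code from the issue author or from pnpm itself), here is a post-filter over `pnpm audit --json` output that drops advisories by CVE or GHSA id, i.e. the behaviour the request above asks for, done outside pnpm until the config supports it. It assumes the report follows the npm-v6 style audit JSON that pnpm emits, where `advisories` is an object keyed by advisory id and each entry carries a `cves` array, a `github_advisory_id` and a `url` ending in the GHSA id; the sample report is constructed, not real output.

```javascript
// Added example, not part of the pnpm issue or the pnpm code base.
// Assumed report shape: { advisories: { "<id>": { cves: [...],
//   github_advisory_id: "GHSA-...", url: ".../GHSA-...", ... } } }

// Collect every identifier an advisory is known by: its CVEs and its GHSA.
// The GHSA is taken from `github_advisory_id` and, as a fallback, from the
// trailing segment of `url`, since some feeds only populate one of the two.
function advisoryIds(advisory) {
  const ids = new Set(advisory.cves || []);
  if (advisory.github_advisory_id) ids.add(advisory.github_advisory_id);
  const m = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}$/i.exec(advisory.url || "");
  if (m) ids.add(m[0]);
  return [...ids].map((id) => id.toUpperCase());
}

// Return only the advisories whose identifiers are not in the ignore list.
// Matching is case-insensitive so "ghsa-..." and "GHSA-..." behave the same.
function filterAdvisories(report, ignoreList) {
  const ignored = new Set(ignoreList.map((id) => id.toUpperCase()));
  const kept = {};
  for (const [key, adv] of Object.entries(report.advisories || {})) {
    if (!advisoryIds(adv).some((id) => ignored.has(id))) kept[key] = adv;
  }
  return kept;
}

// Constructed sample report (not real pnpm output). The first advisory has
// no CVE, only the GHSA quoted in the issue; the second has a placeholder CVE.
const sampleReport = {
  advisories: {
    "1001": { id: 1001, module_name: "example-pkg-a", severity: "moderate",
              cves: [], github_advisory_id: "GHSA-36jr-mh4h-2g58",
              url: "https://github.com/advisories/GHSA-36jr-mh4h-2g58" },
    "1002": { id: 1002, module_name: "example-pkg-b", severity: "high",
              cves: ["CVE-0000-00000"], github_advisory_id: "GHSA-xxxx-yyyy-zzzz",
              url: "https://github.com/advisories/GHSA-xxxx-yyyy-zzzz" },
  },
};

// Ignoring the GHSA-only advisory leaves just the CVE-bearing one.
const remaining = filterAdvisories(sampleReport, ["GHSA-36jr-mh4h-2g58"]);
console.log("remaining advisories:", Object.keys(remaining)); // [ '1002' ]
```

In a pipeline, pipe `pnpm audit --json` into this filter and fail the job only when the filtered object is non-empty.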
