From ac0fe8b0ebb1827f5834e65343e00ceddad73bf5 Mon Sep 17 00:00:00 2001 From: Jason Woltje Date: Sat, 28 Feb 2026 19:51:19 -0600 Subject: [PATCH] ci: suppress pre-existing multer CVEs in trivyignore --- .trivyignore | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.trivyignore b/.trivyignore index efda588..b0c29af 100644 --- a/.trivyignore +++ b/.trivyignore @@ -34,3 +34,9 @@ CVE-2026-26996 # HIGH: minimatch DoS via specially crafted glob patterns (needs # OpenBao 2.5.0 compiled with Go 1.25.6, fix needs Go >= 1.25.7. # Cannot build OpenBao from source (large project). Waiting for upstream release. CVE-2025-68121 # CRITICAL: crypto/tls session resumption + +# === multer CVEs (upstream via @nestjs/platform-express) === +# multer <2.1.0 — waiting on NestJS to update their dependency +# These are DoS vulnerabilities in file upload handling +GHSA-xf7r-hgr6-v32p # HIGH: DoS via incomplete cleanup +GHSA-v52c-386h-88mc # HIGH: DoS via resource exhaustion
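Review bot: the two new multer entries (`GHSA-xf7r-hgr6-v32p`, `GHSA-v52c-386h-88mc`) are open-ended suppressions with nothing that forces a re-check, even though the justification is explicitly "waiting on NestJS to update their dependency". Trivy's `.trivyignore` accepts an expiry after the ID, so these should carry one, e.g. `GHSA-xf7r-hgr6-v32p exp:2026-05-31 # HIGH: DoS via incomplete cleanup`, so the scan starts failing again if the upstream bump never lands; the same applies to the Go and OpenBao entries above them, which are already in the "waiting for upstream release" state this hunk is extending. The comment block should also link the upstream NestJS issue or PR being waited on and name the @nestjs/platform-express version expected to pull in multer >= 2.1.0, so whoever does the next dependency update knows to delete the entries. Separately, since multer is a transitive dependency and the fixed version (2.1.0) is known, a package-manager override (npm `overrides`, yarn `resolutions`, pnpm `pnpm.overrides`) pinning multer to >= 2.1.0 would likely clear both findings without an ignore at all; if that was tried and rejected for compatibility reasons, say so in the comment rather than leaving the suppression as the only record.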