fix(ci): suppress Next.js bundled tar/minimatch CVEs in trivy #431

Merged
jason.woltje merged 1 commits from fix/trivy-nextjs-cves into main 2026-02-21 20:40:18 +00:00

Summary

  • Add CVE-2026-26960 (tar) and CVE-2026-26996 (minimatch) to .trivyignore
  • These are pre-compiled inside next/dist/compiled/ and cannot be resolved via pnpm overrides
  • Requires upstream Next.js release with updated bundles

Context

Pipeline #518 (main after PR #429 merge) passed api and orchestrator but web failed at the trivy scan step. The Docker build succeeded but trivy found 2 new HIGH CVEs in Next.js bundled dependencies.

Closes #430

Test plan

  • CI pipeline passes (trivy scan should now ignore these CVEs)
  • Merge to main and verify all pipelines green
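Added example, not code from this PR or the project: a constructed `.trivyignore` carrying the two CVE ids from the summary with trivy's `exp:YYYY-MM-DD` suffix, plus a POSIX sh check that fails when a suppression has no expiry or has passed it, so the "requires upstream Next.js release" follow-up gets revisited instead of the ignore becoming permanent. The expiry date, comments and file path are assumptions for the example.

```shell
#!/bin/sh
# Constructed sample .trivyignore: the PR's two CVE ids, each with an
# "exp:" expiry (a real trivy .trivyignore feature) and a comment recording
# why it is suppressed. The expiry date is an assumption for this example.
write_sample_ignore() {
  cat > "$1" <<'EOF'
# tar, bundled in next/dist/compiled/ - needs upstream Next.js release
CVE-2026-26960 exp:2026-04-30
# minimatch, bundled in next/dist/compiled/ - needs upstream Next.js release
CVE-2026-26996 exp:2026-04-30
EOF
}

# check_ignore_expiry FILE TODAY
# Returns 1 if any CVE entry lacks an "exp:" date or TODAY (YYYY-MM-DD) is
# past it. Dates are compared as digits, so no GNU `date -d` is needed.
check_ignore_expiry() {
  file=$1; today=$(printf '%s' "$2" | tr -d -); rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac        # skip blanks and comments
    id=${line%% *}                                 # first token is the CVE id
    exp=$(printf '%s\n' "$line" | sed -n 's/.*exp:\([0-9-]*\).*/\1/p')
    if [ -z "$exp" ]; then
      echo "$id: no expiry, suppression would be permanent" >&2; rc=1
    elif [ "$(printf '%s' "$exp" | tr -d -)" -lt "$today" ]; then
      echo "$id: expired on $exp, re-check for an upstream fix" >&2; rc=1
    fi
  done < "$file"
  return $rc
}
```

Run it as a step before `trivy image` in the web pipeline so an expired entry fails the job even though trivy itself still honours the ignore.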
jason.woltje added 1 commit 2026-02-21 20:32:05 +00:00
Add CVE-2026-26960 (tar) and CVE-2026-26996 (minimatch) to .trivyignore.
These are embedded in next/dist/compiled/ and cannot be fixed via pnpm
overrides — requires upstream Next.js release with updated bundles.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jason.woltje force-pushed fix/trivy-nextjs-cves from 8fbb8a387e to 76c97b238c 2026-02-21 20:35:14 +00:00
jason.woltje merged commit d66451cf48 into main 2026-02-21 20:40:18 +00:00
jason.woltje deleted branch fix/trivy-nextjs-cves 2026-02-21 20:40:18 +00:00