fix(ci): suppress Next.js bundled tar/minimatch CVEs in trivy #431

Merged

jason.woltje merged 1 commits from fix/trivy-nextjs-cves into main

2026-02-21 20:40:18 +00:00

Author	SHA1	Message	Date
Jason Woltje	76c97b238c	fix(ci): suppress Next.js bundled tar/minimatch CVEs in trivy scan All checks were successful ci/woodpecker/push/orchestrator Pipeline was successful Details ci/woodpecker/push/web Pipeline was successful Details ci/woodpecker/push/api Pipeline was successful Details Add CVE-2026-26960 (tar) and CVE-2026-26996 (minimatch) to .trivyignore. These are embedded in next/dist/compiled/ and cannot be fixed via pnpm overrides — requires upstream Next.js release with updated bundles. Also add .trivyignore to all pipeline path filters so future changes to the ignore file trigger CI validation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-21 14:35:08 -06:00

Author

SHA1

Message

Date

Jason Woltje

76c97b238c

fix(ci): suppress Next.js bundled tar/minimatch CVEs in trivy scan

ci/woodpecker/push/orchestrator Pipeline was successful

Details

ci/woodpecker/push/web Pipeline was successful

Details

ci/woodpecker/push/api Pipeline was successful

Details

Add CVE-2026-26960 (tar) and CVE-2026-26996 (minimatch) to .trivyignore.
These are embedded in next/dist/compiled/ and cannot be fixed via pnpm
overrides — requires upstream Next.js release with updated bundles.

Also add .trivyignore to all pipeline path filters so future changes
to the ignore file trigger CI validation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-21 14:35:08 -06:00

fix(ci): suppress Next.js bundled tar/minimatch CVEs in trivy #431

1 Commits