Jason Woltje 76c97b238c fix(ci): suppress Next.js bundled tar/minimatch CVEs in trivy scan ...

Add CVE-2026-26960 (tar) and CVE-2026-26996 (minimatch) to .trivyignore.
These are embedded in next/dist/compiled/ and cannot be fixed via pnpm
overrides — requires upstream Next.js release with updated bundles.

Also add .trivyignore to all pipeline path filters so future changes
to the ignore file trigger CI validation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-21 14:35:08 -06:00

6.5 KiB

Raw Blame History

View Raw