diff --git a/.iyarc b/.iyarc
index 6e388ef3ce..19ab0f6f42 100644
--- a/.iyarc
+++ b/.iyarc
@@ -75,3 +75,10 @@ GHSA-2w8x-224x-785m
 # - The xmp bypass produces live HTML markup in output, but since we discard all tags and use
 # the result as plain text in Error messages, there is no DOM rendering path and no XSS risk
 GHSA-rpr9-rxv7-x643
+
+# Excluded because:
+# - CVE affects esbuild's Deno distribution only: binary downloads without SHA-256 integrity verification
+# - BitGoJS is a Node.js project; the Node.js esbuild distribution already includes binaryIntegrityCheck()
+# - esbuild is a dev-time build tool (via babylonlabs-io-btc-staking-ts), not runtime production code
+# - The attacker-controlled NPM_CONFIG_REGISTRY vector does not apply to our controlled CI environment
+GHSA-gv7w-rqvm-qjhr
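Review bot: The fourth bullet of the new GHSA-gv7w-rqvm-qjhr exclusion argues only from the controlled CI environment, but the same install presumably also runs on developer machines, where the registry setting is not under CI control. The exclusion really rests on the first two bullets (Deno-only, and the Node.js distribution already verifies the binary), and the comment should say so. "Dev-time build tool" is also a weak reason on its own for a supply-chain advisory, since build tooling usually runs with the repository's CI and publishing credentials. The entry has no revisit condition, so it will keep suppressing the advisory even if its scope or the dependency tree changes; consider adding a line such as `# - Revisit when esbuild is upgraded or the advisory is revised (reviewed: <DATE>, esbuild <VERSION>)`.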