From 3be25b787a3449a1aaa0d4b92598dec438ffff2c Mon Sep 17 00:00:00 2001 From: Kashif Jamil Date: Mon, 15 Jun 2026 15:17:13 +0530 Subject: [PATCH] feat: exclude CVE related to esbuild's Deno distribution for Node.js project Ticket: CECHO-1295 --- .iyarc | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.iyarc b/.iyarc index 6e388ef3ce..19ab0f6f42 100644 --- a/.iyarc +++ b/.iyarc @@ -75,3 +75,10 @@ GHSA-2w8x-224x-785m # - The xmp bypass produces live HTML markup in output, but since we discard all tags and use # the result as plain text in Error messages, there is no DOM rendering path and no XSS risk GHSA-rpr9-rxv7-x643 + +# Excluded because: +# - CVE affects esbuild's Deno distribution only: binary downloads without SHA-256 integrity verification +# - BitGoJS is a Node.js project; the Node.js esbuild distribution already includes binaryIntegrityCheck() +# - esbuild is a dev-time build tool (via babylonlabs-io-btc-staking-ts), not runtime production code +# - The attacker-controlled NPM_CONFIG_REGISTRY vector does not apply to our controlled CI environment +GHSA-gv7w-rqvm-qjhr
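Review bot: the new exclusion for GHSA-gv7w-rqvm-qjhr in `.iyarc` is open-ended; its justification rests on environmental claims (the Node.js esbuild distribution performing binaryIntegrityCheck(), a controlled CI registry) rather than on a fixed esbuild version, so nothing in the block tells a future reader when the entry can be removed. Suggest recording the affected esbuild range and a removal trigger alongside the bullets, e.g. `# - Revisit when babylonlabs-io-btc-staking-ts picks up an esbuild release that addresses this advisory`. Also, the "controlled CI environment" bullet only covers CI; dependency installs also run on developer workstations where NPM_CONFIG_REGISTRY could be set, so the comment should either state that this is accepted there as well or point to where the registry is pinned in project configuration.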