Background
Some audit issues are generated from GitHub Security Advisories (GHSAs). We should be able to ignore these in the same way that pnpm supports ignoring of CVEs. So either
- add a new feature `ignoreVulnerabilities` which can replace the existing `ignoreCVEs` and cover CVEs, GHSAs and future sources
- support ignoring of GHSAs in the existing `ignoreCves` configuration
Discussed in https://github.com/orgs/pnpm/discussions/6204
Originally posted by kamsar March 10, 2023
The https://pnpm.io/package_json#pnpmauditconfigignorecves specifically targets CVEs to ignore in `pnpm audit`. Some vulnerabilities, such as GHSA-36jr-mh4h-2g58, show up in `pnpm audit` but have no assigned CVE. I've tried using the GHSA but that does not seem to match.
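The matching behaviour requested above, sketched as an added example that is not pnpm's code or part of the original post: one ignore list that accepts both CVE and GHSA identifiers and is applied to an audit report. The function names, the report shape (advisories carrying `github_advisory_id` and `cves`) and every sample value except the GHSA quoted in the post are assumptions.

```javascript
// Added example, not pnpm code. Assumed report shape: `advisories` keyed by
// id, each entry carrying `github_advisory_id` and a `cves` array.
const ID_PATTERN = /^(CVE-\d{4}-\d{4,}|GHSA(-[0-9a-z]{4}){3})$/i;

// Constructed sample: entry 1 has only a GHSA (the case from the post),
// entry 2 uses placeholder identifiers.
const SAMPLE_REPORT = {
  advisories: {
    1: { module_name: "example-pkg-a", severity: "high",
         github_advisory_id: "GHSA-36jr-mh4h-2g58", cves: [] },
    2: { module_name: "example-pkg-b", severity: "moderate",
         github_advisory_id: "GHSA-0000-0000-0000", cves: ["CVE-0000-00000"] },
  },
};

// Validate and case-normalize the ignore list so a typo fails loudly
// instead of silently ignoring nothing.
function normalizeIgnoreList(ids) {
  return new Set(ids.map((raw) => {
    const id = String(raw).trim();
    if (!ID_PATTERN.test(id)) throw new Error(`not a CVE or GHSA id: ${raw}`);
    return id.toUpperCase();
  }));
}

// Every identifier an advisory can be matched by, CVE or GHSA.
function advisoryIds(advisory) {
  const ids = [...(advisory.cves || [])];
  if (advisory.github_advisory_id) ids.push(advisory.github_advisory_id);
  return ids.map((id) => id.toUpperCase());
}

// Split a report into kept and ignored advisories, and list ignore entries
// that matched nothing so stale exceptions can be removed.
function filterAdvisories(report, ignoreIds) {
  const ignore = normalizeIgnoreList(ignoreIds);
  const kept = {};
  const ignored = [];
  for (const [key, adv] of Object.entries(report.advisories || {})) {
    const matched = advisoryIds(adv).find((id) => ignore.has(id));
    if (matched) ignored.push({ key, module: adv.module_name, matched });
    else kept[key] = adv;
  }
  const used = new Set(ignored.map((entry) => entry.matched));
  return { kept, ignored, unused: [...ignore].filter((id) => !used.has(id)) };
}
```

Failing the build when `unused` is non-empty keeps the exception list from outliving the advisories it was written for.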