From 4f6c7cd00e2e99733df09f9975a77bce5605111c Mon Sep 17 00:00:00 2001 From: Doddanna17 Date: Thu, 7 May 2026 04:22:47 +0530 Subject: [PATCH] fix: exclude GHSA-rpmf-866q-6p89 from yarn audit to unblock publish DoS via unbounded multiline FTP control response buffering in basic-ftp. Same transitive chain as the already-excluded GHSA-rp42-5vxx-qpwr: pac-proxy-agent > get-uri > basic-ftp, used only for PAC proxy resolution. All 5 yarn audit findings are the same advisory across different dep paths. Ticket: SI-512 --- .iyarc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.iyarc b/.iyarc index 1291fb74df..7ffe1bb15e 100644 --- a/.iyarc +++ b/.iyarc @@ -87,3 +87,15 @@ GHSA-xq3m-2v4x-88gg # project are controlled internal endpoints, not user-supplied FTP URLs # - Pinned at 5.2.2 in root resolutions; upstream get-uri has not yet updated to require 5.3.0 GHSA-rp42-5vxx-qpwr + +# Excluded because: +# - DoS via unbounded multiline control response buffering in basic-ftp (severity: high, CVSS 7.5) +# - A malicious FTP server can send an unterminated multiline response during the banner phase +# (before auth), causing the client to buffer unbounded data into FtpContext._partialResponse +# - Same transitive chain as GHSA-rp42-5vxx-qpwr: pac-proxy-agent > get-uri > basic-ftp +# - Used only for PAC-based proxy URL resolution, not for any direct FTP operations +# - Exploitation requires connecting to a malicious FTP server; all proxy targets in this +# project are controlled internal endpoints, not user-supplied FTP URLs +# - No compatible patched version available in the current get-uri dependency chain +# - Ticket: SI-512 +GHSA-rpmf-866q-6p89
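Review bot: the new `.iyarc` entry records no removal condition, unlike the entry above it, which states the pinned version ("Pinned at 5.2.2 in root resolutions") and the version upstream must adopt before the exclusion can go. "No compatible patched version available in the current get-uri dependency chain" leaves the next reader unable to tell when the exclusion is stale; add a line naming the basic-ftp version currently resolved and the patched version (or "none published yet, re-check on next get-uri bump") so the audit-exclusion list stays self-auditing. The justification "all proxy targets in this project are controlled internal endpoints, not user-supplied FTP URLs" also argues about proxy targets, but the `get-uri > basic-ftp` path is exercised when the PAC file URL itself is an `ftp://` URL; one line stating where the PAC URL comes from (a fixed config value rather than request input) would make the exclusion hold on its own terms. Finally, since the commit message says all 5 findings are the same advisory across different dependency paths, it would help to note that in the entry as well, so a future reader does not expect one exclusion per path.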