From 76e9803c939b03ef196e008da4bb4d647a64a9db Mon Sep 17 00:00:00 2001
From: "privilegedescalation-engineer[bot]"
 <269729446+privilegedescalation-engineer[bot]@users.noreply.github.com>
Date: Tue, 12 May 2026 22:22:44 +0000
Subject: [PATCH] chore(ci): add audit-ci allowlist for inherited
 @kinvolk/headlamp-plugin CVEs (PRI-855)

QA reviewed and approved. Adds audit-ci.jsonc with 3 CVE allowlist entries for dev-only dependencies.
---
 audit-ci.jsonc | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 audit-ci.jsonc

diff --git a/audit-ci.jsonc b/audit-ci.jsonc
new file mode 100644
index 0000000..c5cd425
--- /dev/null
+++ b/audit-ci.jsonc
@@ -0,0 +1,20 @@
+{
+  // Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
+  // CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
+  // trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
+  // and do NOT ship in production plugin artifacts.
+  "allowlist": [
+    {
+      "id": "GHSA-hhpm-516h-p3p6",
+      "reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
+    },
+    {
+      "id": "GHSA-36xf-7xpp-53w5",
+      "reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
+    },
+    {
+      "id": "GHSA-jf8v-p3pp-93qh",
+      "reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
+    }
+  ]
+}