From 0c8d59e560fd888d16aa46472053adcc26a7caa1 Mon Sep 17 00:00:00 2001 From: Yashvanth B L Date: Sat, 21 Feb 2026 10:06:22 +0530 Subject: [PATCH] chore: add minimatch CVE-2026-26996 to audit exclusions Ticket: CGARD-397 --- .iyarc | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.iyarc b/.iyarc index 4df71dbaba..4178a97063 100644 --- a/.iyarc +++ b/.iyarc @@ -17,3 +17,10 @@ GHSA-r6q2-hw4h-h46w # - Our usage is limited to archive PACKING operations only, not extraction GHSA-34x7-hfp2-rc4v +# Excluded because: +# - Transitive dependency through lerna, depcheck, glob, mocha, yeoman-generator +# - minimatch 10.x introduces breaking API changes incompatible with lerna v9.0.0 +# - This CVE (ReDoS in minimatch <10.2.1) affects glob pattern matching with repeated wildcards +# - Our usage is dev-time tooling only (build, test, file search) +# - Mitigated by controlled inputs (our own build scripts, not user-provided patterns) +GHSA-3ppc-4f35-3m26
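Review bot: the exclusion block added above GHSA-3ppc-4f35-3m26 states no removal condition or revisit date, so it will stay in .iyarc after the constraint that justifies it is gone. The rationale rests on minimatch 10.x being incompatible with lerna v9.0.0; add a bullet saying so explicitly (for example "# - Remove once lerna supports minimatch >=10.2.1") or reference a follow-up ticket, so the entry is dropped when the upgrade becomes possible. The comment also says "This CVE" without naming it: the commit subject gives CVE-2026-26996, but the file carries only the GHSA id, so put the CVE id in the comment to keep the entry searchable. The "controlled inputs" bullet is the claim the whole exclusion depends on, and it would be easier to audit if it named where the glob patterns come from for each listed consumer (lerna, depcheck, glob, mocha, yeoman-generator) rather than asserting it for all of them at once.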