chore(ci): ignore GHSA-848j-6mx2-7j84 with better-npm-audit (#292)

Artmann · web-flow · commit 0eea12a0c435 · 2026-01-13T10:42:56.000+01:00
Add better-npm-audit for fine-grained CVE exceptions in npm audit. Ignore GHSA-848j-6mx2-7j84 (elliptic, CVSS 2.9) - dev dependency only with no attack vector and no fix available. The vulnerability allows deriving secret keys if an attacker obtains both a faulty AND correct ECDSA signature for identical inputs (CVSS: 2.9 Low). **No attack vector exists** for this extension because: - Extension doesn't perform ECDSA signing operations - `elliptic` is a transitive dependency of browser polyfills (`node-stdlib-browser → crypto-browserify`) - No cryptographic signing functionality is exposed - No patched version is available
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -233,4 +233,5 @@ jobs:
         run: npm ci --prefer-offline --no-audit
 
       - name: Run audit for all dependencies
-        run: npm audit
+        # Uses better-npm-audit with .nsprc exceptions file
+        run: npx better-npm-audit audit
diff --git a/.nsprc b/.nsprc
@@ -0,0 +1,6 @@
+{
+    "GHSA-848j-6mx2-7j84": {
+        "notes": "CVE-2025-14505: elliptic ECDSA signature corruption can lead to private key recovery if attacker obtains both faulty and correct signatures for identical inputs. Accepted risk: dev-only transitive dependency (node-stdlib-browser -> crypto-browserify -> browserify-sign), not used for signing in this project, no fix available.",
+        "expiry": "2026-04-08"
+    }
+}
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -2751,6 +2751,7 @@
         "acorn": "^8.9.0",
         "autoprefixer": "^10.4.21",
         "bare-events": "^2.8.1",
+        "better-npm-audit": "^3.11.0",
         "buffer": "^6.0.3",
         "bufferutil": "^4.0.6",
         "chai": "^4.3.10",
