From 6f15a3e87dbda2e8745b84ab5298e326e9408b41 Mon Sep 17 00:00:00 2001 From: Yashvanth B L Date: Tue, 3 Mar 2026 00:26:24 +0530 Subject: [PATCH] chore: add GHSA-5c6j-r48x-rmvq to .iyarc exclusions Ticket: CGARD-518 --- .iyarc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.iyarc b/.iyarc index 29f6298cb4..73d9afe3ae 100644 --- a/.iyarc +++ b/.iyarc @@ -43,3 +43,9 @@ GHSA-7r86-cg39-jmmj # - Only affects dev-time tooling, not production code # - Mitigated by controlled inputs (our own build scripts, not user-provided patterns) GHSA-23c5-xmqv-rm74 + +# Excluded because: +# - Transitive devDependency through mocha, terser-webpack-plugin, copy-webpack-plugin +# - serialize-javascript RCE via malicious RegExp.flags and Date.prototype.toISOString() +# - Only affects dev-time tooling, not production code +GHSA-5c6j-r48x-rmvq
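Review bot: The new comment block for GHSA-5c6j-r48x-rmvq has no mitigation line, although the entry directly above it (GHSA-23c5-xmqv-rm74) carries "Mitigated by controlled inputs (our own build scripts, not user-provided patterns)". For an advisory the comment itself describes as RCE, "Only affects dev-time tooling, not production code" does not say why developer machines and CI runners are safe. Add a line stating what data reaches serialize-javascript through mocha, terser-webpack-plugin and copy-webpack-plugin (for example, only objects built by our own build and test configuration). Also add a removal condition, such as dropping the exclusion once those three parents resolve to a fixed serialize-javascript, and reference CGARD-518 in the comment so the exclusion does not become permanent by default.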