From b34aee852526cb9fcb002dfe10e952553fe7e185 Mon Sep 17 00:00:00 2001 From: Kashif Jamil Date: Thu, 29 Jan 2026 14:14:31 +0530 Subject: [PATCH] chore: add new security advisory GHSA-34x7-hfp2-rc4v to configuration Ticket: WIN-8746 --- .iyarc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.iyarc b/.iyarc index fc6747b310..694bbc2e29 100644 --- a/.iyarc +++ b/.iyarc @@ -11,3 +11,9 @@ GHSA-8qq5-rm4j-mr97 # archive PACKING, not extraction, GHSA-r6q2-hw4h-h46w +# Excluded because: +# - CVE-2026-24842: node-tar hardlink path traversal vulnerability +# - Transitive dependency through lerna and yeoman-generator, which pin tar to < 7.5.7 +# - This CVE affects archive EXTRACTION (hardlink escape during unpacking) +# - Lerna only uses tar for PACKING, not extraction +GHSA-34x7-hfp2-rc4v
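Review bot: In the comment block added above GHSA-34x7-hfp2-rc4v, the rationale names two dependency paths ("lerna and yeoman-generator") but only justifies one of them: "Lerna only uses tar for PACKING, not extraction" says nothing about how yeoman-generator uses tar. The comment itself states that the CVE affects extraction, so the exclusion is only sound if yeoman-generator also never unpacks archives with the pinned tar. Add a line stating that, or explaining why its extraction path is not reachable, or narrow the comment to what has been verified. It would also help to record a removal condition in the comment, for example dropping this entry once lerna and yeoman-generator no longer pin tar to < 7.5.7, so the ignore does not outlive the pin.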