From 2aba69fec0e56b630b770748ead344afc072c9fd Mon Sep 17 00:00:00 2001 From: Manoj Kumar Date: Wed, 11 Mar 2026 23:10:23 +0530 Subject: [PATCH] chore(root): add .iyarc exclusion for tar GHSA-9ppj-qmqm-q256 Security-approved exception. CECHO-375. Same risk profile as existing tar exclusions: CVE affects archive extraction (unpacking malicious archives); we only use tar for packing. Unblocks bitgo-beta release. --- .iyarc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.iyarc b/.iyarc index c9ba2bf4ca..a8362f7a33 100644 --- a/.iyarc +++ b/.iyarc @@ -56,3 +56,9 @@ GHSA-5c6j-r48x-rmvq # - Our usage is limited to archive PACKING operations only, not extraction # - Forcing tar v7.5.7+ breaks lerna's packDirectory API (same constraint as GHSA-8qq5-rm4j-mr97) GHSA-qffp-2rhf-9h96 + +# Excluded because: +# - Same risk profile as existing tar exclusions: CVE affects archive extraction (unpacking malicious archives) +# - We only use tar for packing; low risk in terms of exploitability +# - Security exception approved +GHSA-9ppj-qmqm-q256
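Review bot: The new comment block for GHSA-9ppj-qmqm-q256 in .iyarc records "Security exception approved" without the ticket id, so the approval cannot be traced from the file itself; add CECHO-375 (cited in the commit message) to that line. The entry also leans on "Same risk profile as existing tar exclusions" instead of stating its own constraint. The preceding entry for GHSA-qffp-2rhf-9h96 says that forcing tar v7.5.7+ breaks lerna's packDirectory API, and the new entry should say whether the same upgrade blocker applies here, otherwise its justification disappears if the older entries are ever removed. A review date or removal condition in the comment would also help, so the exclusion is revisited once the blocker is gone and the packing-only claim is re-checked when the dependency that pulls in tar changes.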