From 0522b1ce72b288fc573359314908cc604a6884bf Mon Sep 17 00:00:00 2001
From: Christophe Deveaux
Date: Thu, 24 Oct 2024 14:27:13 +0200
Subject: [PATCH] ci: update audit-ci.jsonc (#218)

---
 audit-ci.jsonc | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/audit-ci.jsonc b/audit-ci.jsonc
index 68a5b08a..fdf03b17 100644
--- a/audit-ci.jsonc
+++ b/audit-ci.jsonc
@@ -76,10 +76,21 @@
     // vite is not used in production
     // from: vitest > vite
     "GHSA-9cwx-2883-4wfx",
+    // https://github.com/advisories/GHSA-584q-6j8j-r5pm
+    // secp256k1-node allows private key extraction over ECDH
+    // We're using eliptic 5.0.7 which doesn't contain the issue
+    // https://github.com/cryptocoinjs/secp256k1-node/commit/dc37f41f2abfe87853b54bcd7d1b556db41b0c64#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519R35
+    // from: @arbitrum/token-bridge-contracts > @openzeppelin/upgrades-core > ethereumjs-util > ethereum-cryptography
+    "GHSA-584q-6j8j-r5pm",
+    // https://github.com/advisories/GHSA-fc9h-whq2-v747
+    // Valid ECDSA signatures erroneously rejected in Elliptic
+    // from: @arbitrum/token-bridge-contracts > @openzeppelin/upgrades-core > ethereumjs-util > ethereum-cryptography > secp256k1
+    // from: ethers > @ethersproject/signing-key
+    "GHSA-fc9h-whq2-v747",
     // https://github.com/advisories/GHSA-gcx4-mw62-g8wm
     // DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
-    // vite is not used in production
-    // from: vitest > vite
+    // rollup is not used in production
+    // from vite > rollup
     "GHSA-gcx4-mw62-g8wm"
   ]
 }
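Review bot: The justification written for the new GHSA-584q-6j8j-r5pm allowlist entry names a different package than the advisory covers — the advisory title and the linked fix commit both concern secp256k1-node, yet the comment says "We're using eliptic 5.0.7 which doesn't contain the issue", so a reader cannot tell which resolved package version was actually checked or when the entry should be revisited. The comment should name the secp256k1 package version resolved in the lockfile and the version that carries the linked fix, e.g. `// secp256k1 <RESOLVED_VERSION from lockfile> already includes the fix linked below; re-check when the lockfile changes`. The GHSA-fc9h-whq2-v747 entry carries only the two dependency paths and no reason the advisory is not applicable here, unlike its sibling entries; a one-line rationale in the same form as the others (`// <why the affected ECDSA verification path is not reachable here>`) is needed for the allowlisting to be auditable. Minor: "eliptic" is misspelled, and `// from vite > rollup` drops the colon every other entry uses (`// from: vite > rollup`). The enclosing allowlist array begins before the hunk.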