chore: ignore CVE-2026-41305 (postcss build-time XSS) in Trivy

[brendan-kellam]

Fixes SOU-995

Suppresses CVE-2026-41305 (PostCSS XSS via unescaped </style> in CSS stringify output) via a root .trivyignore, auto-detected by Trivy in the vulnerability-triage workflow.

postcss is a build-time-only dependency (Tailwind/Next CSS tooling); we never stringify untrusted CSS ASTs at runtime, so the vulnerability is not exploitable in Sourcebot.

This supersedes #1285, which fixed the same CVE by forcing postcss past next@16.2.6's pin of 8.4.31 via a qualified resolutions override. Ignoring avoids overriding Next's pinned transitive dependency.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Added security detection exception for a development-time dependency vulnerability.

[github-actions]

@brendan-kellam your pull request is missing a changelog!

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6ac03a6b-4cc2-4b9f-a47c-af4d2288aba0

📥 Commits

Reviewing files that changed from the base of the PR and between 07a5bb1 and 0464d1e.

📒 Files selected for processing (1)

• .trivyignore

---

Walkthrough

This PR adds a .trivyignore configuration entry to suppress Trivy detection of CVE-2026-41305, a PostCSS-related XSS vulnerability. The suppression includes documented comments explaining the vulnerability scenario and clarifying that the affected dependency is build-time-only.

Changes

Security Configuration - CVE Suppression

Layer / File(s)	Summary
Trivy CVE-2026-41305 Suppression .trivyignore	.trivyignore entry suppresses CVE-2026-41305 detection with comments documenting the PostCSS XSS context and clarifying the dependency is build-time-only.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: adding a Trivy ignore entry for a PostCSS-related CVE with build-time-only context.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cursor/cve/postcss-trivyignore

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}