From 0464d1e0cab0afae296debb3db3c942769c19f42 Mon Sep 17 00:00:00 2001 From: Brendan Kellam Date: Mon, 8 Jun 2026 16:49:49 -0700 Subject: [PATCH] chore: ignore CVE-2026-41305 (postcss build-time XSS) in Trivy postcss is a build-time-only dependency; we do not stringify untrusted CSS ASTs at runtime, so the stringify XSS is not exploitable. Co-Authored-By: Claude Opus 4.8 (1M context) --- .trivyignore | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .trivyignore diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 000000000..4bb4c0de6 --- /dev/null +++ b/.trivyignore @@ -0,0 +1,10 @@ +# Trivy vulnerability ignore file +# Docs: https://trivy.dev/latest/docs/configuration/filtering/#by-finding-ids +# Auto-detected by Trivy in the repo root (see trivy.yaml / .github/workflows/vulnerability-triage.yml). +# Each entry should note why it is suppressed. + +# CVE-2026-41305 — PostCSS XSS via unescaped in CSS stringify output. +# postcss is a build-time-only dependency here (Tailwind/Next CSS tooling); we do +# not stringify untrusted CSS ASTs at runtime, so this is not exploitable. +# @see https://github.com/vercel/next.js/issues/93234#issuecomment-4333397286 +CVE-2026-41305
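Review bot: The justification comment in the new `.trivyignore` is missing a word: `# CVE-2026-41305 — PostCSS XSS via unescaped in CSS stringify output.` reads "via unescaped in", so the thing that is left unescaped never gets named; since this comment is the only record of why the finding is suppressed, name the character or token so a later reader can judge whether the reasoning still holds. The same comment asserts that postcss is build-time-only and that no untrusted CSS AST is stringified at runtime, but nothing in the diff substantiates that; cite where the claim was checked (for example that postcss is only pulled in by the Tailwind/Next tooling and is absent from the runtime bundle) so the suppression is reviewable rather than taken on trust. Finally, the entry `CVE-2026-41305` is open-ended; consider pairing it with an expiry date (Trivy's ignore file accepts an `exp:YYYY-MM-DD` suffix) so the suppression is revisited once the dependency is upgraded instead of silently persisting.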