# pnpm 9.x and its bundled dependencies
# These are build-time tool internals, not runtime application code.
# pnpm is only used for dependency installation and process management.
# All require upgrading to pnpm 10.x (major breaking change).
# Tracked: https://github.com/pnpm/pnpm/releases/tag/v10.0.0

# pnpm core
CVE-2025-69262
CVE-2025-69263

# glob (bundled in pnpm 9.x, not our dependency)
CVE-2025-64756

# minimatch (bundled in pnpm 9.x)
CVE-2026-26996
CVE-2026-27903
CVE-2026-27904

# picomatch (bundled in pnpm 9.x)
CVE-2026-33671

# tar (bundled in pnpm 9.x)
CVE-2026-23745
CVE-2026-23950
CVE-2026-24842
CVE-2026-26960
CVE-2026-29786
CVE-2026-31802

# pnpm 9.x core (2026 rescan) -- same build-time-tool rationale as above; every
# one of these is fixed only in pnpm 10.x (10.0.0 / 10.28.1 / 10.28.2), a major
# breaking migration tracked separately. pnpm runs only at install/start time.
CVE-2024-47829
CVE-2026-23888
CVE-2026-23889
CVE-2026-23890
CVE-2026-24056
CVE-2026-24131

# golang.org/x/image bundled in the caire binary (content-aware seam-carving
# resize, one tool). esimov/caire v1.5.0 is the latest release and still pins
# golang.org/x/image v0.18.0; there is no upstream caire build with the fixed
# x/image >=0.38.0. Re-evaluate when caire publishes a new release.
CVE-2026-33809

# brace-expansion: a build-toolchain transitive dependency of minimatch/glob. The
# patched instance (5.0.6) is already present; the only flagged copy is the 2.x
# line pulled in by glob, whose fix is a major-version bump (5.0.5) that the glob
# ecosystem has not adopted. Not reachable from user input.
CVE-2026-33750
