From ff6d4ab39a129f21b53a662a06d2bd8d35662099 Mon Sep 17 00:00:00 2001
From: erio
Date: Fri, 3 Apr 2026 01:53:17 +0800
Subject: [PATCH] chore: add lodash/lodash-es audit exception for GHSA-r5fr-rjxr-66jc
---
 .github/audit-exceptions.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/.github/audit-exceptions.yml b/.github/audit-exceptions.yml
index a1d8411c..82cdefe4 100644
--- a/.github/audit-exceptions.yml
+++ b/.github/audit-exceptions.yml
@@ -14,3 +14,17 @@ exceptions:
     mitigation: "Load only on export; restrict export permissions and data scope"
     expires_on: "2026-04-05"
     owner: "security@your-domain"
+  - package: lodash
+    advisory: "GHSA-r5fr-rjxr-66jc"
+    severity: high
+    reason: "lodash _.template not used with untrusted input; only internal admin UI templates"
+    mitigation: "No user-controlled template strings; plan to migrate to lodash-es tree-shaken imports"
+    expires_on: "2026-07-02"
+    owner: "security@your-domain"
+  - package: lodash-es
+    advisory: "GHSA-r5fr-rjxr-66jc"
+    severity: high
+    reason: "lodash-es _.template not used with untrusted input; only internal admin UI templates"
+    mitigation: "No user-controlled template strings; plan to migrate to native JS alternatives"
+    expires_on: "2026-07-02"
+    owner: "security@your-domain"
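Review bot: The `mitigation` on the new `lodash` entry is self-contradictory: it proposes migrating to `lodash-es`, yet the very next entry excepts `lodash-es` for the same advisory `GHSA-r5fr-rjxr-66jc`, so that migration does not close the finding and the exception would simply move from one package name to the other. Both entries also rest on an unenforced assertion ("not used with untrusted input") with no pointer to where that is checked; a reviewer renewing this on 2026-07-02 has nothing to verify against. I would replace the lodash mitigation with something that names the actual exit path and the guardrail, e.g. `mitigation: "No user-controlled template strings (see <lint rule / grep check> that fails CI on new _.template usage); pin to the first patched lodash release or remove _.template before expiry"`, and make the lodash-es entry point to the same control. Whether a fixed release already exists and why a straight upgrade is not possible should be stated in `reason`, since an exception is normally only granted when upgrade is not an option. If the advisory turns out to cover a function other than `_.template`, the `reason` on both entries needs to be rewritten to match the advisory text rather than the assumption here.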