
@Artmann Artmann commented Jan 15, 2026

Overall Risk: LOW - Both advisories affect dev dependencies only. None of these vulnerable packages are
bundled in the distributed VSCode extension or affect end users.


Advisory Analysis

  1. GHSA-73rr-hh4g-fpgx (diff/jsdiff) - DoS via infinite loop

Vulnerability: Parsing patches with special line break characters (\r, \u2028, \u2029) in filename headers
causes infinite loop and memory exhaustion.

Attack Surface in This Repo: None for end users

  • Used only by test frameworks during development/CI
  • Never bundled in the extension
  • Would require attacker to inject malicious patch content into test output

Risk Assessment: NEGLIGIBLE


  2. GHSA-g9mf-h72j-4rw9 (undici) - DoS via compression bomb

Vulnerability: Unbounded decompression chain allows malicious server to cause DoS via excessive CPU/memory
consumption.

Attack Surface in This Repo: None for end users

  • Only used by GitHub Actions libraries for CI/CD automation
  • Never bundled in the extension
  • Would require malicious server to respond to GH Actions HTTP requests

Risk Assessment: NEGLIGIBLE

Both are dev dependencies not bundled in the extension.

Summary by CodeRabbit

  • Chores
    • Updated security vulnerability configuration with two new entries and associated metadata.


Add dev-only security advisories to .nsprc:
- GHSA-73rr-hh4g-fpgx: diff DoS (mocha, sinon, tslint)
- GHSA-g9mf-h72j-4rw9: undici DoS (@actions/core, @actions/github)

Both are dev dependencies not bundled in the extension.
coderabbitai bot commented Jan 15, 2026

Walkthrough

Two new GHSA vulnerability entries (GHSA-73rr-hh4g-fpgx and GHSA-g9mf-h72j-4rw9) have been added to the .nsprc file. Each entry includes notes and expiry fields. No existing entries were modified or removed. The change is purely additive configuration data with no control flow implications.

Pre-merge checks: 3 passed

Check name          Status    Explanation
Title check         Passed    Title accurately summarizes the main change: adding entries to .nsprc to ignore two specific security advisories.
Docstring Coverage  Passed    No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check   Passed    Check skipped - CodeRabbit's high-level summary is enabled.

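The walkthrough notes that each new .nsprc entry carries notes and an expiry. The reason a reviewer cares is that an advisory suppression is a decision to keep running a known-vulnerable version, and that decision should be justified and re-examined on a schedule. The block below is an added example, not the repository's code and not part of better-npm-audit: a CI-side check that walks a .nsprc-style object and flags suppressions with no notes, no expiry, an expiry already passed, or an expiry further out than an assumed 90-day review window. The file shape (advisory id → { active, notes, expiry }) is assumed to match what better-npm-audit reads; the sample dates, the 90-day policy, the placeholder id GHSA-xxxx-xxxx-xxxx, and the function names are this example's own.

```javascript
// Added example (not the project's code or better-npm-audit's): lint a
// .nsprc-style advisory exception list so suppressions stay justified and
// time-boxed. The entry shape is assumed; the policy and dates are assumptions.

const MAX_EXCEPTION_DAYS = 90; // assumed policy: every suppression is re-reviewed within 90 days
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed sample mirroring the two entries the PR adds. The notes are taken
// from the PR description; the expiry dates and the third entry are made up.
const SAMPLE_NSPRC = {
  'GHSA-73rr-hh4g-fpgx': {
    active: true,
    notes: 'diff DoS; dev-only via mocha, sinon, tslint; not bundled in the extension',
    expiry: '2026-03-31',
  },
  'GHSA-g9mf-h72j-4rw9': {
    active: true,
    notes: 'undici DoS; dev-only via @actions/core and @actions/github; not bundled',
    expiry: '2026-03-31',
  },
  // Placeholder id (not a real advisory): a suppression with no justification and no expiry.
  'GHSA-xxxx-xxxx-xxxx': { active: true },
};

// Accept either an epoch-milliseconds number or any date string Date can parse.
function parseExpiry(value) {
  if (typeof value === 'number') return new Date(value);
  if (typeof value === 'string') {
    const d = new Date(value);
    if (!Number.isNaN(d.getTime())) return d;
  }
  return null;
}

// Returns [{ id, problems: [...] }] for every active entry that fails policy.
// Entries with active: false are assumed not to suppress anything and are skipped.
function auditExceptions(nsprc, now = new Date(), maxDays = MAX_EXCEPTION_DAYS) {
  const findings = [];
  for (const [id, entry] of Object.entries(nsprc)) {
    if (!entry || entry.active === false) continue;
    const problems = [];
    if (typeof entry.notes !== 'string' || entry.notes.trim() === '') {
      problems.push('missing notes');
    }
    const expiry = parseExpiry(entry.expiry);
    if (expiry === null) {
      problems.push('missing or unparseable expiry');
    } else {
      const daysLeft = (expiry.getTime() - now.getTime()) / MS_PER_DAY;
      if (daysLeft < 0) problems.push(`expired ${Math.floor(-daysLeft)} days ago`);
      else if (daysLeft > maxDays) problems.push(`expiry more than ${maxDays} days out`);
    }
    if (problems.length > 0) findings.push({ id, problems });
  }
  return findings;
}

// Prints each finding and returns the exit code a CI step should use.
function runCheck(nsprc, now = new Date()) {
  const findings = auditExceptions(nsprc, now);
  for (const f of findings) console.error(`${f.id}: ${f.problems.join('; ')}`);
  return findings.length === 0 ? 0 : 1;
}
```

In a pipeline this would run as `process.exit(runCheck(JSON.parse(fs.readFileSync('.nsprc', 'utf8'))))` before the audit step, so an expired or unexplained suppression fails the build rather than silently continuing to hide the advisory.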


codecov bot commented Jan 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0%. Comparing base (e723369) to head (1841aba).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

Coverage diff, main vs #295: no impacted files.

@Artmann Artmann marked this pull request as ready for review January 15, 2026 09:42
@Artmann Artmann requested a review from a team as a code owner January 15, 2026 09:42
@saltenasl saltenasl left a comment


👍

@saltenasl saltenasl merged commit a996dfb into main Jan 15, 2026
13 checks passed
@saltenasl saltenasl deleted the address-ga-jan-15 branch January 15, 2026 09:45