From d8a4b09b4aecb8dc020a79348726789cebd2928c Mon Sep 17 00:00:00 2001
From: Kovid Goyal <kovid@kovidgoyal.net>
Date: Thu, 2 Apr 2026 21:53:51 +0530
Subject: [PATCH] Ignore CVEs in nodejs used only for building webengine

---
 setup/unix-ci.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/setup/unix-ci.py b/setup/unix-ci.py
index 32fa96d2de..7c3359ea2c 100644
--- a/setup/unix-ci.py
+++ b/setup/unix-ci.py
@@ -192,6 +192,13 @@ IGNORED_DEPENDENCY_CVES = [
     'CVE-2026-3644',
     'CVE-2026-4224',  # expat parser unused
     'CVE-2026-4519',  # webbrowser() unused
+    # nodejs used only at build time CVEs are irrelevant
+    'CVE-2026-21710',
+    'CVE-2026-21717',
+    'CVE-2026-21714',
+    'CVE-2026-21713',
+    'CVE-2026-21715',
+    'CVE-2026-21716',
     # libtiff
     'CVE-2025-8851',  # this is erroneously marked as fixed in the database but no release of libtiff has been made with the fix
     # hyphen