Merge pull request #8249 from BitGo/WP-8127-fix-high-severity-tar-vulnerability-ghsa-qffp-2-rhf-9-h-96-blocking-sdk-release-audit

fix(root): exclude tar vulnerability

Author: ravibitgo

.iyarc

@@ -49,3 +49,10 @@ GHSA-23c5-xmqv-rm74
 # - serialize-javascript RCE via malicious RegExp.flags and Date.prototype.toISOString()
 # - Only affects dev-time tooling, not production code
 GHSA-5c6j-r48x-rmvq
+
+# Excluded because:
+# - Transitive dependency through lerna and yeoman-generator requiring tar < 7.5.7
+# - This CVE affects tar's extraction process (hardlink path traversal in crafted archives)
+# - Our usage is limited to archive PACKING operations only, not extraction
+# - Forcing tar v7.5.7+ breaks lerna's packDirectory API (same constraint as GHSA-8qq5-rm4j-mr97)
+GHSA-qffp-2rhf-9h96