From de705844609ec49b8eb7520fb8792cc778e7a879 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Wed, 2 Apr 2025 13:28:59 -0700
Subject: [PATCH] ignore CVE in dep which has already been upgraded in main to patched dep
---
 pipelines/pull-requests/pipeline.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pipelines/pull-requests/pipeline.yml b/pipelines/pull-requests/pipeline.yml
index 7a22877c8..77fe03351 100644
--- a/pipelines/pull-requests/pipeline.yml
+++ b/pipelines/pull-requests/pipeline.yml
@@ -621,7 +621,9 @@ jobs:
 # CVE-2025-27144 is in github.com/go-jose/go-jose. We are already using the versions which contain
 # the fix v3.0.4 and v4.0.5, but for some reason nancy is complaining about it, so ignore it.
- CVE-2025-27144 until=2025-04-01
+ # See https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78 which says that
+ # 3.0.4 and 4.0.5 contain the fix.
+ CVE-2025-27144
 EOF