From 0f644f3a51b4dc491b389949736e9e671ec369db Mon Sep 17 00:00:00 2001 From: Ankush Pathak Date: Tue, 4 Nov 2025 09:28:40 +0000 Subject: [PATCH] doc(npm): Add false-positive-determination for GHSA-29xp-372q-xqph Signed-off-by: Ankush Pathak --- npm.advisories.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/npm.advisories.yaml b/npm.advisories.yaml index cc2e24c65b..9145f50b79 100644 --- a/npm.advisories.yaml +++ b/npm.advisories.yaml @@ -48,6 +48,11 @@ advisories: type: pending-upstream-fix data: note: Since this package relies on upstream artifacts, the vulnerability must be remediated upstream by updating tar to version 7.5.2 or later. + - timestamp: 2025-11-04T09:27:38Z + type: false-positive-determination + data: + type: vulnerable-code-not-in-execution-path + note: 'npm does not utilize the affected code path. For more details, refer to the upstream discussions: https://github.com/nodejs/node/pull/60430#issuecomment-3455536702 and https://github.com/nodejs/node/pull/60012#issuecomment-3452094442' - id: CGA-ff5p-6mq6-jqwc aliases:
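Review bot: The `note` on the added `false-positive-determination` event says only that "npm does not utilize the affected code path" and defers all of the reasoning to two GitHub comment links, so the record itself does not say which tar code path is affected or why npm never reaches it. Suggest adding one sentence to the note that names the affected functionality and how npm's use of tar avoids it, keeping the links as supporting references, so the determination can still be audited if those comments are edited or removed. The preceding `pending-upstream-fix` event still states that the vulnerability must be remediated upstream by updating tar to 7.5.2 or later; the new note should say whether that upgrade is still expected or whether the false-positive determination fully supersedes it. Minor: the subject prefix `doc(npm)` undersells the change, since it alters the advisory's status rather than documentation.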