From 692f8e147966ab4f6bedaff70e4d5d785a3d7c10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Rodriguez?= Date: Wed, 15 Apr 2026 16:29:40 -0400 Subject: [PATCH] fix: add .snyk safety net ignore for goldmark XSS (CVE-2026-5160) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit goldmark v1.4.13 is a ghost transitive dep via golang.org/x/tools — not listed in go.mod and never compiled into any binary. Adding ignore for consistency with existing go-jose and x/crypto ignores. Co-Authored-By: Claude Opus 4.6 --- .snyk | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.snyk b/.snyk index 16fc4d7..1e5d4ed 100644 --- a/.snyk +++ b/.snyk @@ -149,6 +149,16 @@ ignore: not listed in go.mod and not compiled into any binary. expires: 2026-10-09T00:00:00.000Z created: 2026-04-09T00:00:00.000Z + # --- goldmark XSS vulnerability (transitive ghost dep; not compiled) --- + SNYK-GOLANG-GITHUBCOMYUINGOLDMARKRENDERHTML-15838406: + - '*': + reason: >- + CVE-2026-5160 Cross-site Scripting (CWE-79). + github.com/yuin/goldmark is a transitive dependency of golang.org/x/tools v0.44.0; + not listed in go.mod and not compiled into any binary. + `go mod why` confirms: "main module does not need package github.com/yuin/goldmark". + expires: 2026-10-15T00:00:00.000Z + created: 2026-04-15T00:00:00.000Z # --- golang.org/x/crypto vulnerabilities (transitive ghost dep; not in go.mod) --- SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8747056: - '*':
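Review bot: The wildcard `'*'` path ignore for SNYK-GOLANG-GITHUBCOMYUINGOLDMARKRENDERHTML-15838406 is justified only by the current dependency graph (goldmark reachable solely through golang.org/x/tools v0.44.0 and `go mod why` reporting "main module does not need package github.com/yuin/goldmark"), but nothing in the hunk ties the ignore to that state, so a later x/tools bump or any new direct import of goldmark would be silently suppressed until the 2026-10-15 expiry. Suggest pairing the ignore with a CI assertion that the `go mod why` result quoted in the `reason` still holds, or at least narrowing the `reason` to name the exact package path (`github.com/yuin/goldmark/renderer/html`, as the Snyk ID suggests) and the x/tools version it was verified against, so the next reviewer can re-check the claim rather than inherit it. The six-month `expires` window and the `created` date match the neighbouring go-jose and x/crypto entries, which is consistent with the commit's stated intent.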