From d2842db18dc617673289f1d153899acfd20065bc Mon Sep 17 00:00:00 2001
From: Claire
Date: Fri, 27 Sep 2024 14:31:00 +0200
Subject: [PATCH] Ignore CVE-2024-8796, which does not impact us

---
 .bundler-audit.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.bundler-audit.yml b/.bundler-audit.yml
index 0671df390f..c867b1abf0 100644
--- a/.bundler-audit.yml
+++ b/.bundler-audit.yml
@@ -4,3 +4,7 @@ ignore:
   # We have rate-limits on authentication endpoints in place (including second
   # factor verification) since Mastodon v3.2.0
   - CVE-2024-0227
+  # devise-two-factor advisory about generated secrets being weaker than expected
+  # We call `generate_otp_secret` ourselves with a requested length of 32 characters,
+  # which exceeds the recommended remediation of 26 characters, so we're safe
+  - CVE-2024-8796
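Review bot: The added ignore for CVE-2024-8796 rests on an assumption the file cannot verify — that every OTP secret in the database was minted through the application's own `generate_otp_secret` call with length 32 — and the comment gives no pointer to where that call lives or what would invalidate the reasoning. An audit-ignore entry tends to outlive its justification, so the rationale should name the call site and the condition under which the entry must be revisited, e.g. `# Re-check this exemption when upgrading devise-two-factor or changing the call site at <PLACEHOLDER: path to generate_otp_secret caller>`. If any secrets were ever created through the library's default path rather than the explicit 32-character call (e.g. before that call was introduced), those secrets would not be covered by this argument; a sentence stating that this was checked, or that affected users were re-enrolled, would make the exemption auditable. Keeping the advisory's own remediation wording ("26 characters") next to the local value, as the commit already does, is good practice and should be retained.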