From 87492ddcfe57a8a53191371ae30ff5364ef1319d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 19 Feb 2026 18:08:21 +0000
Subject: [PATCH 1/2] Upgrade: [dependabot] - bump mikefarah/yq from 4.52.2 to 4.52.4

Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.52.2 to 4.52.4.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](https://github.com/mikefarah/yq/compare/2be0094729a1006f61e8339ce9934bfb3cbb549f...5a7e72a743649b1b3a47d1a1d8214f3453173c51)

---
updated-dependencies:
- dependency-name: mikefarah/yq
 dependency-version: 4.52.4
 dependency-type: direct:production
 update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 .github/workflows/quality-checks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
index 392187c..05d4154 100644
--- a/.github/workflows/quality-checks.yml
+++ b/.github/workflows/quality-checks.yml
@@ -182,7 +182,7 @@ jobs:
 fi
 touch trivy.yaml
 - name: Update trivy config to include dev dependencies
- uses: mikefarah/yq@2be0094729a1006f61e8339ce9934bfb3cbb549f
+ uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51
 with:
 cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml'
 - name: convert python dependencies to requirements.txt

From 4b6a7fe6fd3507ff33f94b843a21393071d94df4 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Fri, 20 Feb 2026 07:41:45 +0000
Subject: [PATCH 2/2] update trivyignore

---
 .trivyignore.yaml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.trivyignore.yaml b/.trivyignore.yaml
index b578dd9..6fa84a3 100644
--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@@ -10,6 +10,12 @@ vulnerabilities:
 - id: CVE-2026-25547
 statement: isaacs/brace-expansion vulnerability accepted as risk - dependency of semantic-release
 expired_at: 2026-03-01
- - id: CVE-2026-0775
+ - id: CVE-2026-0775
 statement: npm vulnerability accepted as risk - dependency of semantic-release
 expired_at: 2026-03-01
+ - id: CVE-2026-26996
+ statement: minimatch vulnerability accepted as risk
+ expired_at: 2026-06-01
+ - id: CVE-2026-26960
+ statement: tar vulnerability accepted as risk
+ expired_at: 2026-06-01
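Review bot: The two new entries for CVE-2026-26996 and CVE-2026-26960 record no reason for accepting the risk — the neighbouring entries at least name the dependency chain (`- dependency of semantic-release`), whereas `statement: minimatch vulnerability accepted as risk` and `statement: tar vulnerability accepted as risk` say only that it was accepted. A statement that names what pulls the package in and why the finding does not apply here (for example `statement: minimatch vulnerability accepted as risk - dependency of <package>, <reason>` with the real values filled in) lets the next reviewer re-evaluate the exception when it lapses. The new `expired_at: 2026-06-01` is also about three months further out than the `2026-03-01` used by the existing entries; if that is deliberate, it is worth saying so in the statement, since a longer window suppresses Trivy findings for that package for longer. The CVE-2026-0775 line appears to be a whitespace-only change, as both sides read identically here.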