NHSDigital · anthony-nhs · Feb 20, 2026 · Feb 19, 2026 · Feb 20, 2026
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
@@ -182,7 +182,7 @@ jobs:
           fi
           touch trivy.yaml
       - name: Update trivy config to include dev dependencies
-        uses: mikefarah/yq@2be0094729a1006f61e8339ce9934bfb3cbb549f
+        uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51
         with:
           cmd: yq -i '.pkg.include-dev-deps = true' 'trivy.yaml'
       - name: convert python dependencies to requirements.txt

diff --git a/.trivyignore.yaml b/.trivyignore.yaml
@@ -10,6 +10,12 @@ vulnerabilities:
   - id: CVE-2026-25547
     statement: isaacs/brace-expansion vulnerability accepted as risk - dependency of semantic-release
     expired_at: 2026-03-01
-  - id: CVE-2026-0775 
+  - id: CVE-2026-0775
     statement: npm vulnerability accepted as risk - dependency of semantic-release
     expired_at: 2026-03-01
+  - id: CVE-2026-26996
+    statement: minimatch vulnerability accepted as risk
+    expired_at: 2026-06-01
+  - id: CVE-2026-26960
+    statement: tar vulnerability accepted as risk
+    expired_at: 2026-06-01