fix: exclude GHSA-rpmf-866q-6p89 (basic-ftp DoS) from yarn audit to unblock publish

[Doddanna17]

ticket: SI-512

Summary

• Adds GHSA-rpmf-866q-6p89 to .iyarc to exclude it from the yarn audit check
• This unblocks the chore(root): publish modules CI job which was failing with 5 HIGH severity findings — all the same advisory (GHSA-rpmf-866q-6p89) reported across 5 different dependency paths through basic-ftp

Why the exclusion is safe

The vulnerability is a client-side DoS in basic-ftp via unbounded multiline FTP control response buffering. The affected package reaches us through:

@bitgo/sdk-api > proxy-agent > pac-proxy-agent > get-uri > basic-ftp

• basic-ftp is used only for PAC-based proxy URL resolution, not for direct FTP operations
• Exploitation requires connecting to a malicious FTP server — all proxy targets are controlled internal endpoints
• A sibling advisory on the same package (GHSA-rp42-5vxx-qpwr, DoS via Client.list()) is already excluded under the same rationale
• No compatible patched version is available in the current get-uri dependency chain

Impact

Unblocks the publish of @bitgo/sdk-coin-hbar containing the explainTransaction fix for HBAR staking (PR #8700, merged), which is needed to unblock end-to-end HBAR stake signing on staging.

Related

• SI-511: BitGoJS explainTransaction fix for HBAR (PR fet(hbar): add AccountUpdate support to explainTransaction in BitGoJS #8700)
• SI-508: bitgo-microservices stakedNodeId fix
• SI-506: staking-service HBAR implementation
• Failing CI run: https://github.com/BitGo/BitGoJS/actions/runs/25464115442/job/74714441980

[linear-code]

SI-512 fix(bitgojs): exclude GHSA-rpmf-866q-6p89 (basic-ftp DoS) from yarn audit to unblock publish