diff --git a/package.json b/package.json
index f84dfd4..c1ebd1e 100644
--- a/package.json
+++ b/package.json
@@ -8,10 +8,15 @@
 },
 "auditConfig": {
 "ignoreGhsas": [
- "GHSA-vmh5-mc38-953g"
+ "GHSA-vmh5-mc38-953g",
+ "GHSA-vxpw-j846-p89q",
+ "GHSA-hm92-r4w5-c3mj"
 ],
 "_ignoreGhsasNotes": {
- "GHSA-vmh5-mc38-953g": "undici SOCKS5 ProxyAgent TLS bypass. Only reachable via undici/jsdom (test-time). Patched in undici>=7.28.0 but jsdom@29.1.1 reaches into undici's private module layout, so forcing 7.28+ via override breaks tests. We never use a SOCKS5 proxy in tests, so the path is unreachable. Drop this entry once jsdom updates its undici pin."
+ "_shared": "All three advisories sit in undici, are reached only via jsdom in test runs, and are fixed in undici>=7.28.0. We can't move there because jsdom@29.1.1 reaches into undici 7's private module layout and crashes on the 7.28+ restructure. None of the vulnerable code paths run in our tests (no SOCKS5 proxy, no WebSocket client). Drop these entries when jsdom updates its undici pin.",
+ "GHSA-vmh5-mc38-953g": "SOCKS5 ProxyAgent TLS bypass — unreachable, no SOCKS5 proxy in tests.",
+ "GHSA-vxpw-j846-p89q": "WebSocket client DoS via fragment-count bypass — unreachable, no WS client in tests.",
+ "GHSA-hm92-r4w5-c3mj": "SOCKS5 proxy pool cross-origin reuse — unreachable, no SOCKS5 proxy in tests."
 }
 }
 },
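Review bot: The three ignore entries added to `ignoreGhsas` are open-ended — the only thing that would retire them is someone remembering the prose condition in `_shared` ("when jsdom updates its undici pin"), and nothing in the config records the jsdom version (29.1.1) or the resolved undici version the "unreachable in tests" reasoning was validated against. Consider pinning the justification to something a later reviewer can compare mechanically, e.g. a sibling field such as `"_ignoreGhsasValidatedAgainst": { "jsdom": "29.1.1", "reviewBy": "<date placeholder>" }`, so a jsdom bump or a calendar date forces re-evaluation rather than the suppressions quietly outliving their rationale. Separately, `_shared` is a non-GHSA key inside a map otherwise keyed by advisory id; if any tooling iterates `_ignoreGhsasNotes` expecting GHSA keys that entry would need to be skipped, so moving it to its own top-level `_ignoreGhsasRationale` key would keep the map homogeneous (whether such tooling exists is not visible here). The enclosing JSON object begins and ends outside the hunk.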