From 65ab1ad300014fb1c736e0d2e999408bedf0fd52 Mon Sep 17 00:00:00 2001
From: Erik Burton
Date: Thu, 2 Apr 2026 10:30:12 -0700
Subject: [PATCH] fix: dependency-review new vulnerability preset

---
 .changeset/slow-onions-smash.md | 5 +++++
 .../vulnerability-high-cve-2026-34040.yml | 19 +++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 .changeset/slow-onions-smash.md
 create mode 100644 actions/dependency-review/configs/vulnerability-high-cve-2026-34040.yml

diff --git a/.changeset/slow-onions-smash.md b/.changeset/slow-onions-smash.md
new file mode 100644
index 000000000..43ed04cd7
--- /dev/null
+++ b/.changeset/slow-onions-smash.md
@@ -0,0 +1,5 @@
+---
+"dependency-review": patch
+---
+
+add new dependency vulnerability preset vulnerability-high-cve-2026-34040
diff --git a/actions/dependency-review/configs/vulnerability-high-cve-2026-34040.yml b/actions/dependency-review/configs/vulnerability-high-cve-2026-34040.yml
new file mode 100644
index 000000000..c440e3ef3
--- /dev/null
+++ b/actions/dependency-review/configs/vulnerability-high-cve-2026-34040.yml
@@ -0,0 +1,19 @@
+# This is a copy of `vulnerability-high.yml` with a specific CVE allowlisted.
+
+# https://github.com/advisories/GHSA-x744-4wpc-v9h2
+# CVE-2026-34040
+# We are temporarily allowing this CVE because it's from a transitive dep and specific to AuthZ plugin, which is something we don't use.
+# - The typical dependency path for us is `testcontainers/testcontainers-go -> github.com/docker/docker`
+# - There is currently no github.com/docker/docker version that is patched, and therefore no testcontainers-go version that we can update to.
+# - We will wait for these related tasks on testcontainers-go's side before we remove this config preset:
+# - https://github.com/testcontainers/testcontainers-go/issues/3496
+# - https://github.com/testcontainers/testcontainers-go/issues/3614
+# - https://github.com/testcontainers/testcontainers-go/pull/3591
+
+# Fails when:
+# - vulnerabilities are found in the dependency tree with specified severity or grater
+vulnerability_check: true
+fail_on_severity: "high" # low, moderate, high, critical
+license_check: false
+allow_ghsas: - GHSA-x744-4wpc-v9h2
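Review bot: The allowlist entry under `allow_ghsas:` at the end of the hunk has no removal trigger beyond the word "temporarily" in the header comment, and suppressions like this tend to outlive the reason they were added. I would put a comment directly above `allow_ghsas:` such as `# TODO: remove this preset once testcontainers-go picks up a patched github.com/docker/docker (issues 3496/3614, PR 3591 above); re-evaluate by <review-date>` so the risk acceptance has an owner and a re-check date. As far as I understand the dependency-review semantics, `allow_ghsas` exempts GHSA-x744-4wpc-v9h2 on every dependency path, not only the transitive testcontainers-go -> docker path the comment describes, so a future direct dependency on the affected module would also pass this check silently; one sentence stating that in the comment would keep the acceptance honest. Finally, `grater` on the "Fails when" line should read `greater`.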