smartcontractkit · erikburt · Apr 2, 2026 · Apr 2, 2026
@@ -0,0 +1,5 @@
+---
+"dependency-review": patch
+---
+
+add new dependency vulnerability preset vulnerability-high-cve-2026-34040
@@ -0,0 +1,19 @@
+# This is a copy of `vulnerability-high.yml` with a specific CVE allowlisted.
+
+# https://github.com/advisories/GHSA-x744-4wpc-v9h2
+# CVE-2026-34040
+# We are temporarily allowing this CVE because it's from a transitive dep and specific to AuthZ plugin, which is something we don't use.
+# - The typical dependency path for us is `testcontainers/testcontainers-go -> github.com/docker/docker`
+# - There is currently no github.com/docker/docker version that is patched, and therefore no testcontainers-go version that we can update to.
+# - We will wait for these related tasks on testcontainers-go's side before we remove this config preset:
+#   - https://github.com/testcontainers/testcontainers-go/issues/3496
+#   - https://github.com/testcontainers/testcontainers-go/issues/3614
+#   - https://github.com/testcontainers/testcontainers-go/pull/3591
+
+# Fails when:
+# - vulnerabilities are found in the dependency tree with specified severity or grater
+vulnerability_check: true
+fail_on_severity: "high" # low, moderate, high, critical
+license_check: false
+allow_ghsas:
+  - GHSA-x744-4wpc-v9h2