# pip-audit CVE allowlist for mca-prototype/requirements.txt.
# Format: CVE-ID per non-comment line. Every CVE MUST have:
#   - the package it affects
#   - the reason it is tolerated (no patch / not exploitable / mitigated)
#   - an expiry / review date (YYYY-MM-DD)
#   - a tracking ticket
# Empty lines and lines starting with # are ignored.

# CVE-2026-0994 - protobuf - upstream patch not yet released. Inherited
# from prior --ignore-vuln in .gitlab-ci.yml; risk accepted because the
# affected code path (message parsing) is only exercised on trusted OTLP
# payloads emitted by this SDK itself, never on attacker-controlled bytes.
#   review: 2026-08-31, ticket: 6-13-followup-protobuf-cve-track.
CVE-2026-0994

# CVE-2026-4539 - package: TBD. Inherited from prior story 6-13 review;
# pre-existing allowlist entry, justification not yet captured. Must be
# either justified-and-kept or removed-and-fixed by the review date.
#   review: 2026-06-30, ticket: 6-13-followup-cve-2026-4539-justify.
CVE-2026-4539
