# pip-audit CVE allowlist for mca-prototype/requirements.txt.
# Format: CVE-ID per non-comment line. Every CVE MUST have:
#   - the package it affects
#   - the reason it is tolerated (no patch / not exploitable / mitigated)
#   - an expiry / review date (YYYY-MM-DD)
#   - a tracking ticket
# Empty lines and lines starting with # are ignored.

# CVE-2026-0994 - protobuf - upstream patch not yet released. Inherited
# from prior --ignore-vuln in .gitlab-ci.yml; risk accepted because the
# affected code path (message parsing) is only exercised on trusted OTLP
# payloads emitted by this SDK itself, never on attacker-controlled bytes.
#   review: 2026-08-31, ticket: 6-13-followup-protobuf-cve-track.
CVE-2026-0994

