bsv-blockchain · mrz1836 · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026
@@ -43,34 +43,7 @@ GO_COVERAGE_EXCLUDE_PATHS=.github/,.mage-cache/,.vscode/,bin/,example/,examples/
 # ================================================================================================
 
 # Nancy CVE Exclusions
-NANCY_EXCLUDES=CVE-2024-38513,CVE-2023-45142,CVE-2025-64702,CVE-2021-43668,CVE-2023-26248,CVE-2026-24051,CVE-2026-26014,CVE-2026-26958,CVE-2025-15558,CVE-2026-4427
+NANCY_EXCLUDES=CVE-2024-38513,CVE-2023-45142,CVE-2025-64702,CVE-2021-43668,CVE-2023-26248,CVE-2026-24051,CVE-2026-26014,CVE-2026-26958,CVE-2025-15558,CVE-2026-4427,CVE-2026-33809
 
 # Govulncheck/Magex CVE Exclusions
-MAGE_X_CVE_EXCLUDES=CVE-2024-38513,CVE-2023-45142,CVE-2025-64702,CVE-2021-43668,CVE-2023-26248,CVE-2026-24051,CVE-2026-26014,CVE-2026-26958,CVE-2025-15558,CVE-2026-4427
-
-# CVE-2026-26014 for pion/dtls (EXCLUDED: Invalid/non-existent CVE)
-#
-# Vulnerability: CVE-2026-26014
-#    False positive from Nancy scan - this CVE does not exist in public databases
-#    (NVD, OSS Index, or pion/dtls security advisories as of 2026-02-12)
-#  Affected packages: github.com/pion/dtls/v2@v2.2.12, github.com/pion/dtls/v3@v3.0.10
-#  Current versions: v2.2.12 (latest v2), v3.1.2 (latest v3, includes security fixes)
-#  Rationale: No actual vulnerability exists. Nancy likely reporting stale/incorrect data.
-#  Resolution: Excluded as false positive. Already using latest pion/dtls versions.
-
-# CVE-2026-26958 for filippo.io/edwards25519@v1.1.0 (CWE-665 Improper Initialization)
-#   Transitive dependency via github.com/bsv-blockchain/teranode@v0.13.2.
-#   Advisory notes that uses "only through github.com/go-sql-driver/mysql are not affected",
-#   which is our path (teranode uses it for MySQL auth). Cannot upgrade via go mod tidy since
-#   no package in this module directly imports edwards25519; pin would be removed. Will resolve
-#   when teranode upgrades to filippo.io/edwards25519 v1.2.0.
-
-# CVE-2026-24051 for go.opentelemetry.io/otel/sdk@v1.39.0 (macOS PATH hijacking - low risk)
-# CVE-2025-64702 for quic-go@v0.55.0
-# GO-2024-3218: Content Censorship in IPFS via Kademlia DHT abuse in github.com/libp2p/go-libp2p-kad-dht
-#   More info: https://pkg.go.dev/vuln/GO-2024-3218
-#   Module: github.com/libp2p/go-libp2p-kad-dht@v0.35.1
-
-# CVE-2025-15558 for docker/compose/v2 (Windows-only Docker CLI plugin path vulnerability)
-#   Affects only Windows hosts; not applicable to Linux CI/production environments.
-#   Transitive dependency, cannot be upgraded independently.
+MAGE_X_CVE_EXCLUDES=CVE-2024-38513,CVE-2023-45142,CVE-2025-64702,CVE-2021-43668,CVE-2023-26248,CVE-2026-24051,CVE-2026-26014,CVE-2026-26958,CVE-2025-15558,CVE-2026-4427,CVE-2026-33809
@@ -2,7 +2,7 @@
 # Environment variables can override any setting using ARCADE_ prefix
 # Example: ARCADE_SERVER_ADDRESS=:9090 overrides server.address
 network: main
-log_level: info  # debug, info, warn, error
+log_level: info # debug, info, warn, error
 storage_path: ~/.arcade
 server:
   address: ":3011"