fix: dependency-review new vulnerability preset (#1501)

erikburt · web-flow · commit f633596e6372 · 2026-04-02T13:10:04.000-07:00
diff --git a/.changeset/slow-onions-smash.md b/.changeset/slow-onions-smash.md
@@ -0,0 +1,5 @@
+---
+"dependency-review": patch
+---
+
+add new dependency vulnerability preset vulnerability-high-cve-2026-34040
diff --git a/actions/dependency-review/configs/vulnerability-high-cve-2026-34040.yml b/actions/dependency-review/configs/vulnerability-high-cve-2026-34040.yml
@@ -0,0 +1,19 @@
+# This is a copy of `vulnerability-high.yml` with a specific CVE allowlisted.
+
+# https://github.com/advisories/GHSA-x744-4wpc-v9h2
+# CVE-2026-34040
+# We are temporarily allowing this CVE because it's from a transitive dep and specific to AuthZ plugin, which is something we don't use.
+# - The typical dependency path for us is `testcontainers/testcontainers-go -> github.com/docker/docker`
+# - There is currently no github.com/docker/docker version that is patched, and therefore no testcontainers-go version that we can update to.
+# - We will wait for these related tasks on testcontainers-go's side before we remove this config preset:
+#   - https://github.com/testcontainers/testcontainers-go/issues/3496
+#   - https://github.com/testcontainers/testcontainers-go/issues/3614
+#   - https://github.com/testcontainers/testcontainers-go/pull/3591
+
+# Fails when:
+# - vulnerabilities are found in the dependency tree with specified severity or grater
+vulnerability_check: true
+fail_on_severity: "high" # low, moderate, high, critical
+license_check: false
+allow_ghsas:
+  - GHSA-x744-4wpc-v9h2

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"dependency-review": patch
 +---
++
 +add new dependency vulnerability preset vulnerability-high-cve-2026-34040