# Trivy CVE allowlist.
# Format: one CVE ID per line, comments allowed. Used by both fs and image scans.
#
# Each entry below MUST cite why we can't simply upgrade. Re-evaluate quarterly
# (or whenever the fixed version actually publishes to npm).

# lodash CVE-2026-4800: Trivy lists 4.18.0 as the fixed version, but that
# release does not exist on npm (latest stable is still 4.17.21). lodash is
# pulled in transitively via @nestjs's dependency chain; nothing in our code
# imports it directly. Re-check when 4.18.0 is actually published.
CVE-2026-4800

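The two rules this file states (every allowlisted CVE must carry a justification, and each entry is re-checked once the fixed version actually ships) are easy to enforce mechanically in CI. The script below is an added example, not part of this allowlist or of Trivy: it parses an allowlist in this file's layout, attaches the comment block directly above each CVE id as its justification, and flags entries with no justification or whose awaited version is now present on the registry. The "<package> <CVE-id>:" and "Re-check when <version> is ... published" phrasing it keys on is an assumed convention taken from the lodash entry's wording, the sample allowlist and the published-version snapshots are constructed inline so it runs offline, and CVE-2099-99999 is a deliberate placeholder, not a real id.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed copy of the allowlist, plus one deliberately unjustified
# placeholder entry (CVE-2099-99999 is not a real id) to show what the lint catches.
SAMPLE_ALLOWLIST = """\
# Trivy CVE allowlist.
# Format: one CVE ID per line, comments allowed.
#
# Each entry below MUST cite why we can't simply upgrade.

# lodash CVE-2026-4800: Trivy lists 4.18.0 as the fixed version, but that
# release does not exist on npm (latest stable is still 4.17.21). lodash is
# pulled in transitively via @nestjs's dependency chain; nothing in our code
# imports it directly. Re-check when 4.18.0 is actually published.
CVE-2026-4800

CVE-2099-99999
"""

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# Assumed convention, matching the lodash entry's wording: the justification's
# first line starts "<package> <CVE-id>:" and the block mentions
# "Re-check when <version> is ... published".
HEAD_RE = re.compile(r"^(?P<pkg>\S+)\s+(?P<cve>CVE-\d{4}-\d{4,}):")
RECHECK_RE = re.compile(
    r"Re-check when (?P<ver>\d+(?:\.\d+)+) is (?:actually )?published", re.I
)


@dataclass
class Entry:
    cve: str
    line_no: int
    justification: list[str] = field(default_factory=list)
    package: Optional[str] = None
    awaiting_version: Optional[str] = None


def parse_allowlist(text: str) -> list[Entry]:
    """Parse the allowlist, attaching to each CVE the comment block directly above it."""
    entries: list[Entry] = []
    pending: list[str] = []  # comment lines since the last blank line or entry
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            pending = []  # a blank line ends a comment block, so the file header is not a justification
            continue
        if line.startswith("#"):
            pending.append(line.lstrip("#").strip())
            continue
        if not CVE_RE.match(line):
            raise ValueError(f"line {n}: expected a CVE id or comment, got {raw!r}")
        entry = Entry(cve=line, line_no=n, justification=pending)
        if pending:
            head = HEAD_RE.match(pending[0])
            if head and head.group("cve") == line:
                entry.package = head.group("pkg")
            recheck = RECHECK_RE.search(" ".join(pending))
            if recheck:
                entry.awaiting_version = recheck.group("ver")
        entries.append(entry)
        pending = []
    return entries


def lint(entries: list[Entry], published: dict[str, set[str]]) -> list[str]:
    """Return policy violations. `published` maps package -> versions known to
    exist on the registry (in CI, fill it from `npm view <pkg> versions --json`)."""
    problems: list[str] = []
    seen: set[str] = set()
    for e in entries:
        if e.cve in seen:
            problems.append(f"{e.cve} (line {e.line_no}): duplicate entry")
        seen.add(e.cve)
        if not e.justification:
            problems.append(f"{e.cve} (line {e.line_no}): no justification comment above it")
            continue
        if e.package and e.awaiting_version and e.awaiting_version in published.get(e.package, set()):
            problems.append(
                f"{e.cve} (line {e.line_no}): {e.package}@{e.awaiting_version} is now "
                f"published; upgrade and remove this allowlist entry"
            )
    return problems


def check(text: str, published: dict[str, set[str]]) -> list[str]:
    return lint(parse_allowlist(text), published)


if __name__ == "__main__":
    import sys

    # Constructed registry snapshots: before and after the awaited lodash release appears.
    for snapshot in ({"lodash": {"4.17.21"}}, {"lodash": {"4.17.21", "4.18.0"}}):
        print(f"registry snapshot {snapshot}:")
        for problem in check(SAMPLE_ALLOWLIST, snapshot) or ["  ok"]:
            print(" ", problem)
    sys.exit(1 if check(SAMPLE_ALLOWLIST, {"lodash": {"4.17.21"}}) else 0)
```

Wiring this into the pipeline before the Trivy step makes the allowlist fail closed: an entry added without a reason breaks the build, and the quarterly re-evaluation becomes a diff to review rather than a calendar reminder, because the check starts failing the day the awaited version is actually on npm.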