Skip to content

Commit eed500d

Browse files
committed
Bypass cowlib warnings for now
1 parent 84e2ce6 commit eed500d

1 file changed

Lines changed: 9 additions & 1 deletion

File tree

mix.exs

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,11 @@ defmodule Transport.MixProject do
1515
# Untrusted markdown is already sanitized via HtmlSanitizeEx, so the real risk is low.
1616
# - decimal: DoS fixed only in decimal 3.x, blocked by deps still pinning ~> 2.0 (ecto etc.).
1717
# Revisit once the ecosystem allows decimal 3.x; check for untrusted decimal parsing meanwhile.
18+
# - cowlib: 2 CRLF-injection advisories, no released fix (2.18.0 is latest under cowboy 2.17),
19+
# but a patch is in progress upstream. Only exploitable if untrusted data reaches response
20+
# headers/cookies, which app code doesn't do. Tracking:
21+
# https://github.com/ninenines/cowlib/issues/152 (EEF-CVE-2026-43969, cookie injection)
22+
# https://osv.dev/vulnerability/EEF-CVE-2026-43966 (response splitting)
1823
ignore_advisories: [
1924
# hackney (upgrade to 4.x)
2025
"EEF-CVE-2026-47069",
@@ -24,7 +29,10 @@ defmodule Transport.MixProject do
2429
# earmark stored XSS (migrate to MDEx)
2530
"EEF-CVE-2026-48591",
2631
# decimal DoS (fix needs 3.x, blocked by ecosystem)
27-
"EEF-CVE-2026-32686"
32+
"EEF-CVE-2026-32686",
33+
# cowlib injection (no fix published yet)
34+
"EEF-CVE-2026-43966",
35+
"EEF-CVE-2026-43969"
2836
],
2937
# earmark is retired (unmaintained); acknowledged until the MDEx migration above.
3038
ignore_retirements: [:earmark]

0 commit comments

Comments
 (0)