File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -15,6 +15,11 @@ defmodule Transport.MixProject do
1515 # Untrusted markdown is already sanitized via HtmlSanitizeEx, so the real risk is low.
1616 # - decimal: DoS fixed only in decimal 3.x, blocked by deps still pinning ~> 2.0 (ecto etc.).
1717 # Revisit once the ecosystem allows decimal 3.x; check for untrusted decimal parsing meanwhile.
18+ # - cowlib: 2 CRLF-injection advisories, no released fix (2.18.0 is latest under cowboy 2.17),
19+ # but a patch is in progress upstream. Only exploitable if untrusted data reaches response
20+ # headers/cookies, which app code doesn't do. Tracking:
21+ # https://github.com/ninenines/cowlib/issues/152 (EEF-CVE-2026-43969, cookie injection)
22+ # https://osv.dev/vulnerability/EEF-CVE-2026-43966 (response splitting)
1823 ignore_advisories: [
1924 # hackney (upgrade to 4.x)
2025 "EEF-CVE-2026-47069" ,
@@ -24,7 +29,10 @@ defmodule Transport.MixProject do
2429 # earmark stored XSS (migrate to MDEx)
2530 "EEF-CVE-2026-48591" ,
2631 # decimal DoS (fix needs 3.x, blocked by ecosystem)
27- "EEF-CVE-2026-32686"
32+ "EEF-CVE-2026-32686" ,
33+ # cowlib injection (no fix published yet)
34+ "EEF-CVE-2026-43966" ,
35+ "EEF-CVE-2026-43969"
2836 ] ,
2937 # earmark is retired (unmaintained); acknowledged until the MDEx migration above.
3038 ignore_retirements: [ :earmark ]
You can’t perform that action at this time.
0 commit comments