chore(env): update CVE exclusions for security compliance

mrz1836 · mrz1836 · commit eec0e19fb9fc · 2026-04-06T11:09:29.000-04:00
diff --git a/.github/env/90-project.env b/.github/env/90-project.env
@@ -163,11 +163,6 @@ MAGE_X_FUZZ_MIN_TIMEOUT=120s
 # Maximum timeout cap (aligns with MAGE_X_TEST_TIMEOUT to prevent runaway tests)
 MAGE_X_FUZZ_MAX_TIMEOUT=30m
 
-# GO-2026-4514: buger/jsonparser Delete function is never called by go-broadcast
-# (wk8/go-ordered-map only uses ObjectEach - govulncheck exits 0 locally)
-# No fix available upstream; this is an import-level finding, not symbol-level
-MAGE_X_CVE_EXCLUDES=GO-2026-4514
-
 # ================================================================================================
 # 🔒 SECURITY OVERRIDES
 # ================================================================================================
@@ -176,7 +171,7 @@ MAGE_X_CVE_EXCLUDES=GO-2026-4514
 GITLEAKS_CONFIG_FILE=.github/.gitleaks.toml
 
 # Nancy CVE Exclusions (known acceptable vulnerabilities)
-NANCY_EXCLUDES=CVE-2026-32285
+NANCY_EXCLUDES=CVE-2026-32285,CVE-2026-34986
 
 # Govulncheck/Magex CVE Exclusions
-MAGE_X_CVE_EXCLUDES=CVE-2026-32285
+MAGE_X_CVE_EXCLUDES=CVE-2026-32285,GO-2026-4514
