From 86960493e9cbd06ed76a7eccf92befcde7dbd9e8 Mon Sep 17 00:00:00 2001
From: Harold Ship <harold@il.ibm.com>
Date: Sun, 7 Jun 2026 14:43:27 +0300
Subject: [PATCH 1/2] fix(ci): ignore CVE-2026-47214 in pip-audit pending
 langchain-docling fix

docling is pinned to <2.92 because langchain-docling 2.0.0 doesn't yet
support the slim package layout introduced in 2.92, so we can't take the
2.94.0 fix for this CVE without breaking the integration. Ignore it in CI
for now per the short-term workaround in #45, with a comment pointing back
to the issue and the version pin.
---
 .github/workflows/ci.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1c9ed10..ee49ea1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -97,4 +97,7 @@ jobs:
       - name: bandit
         run: uv run bandit -c pyproject.toml -r benchmarks scripts -ll
       - name: pip-audit
-        run: uv run pip-audit --skip-editable --ignore-vuln GHSA-r7w7-9xr2-qq2r
+        # CVE-2026-47214 (docling 2.91.0, fixed in 2.94.0) is ignored because docling is
+        # pinned to <2.92 until langchain-docling supports the newer "slim" docling layout.
+        # See https://github.com/cuga-project/cuga-eval/issues/45.
+        run: uv run pip-audit --skip-editable --ignore-vuln GHSA-r7w7-9xr2-qq2r --ignore-vuln CVE-2026-47214

From 783777b0c3668f99868b06eee31b4a0ec9e7af12 Mon Sep 17 00:00:00 2001
From: Harold Ship <harold@il.ibm.com>
Date: Sun, 7 Jun 2026 14:53:08 +0300
Subject: [PATCH 2/2] fix(ci): align local just security target with CI
 pip-audit ignores

The justfile's security target was missing the new CVE-2026-47214 ignore,
so just security and the CI pip-audit step would diverge. Mirror the CI
flags and document the reason, matching the existing GHSA comment style.
---
 justfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/justfile b/justfile
index 93f0f63..f5e20c6 100644
--- a/justfile
+++ b/justfile
@@ -32,9 +32,11 @@ test-stability:
 # --skip-editable: cuga and appworld are editable path installs not on PyPI.
 # --ignore-vuln GHSA-r7w7-9xr2-qq2r: langchain-openai is pinned to 1.1.10 by
 #   cuga-agent's transitive constraints. Track the upstream bump separately.
+# --ignore-vuln CVE-2026-47214: docling is pinned to <2.92 until langchain-docling
+#   supports the newer "slim" docling layout. See issue #45.
 security:
     uv run bandit -c pyproject.toml -r benchmarks scripts -ll
-    uv run pip-audit --skip-editable --ignore-vuln GHSA-r7w7-9xr2-qq2r
+    uv run pip-audit --skip-editable --ignore-vuln GHSA-r7w7-9xr2-qq2r --ignore-vuln CVE-2026-47214
 
 # Composite gate matching what CI runs.
 ci: lint test-regression security