cuga-project · Sergey-Zeltyn · Jun 8, 2026 · Jun 7, 2026 · Jun 7, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -97,4 +97,7 @@ jobs:
       - name: bandit
         run: uv run bandit -c pyproject.toml -r benchmarks scripts -ll
       - name: pip-audit
-        run: uv run pip-audit --skip-editable --ignore-vuln GHSA-r7w7-9xr2-qq2r
+        # CVE-2026-47214 (docling 2.91.0, fixed in 2.94.0) is ignored because docling is
+        # pinned to <2.92 until langchain-docling supports the newer "slim" docling layout.
+        # See https://github.com/cuga-project/cuga-eval/issues/45.
+        run: uv run pip-audit --skip-editable --ignore-vuln GHSA-r7w7-9xr2-qq2r --ignore-vuln CVE-2026-47214
diff --git a/justfile b/justfile
@@ -32,9 +32,11 @@ test-stability:
 # --skip-editable: cuga and appworld are editable path installs not on PyPI.
 # --ignore-vuln GHSA-r7w7-9xr2-qq2r: langchain-openai is pinned to 1.1.10 by
 #   cuga-agent's transitive constraints. Track the upstream bump separately.
+# --ignore-vuln CVE-2026-47214: docling is pinned to <2.92 until langchain-docling
+#   supports the newer "slim" docling layout. See issue #45.
 security:
     uv run bandit -c pyproject.toml -r benchmarks scripts -ll
-    uv run pip-audit --skip-editable --ignore-vuln GHSA-r7w7-9xr2-qq2r
+    uv run pip-audit --skip-editable --ignore-vuln GHSA-r7w7-9xr2-qq2r --ignore-vuln CVE-2026-47214
 
 # Composite gate matching what CI runs.
 ci: lint test-regression security