# temporary allowlist (put GHSA/CVE here; add expiry + issue links)
