# Snyk (https://snyk.io) policy file

# Schema version of this policy file, as read by Snyk tooling. It is not the
# MockServer release version.
version: v1.25.0

# ==============================================================================
# JAVA 17 PLATFORM
# ==============================================================================
#
# MockServer targets Java 17 as the minimum supported runtime (see AGENTS.md and
# docs/operations/security.md). The 6.x Jakarta EE 10 / Spring 7 modernisation
# moved the dependency stack onto current, actively-patched major lines:
#
#   - Spring Framework 5.3.x -> 7.x
#   - Spring Boot 2.7.x -> 4.x
#   - Jetty 9.4.x -> 12.x
#   - Tomcat embed 9 -> 11, Jersey 3.1 -> 4
#
# The Java-11-era ignores (which suppressed ~20 Spring/Jetty/Boot/OkHttp/Reactor
# CVEs whose only fix required Java 17+) have been REMOVED: the vulnerable
# versions they referenced are no longer in the dependency tree, so the ignores
# were inert and their stated rationale ("MockServer targets Java 11") was no
# longer true. Vulnerabilities are now resolved through normal upgrades; add a
# new, dated ignore here only when a deliberate constraint genuinely blocks a fix
# and document the reason and review date.
# ==============================================================================

# Vulnerability suppressions. Intentionally empty: this file ignores no
# finding, so nothing Snyk reports is hidden by policy. Any entry added later
# should carry a `reason` and an `expires` date so the suppression is
# re-reviewed instead of outliving the constraint that justified it.
ignore: {}

# Patch rules. Empty: no Snyk patches are configured in this policy.
patch: {}

# Exclusion rules for paths that should not be scanned. Nothing is reported for
# an excluded path, so keep this list limited to code that is never built into
# a shipped artifact.
exclude:
  # Exclude example projects - these are for demonstration only and not shipped in production
  # NOTE(review): Snyk's documented policy layout groups exclude patterns under
  # a `global` key rather than under a directory name. Confirm that the key
  # below is honoured, and for which scan types, so the exclusion neither fails
  # silently nor hides more than intended.
  mockserver-examples:
    - '**'
