[security] Ignore GHSA-4xh5-x5gv-qwph from pip

The vulnerability `GHSA-4xh5-x5gv-qwph` is now affecting pip 25.2 as well but
there is still no fix for it. Hence, it needs to be tolerated for now.

Author: jannowotsch

SECURITY.md

@@ -57,6 +57,8 @@ The following table lists all known vulnerabilities that could not be fixed:
 | ---------- | ------------------- | ------------------ | ------------- | -------------- | ------------------------------------ |
 | urllib3    | GHSA-48p4-8xcf-vxj5 | 2.2.3              | 2.5.0         | 3.8            | Fixed package requires Python >= 3.9 |
 | urllib3    | GHSA-pq67-6m6q-mj2v | 2.2.3              | 2.5.0         | 3.8            | Fixed package requires Python >= 3.9 |
+| pip        | GHSA-4xh5-x5gv-qwph | 25.0.1             | 25.2          | 3.8            | Fixed package requires Python >= 3.9 |
+| pip        | GHSA-4xh5-x5gv-qwph | 25.2               | -             | All            | Waiting for an open source fix       |
 
 ### Vulnerable Python Versions
 

third_party/pip/BUILD

@@ -50,6 +50,12 @@ EXTRA_ARGS = [
 [
     pip_audit_rule(
         name = "pip_audit_requirements_{}".format(version.replace(".", "_")),
+        # The list of ignored vulnerabilities should ideally be empty, but sometimes a certain vulnerability
+        # does not have a fix yet. In that case, we ignore it with `--ignore-vul` to avoid CI failures.
+        # Keep this in sync with SECURITY.md.
+        ignore_vulnerability = [
+            "GHSA-4xh5-x5gv-qwph",  # Added because there is no fix yet for pip 25.2.
+        ],
         requirement = "requirements_lock_{}.txt".format(version.replace(".", "_")),
     )
     for version in PYTHON_VERSIONS