
Commit 454201b

📦🔒️ Ignore known pip vulnerability in security audits
Add --ignore-vuln flag for GHSA-4xh5-x5gv-qwph across all pip-audit commands in CI workflows and justfile. This vulnerability affects pip itself (not a pinned requirement) and is already fixed in recent Python versions.
1 parent 50a8df9 commit 454201b

3 files changed

Lines changed: 24 additions & 3 deletions

project_name/.github/workflows/ci.yml.jinja

Lines changed: 9 additions & 1 deletion
@@ -90,7 +90,15 @@ jobs:
9090
- name: Run deptry
9191
run: uv run --no-sync --with deptry deptry src/
9292
- name: Run pip-audit
93-
run: uv run --no-sync --with pip-audit pip-audit --skip-editable
93+
run: >-
94+
uv run --no-sync --with pip-audit pip-audit --skip-editable
95+
--ignore-vuln GHSA-4xh5-x5gv-qwph
96+
# pip-audit ignored vuln:
97+
# GHSA-4xh5-x5gv-qwph:
98+
# vuln is in pip, which is not a pinned requirwement
99+
# vuln is fixed in recent python versions
100+
# see https://github.com/pypa/pip/issues/13607
101+
94102

95103
test:
96104
strategy:
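Review bot: the five `#` lines added under `run: >-` are not YAML comments; inside a block scalar every line is content, so after folding they become part of the shell command string (`... --ignore-vuln GHSA-4xh5-x5gv-qwph # pip-audit ignored vuln: # GHSA-4xh5-x5gv-qwph: ...`) and only stay harmless because the shell discards everything after the first `#`. Move the justification above the `run:` key, where it is a real YAML comment, and fix the typo `requirwement` while doing so; the added empty line `101+` also leaves two consecutive blank lines before the `test:` job.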

project_name/.github/workflows/weekly-ci.yml.jinja

Lines changed: 8 additions & 1 deletion
@@ -101,7 +101,14 @@ jobs:
101101
- name: List packages
102102
run: uv pip list
103103
- name: Run pip-audit
104-
run: uv run --no-sync --with pip-audit pip-audit --skip-editable
104+
run: >-
105+
uv run --no-sync --with pip-audit pip-audit --skip-editable
106+
--ignore-vuln GHSA-4xh5-x5gv-qwph
107+
# pip-audit ignored vuln:
108+
# GHSA-4xh5-x5gv-qwph:
109+
# vuln is in pip, which is not a pinned requirwement
110+
# vuln is fixed in recent python versions
111+
# see https://github.com/pypa/pip/issues/13607
105112
- name: Create failure issue
106113
if: failure()
107114
uses: actions/github-script@v8
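Review bot: same block-scalar issue as in ci.yml.jinja: the `#` lines are folded into the `run` string rather than being YAML comments, and the same text (including the `requirwement` typo) is now duplicated verbatim across three files, so the justification and the ignore list will drift when the next vulnerability is added or this one is dropped. Consider keeping the comment above `run:` and pointing both workflows at the `just lint` recipe (or a single shared step) so the `--ignore-vuln` list lives in one place.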

project_name/justfile.jinja

Lines changed: 7 additions & 1 deletion
@@ -81,7 +81,13 @@ lint:
8181
uv run ruff check
8282
uv run dmypy run
8383
uv run --all-extras --all-groups --with deptry deptry src/
84-
uv run --all-extras --all-groups --with pip-audit pip-audit --skip-editable
84+
uv run --all-extras --all-groups --with pip-audit pip-audit --skip-editable \
85+
--ignore-vuln GHSA-4xh5-x5gv-qwph
86+
# pip-audit ignored vuln:
87+
# GHSA-4xh5-x5gv-qwph:
88+
# vuln is in pip, which is not a pinned requirwement
89+
# vuln is fixed in recent python versions
90+
# see https://github.com/pypa/pip/issues/13607
8591
uv run pre-commit run --all-files
8692

8793
# Run Pylint (slow, not used in other tasks)
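Review bot: lines beginning with `#` inside a `just` recipe body are recipe lines, not comments, unless `set ignore-comments` is enabled; as written, `just lint` will echo each of the five comment lines to the terminal and hand them to the shell on every run. Either move the explanation above the recipe line (outside the body, next to the existing `# Run Pylint` style comment) or add `set ignore-comments` to the justfile, and correct `requirwement` to `requirement`.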
