Skip to content

fix(ci): remove stale vulnerability ignores — all CVEs now fixed upstream#148

Merged
JacobPEvans merged 1 commit intomainfrom
fix/remove-stale-ignores
Mar 29, 2026
Merged

fix(ci): remove stale vulnerability ignores — all CVEs now fixed upstream#148
JacobPEvans merged 1 commit intomainfrom
fix/remove-stale-ignores

Conversation

@JacobPEvans
Copy link
Copy Markdown
Owner

@JacobPEvans JacobPEvans commented Mar 29, 2026

Summary

Files Changed

  • .github/workflows/_python-security.yml — remove pygments CVE ignore flag and associated comments; uvx pip-audit command is now clean
  • osv-scanner.toml — remove all 5 stale [[IgnoredVulns]] entries; keep file with header comment only (required for _osv-scan.yml fallback mechanism)

Test plan

  • Verify CI passes on this PR (pip-audit and OSV scanner run clean against current dependency versions)
  • Confirm no new CVE alerts fire (all addressed packages are at patched versions)

🤖 Generated with Claude Code

@JacobPEvans
fix(ci): remove stale vulnerability ignores — all CVEs now fixed upst…
1d63378 
…ream

- pygments 2.20.0 (released 2026-03-29) fixes CVE-2026-4539 (GHSA-5239-wwwm-4pmq);
  remove --ignore-vuln flag from _python-security.yml pip-audit command
- nltk 3.9.4 fixes GHSA-jm6w-m3j8-898g, GHSA-rf74-v2fm-23pw, GHSA-gfwx-w7gr-fvh7;
  already upgraded, advisory DB entries now stale
- requests 2.33.0 fixes GHSA-gc5v-m9x4-r6x2; already upgraded
- osv-scanner.toml now contains only the header comment block (no active ignores)

(claude)
Copilot AI review requested due to automatic review settings March 29, 2026 17:06
@gemini-code-assist
Copy link
Copy Markdown

gemini-code-assist bot commented Mar 29, 2026

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request cleans up security configuration files by removing outdated vulnerability ignore rules. With recent upstream dependency updates, these previously ignored CVEs are now resolved, allowing for a cleaner and more secure CI environment.

Highlights

  • Dependency Security Cleanup: Removed stale vulnerability ignore entries from osv-scanner.toml and the pip-audit configuration, as all underlying packages have been updated to patched versions.
  • Configuration Simplification: Cleaned up the osv-scanner.toml file to remove all ignored CVE entries, leaving only the required header documentation.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/_python-security.yml
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

The vulnerabilities are gone at last, / The stale ignores are in the past. / With versions new and patches applied, / Our code is safe and fortified.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@JacobPEvans JacobPEvans merged commit c348243 into main Mar 29, 2026
4 checks passed
Copilot AI reviewed Mar 29, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR removes now-unnecessary vulnerability ignore configuration from the org-wide security scanning setup after upstream fixes landed, keeping CI enforcement strict and up-to-date.

Changes:

  • Removed the --ignore-vuln exception (and related comment block) from the reusable pip-audit workflow.
  • Cleared all stale [[IgnoredVulns]] entries from the central osv-scanner.toml, leaving only the header comments.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.github/workflows/_python-security.yml Stops suppressing a previously-unpatched GHSA in pip-audit, so the audit runs cleanly without exceptions.
osv-scanner.toml Removes stale OSV ignore entries while retaining the central config file for inherited scanning behavior.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JacobPEvans