Skip to content

Commit a8c4683

Browse files
kutcodeclaude
andcommitted
Upgrade pip in CI to fix CVE-2026-6357 and CVE-2026-3219
Both pip CVEs are addressed in 26.1, so pinning >=26.1 is a real fix rather than an ignore. Drops the CVE-2026-3219 ignore; keeps the transformers ignore since there is still no non-RC release. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 87d867c commit a8c4683

1 file changed

Lines changed: 4 additions & 2 deletions

File tree

.github/workflows/ci.yml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -37,10 +37,12 @@ jobs:
3737
run: pytest
3838
- name: Security scan with pip-audit
3939
run: |
40+
# Pin pip to a version that fixes its own published CVEs
41+
# (CVE-2026-3219, CVE-2026-6357 are both addressed in 26.1+).
42+
pip install --upgrade 'pip>=26.1'
4043
pip install pip-audit==2.10.0
4144
# CVE-2026-1839: transformers, no non-RC fix available upstream.
42-
# CVE-2026-3219: pip itself, no fix version published yet.
43-
pip-audit --ignore-vuln CVE-2026-1839 --ignore-vuln CVE-2026-3219
45+
pip-audit --ignore-vuln CVE-2026-1839
4446
4547
frontend:
4648
runs-on: ubuntu-latest

0 commit comments

Comments
 (0)