ci: audit runtime deps only, bump idna to 3.15 #26
Merged
Conversation
CI's `Audit dependencies` step was running `uv run pip-audit` against the full venv. It found vulnerabilities in pip itself (CVE-2026-3219, CVE-2026-6357) and in pip-audit's own transitive deps (urllib3 PYSEC-2026-141 and -142). Neither of those reaches the wheels users install. With `continue-on-error: true` it didn't block the workflow, but the red output was misleading.

Mirror the runtime-only audit pattern publish.yml has used since #24: export the runtime closure with `uv export --no-dev --no-emit-project` and run pip-audit against that file. This drops the CI-tooling noise.

The runtime closure still had one real vulnerability: `idna 3.11` (CVE-2026-45409, fix in 3.15), pulled transitively through `httpx`/`anyio`. Bump it in uv.lock to 3.15. Locally `pip-audit -r runtime-requirements.txt` now reports "No known vulnerabilities found".

With the noise gone, drop `continue-on-error: true` so audit becomes a hard gate consistent with publish.yml.
Summary

The `Audit dependencies` step in `ci.yml` was running `uv run pip-audit` against the full venv, which flagged:

- `idna 3.11` (CVE-2026-45409, fix 3.15) — real, in our runtime closure (pulled via `httpx`/`anyio`).
- `pip 26.0.1` (CVE-2026-3219, CVE-2026-6357, fix 26.1) — installer, not shipped to users.
- `urllib3 2.6.3` (PYSEC-2026-141, PYSEC-2026-142, fix 2.7.0) — pip-audit's own transitive dep via `requests`, not in our runtime closure.

`continue-on-error: true` was hiding the noise rather than fixing it.

This PR:

- Mirrors `publish.yml` (ci: audit runtime deps only in publish workflow #24): export the runtime closure with `uv export --no-dev --no-emit-project --no-hashes` and run `pip-audit -r` against that file. Drops the CI-tooling noise (pip, urllib3).
- Bumps `idna` in `uv.lock` from 3.11 to 3.15 to clear the only real runtime vulnerability.
- Drops `continue-on-error: true` from the audit step. With noise gone and the real CVE patched, this becomes a hard gate consistent with publish.

Test plan

- `uv export --no-dev --no-emit-project --no-hashes -o /tmp/runtime-requirements.txt && uv run pip-audit -r /tmp/runtime-requirements.txt` locally returns `No known vulnerabilities found`.
- `uv run pytest -q` passes 482 tests, coverage 95.76%.
- `Audit runtime dependencies` step across 3.11/3.12/3.13.
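The before/after shape of the workflow step the PR describes, as an added illustration rather than the project's actual `ci.yml`; it assumes a job in which `uv` is already installed and the project synced, and it uses `runtime-requirements.txt` as the export file name (the commit message's local name; the test plan uses a `/tmp` path):

```yaml
# Added example, not the project's own ci.yml.
#
# Before: pip-audit walks the whole venv, so it also reports findings in pip
# itself and in pip-audit's own transitive deps (urllib3 via requests), none
# of which ship in the project's wheels. continue-on-error hides the failure
# but leaves a red, misleading step in the run.
- name: Audit dependencies
  continue-on-error: true
  run: uv run pip-audit

# After: export only the runtime closure (no dev group, no project itself,
# no hashes) and audit that file. Findings here are in code users actually
# install, so the step is a hard gate: no continue-on-error.
- name: Audit runtime dependencies
  run: |
    uv export --no-dev --no-emit-project --no-hashes -o runtime-requirements.txt
    uv run pip-audit -r runtime-requirements.txt
```

The exported file is what makes the finding actionable: a vulnerability it reports (like `idna 3.11` here) is fixed by bumping the pin in `uv.lock`, not by upgrading CI tooling.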