fix(deps): patch gitpython, langchain-core; ignore unpatched paramiko CVE

Greyson LaLonde
2026-05-11 22:31:56 +08:00
committed by GitHub
parent e4a91cdc0c
commit b0d4dd256d
4 changed files with 32 additions and 16 deletions


@@ -46,9 +46,11 @@ jobs:
- name: Run pip-audit
run: |
uv run pip-audit --desc --aliases --skip-editable --format json --output pip-audit-report.json \
--ignore-vuln CVE-2026-3219
--ignore-vuln CVE-2026-3219 \
--ignore-vuln GHSA-r374-rxx8-8654
# Ignored CVEs:
# CVE-2026-3219 - pip 26.0.1 (GHSA-58qw-9mgm-455v): no fix available, archive handling issue
# CVE-2026-3219 - pip 26.0.1 (GHSA-58qw-9mgm-455v): no fix available, archive handling issue
# GHSA-r374-rxx8-8654 - paramiko 4.0.0 (SHA-1 in rsakey.py): no fix available; transitive via composio-core
continue-on-error: true
- name: Display results
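Review bot: The new `--ignore-vuln GHSA-r374-rxx8-8654` entry carries no review date or tracking reference, so the paramiko finding stays suppressed after a fixed release ships or a composio-core update drops the dependency. Extend its comment line with a re-check trigger and a link, for example `# GHSA-r374-rxx8-8654 - paramiko 4.0.0 (SHA-1 in rsakey.py): no fix available; transitive via composio-core; re-evaluate on next paramiko/composio-core release (tracking: <ISSUE-URL-PLACEHOLDER>)`. The comment also does not record whether the affected SHA-1 path in `rsakey.py` is reachable from this project; one sentence on that would let a later reader judge the residual risk. The step keeps `continue-on-error: true`, so unless a later step gates on `pip-audit-report.json` (the rest of the job is outside the hunk), it is worth confirming that unignored findings still fail the workflow.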