mirror of
https://github.com/crewAIInc/crewAI.git
synced 2026-07-01 13:18:10 +00:00
New vulnerability scan process:

1. Run pip-audit without ignores on every PR
2. Classify vulns as direct or transitive (checks against all monorepo pyproject.toml files)
3. Direct vulns: auto-fix with pip-audit --fix and commit the bump to the PR branch
4. Transitive vulns: add to ignore list and create a GitHub issue for tracking
5. Re-run pip-audit with transitive ignores — PR passes only if direct vulns are resolved
6. Scheduled runs also validate that previously ignored vulns are still unfixable

Removes continue-on-error: true so the action actually blocks.