fix(security): handle unfixable pygments CVE-2026-4539 in CI scans#359
JacobPEvans wants to merge 2 commits into main from
Add .osv-scanner.toml to acknowledge GHSA-5239-wwwm-4pmq (pygments ReDoS in AdlLexer) which has no upstream fix. Pass ignore-vulns to pip-audit reusable workflow for the same CVE. Depends on: JacobPEvans/.github#139 (claude)
Code Review
This pull request introduces an .osv-scanner.toml configuration file to ignore a specific ReDoS vulnerability in the pygments library (GHSA-5239-wwwm-4pmq) for which no upstream fix is currently available. I have no feedback to provide.
Reference _python-security.yml from fix/pip-audit-ignore-vulns branch which accepts the ignore-vulns input. Revert to @main after JacobPEvans/.github#139 merges. (claude)
Pull request overview
This PR adjusts repository security scanning configuration to accommodate an upstream-unfixed Pygments vulnerability so CI/dependency update PRs can proceed.
Changes:
- Add an OSV Scanner ignore entry for GHSA-5239-wwwm-4pmq / CVE-2026-4539 via .osv-scanner.toml.
- Pass `ignore-vulns: 'CVE-2026-4539'` into the reusable pip-audit/Python security workflow in CI.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .osv-scanner.toml | Introduces an OSV Scanner ignore for the unfixed Pygments GHSA/CVE with a documented reason. |
| .github/workflows/ci-gate.yml | Adds an ignore-vulns input so Python security scanning can ignore CVE-2026-4539 in CI. |
| # Only list CVEs with NO fix version available. Remove entries once upstream releases a fix. | ||
| # See: https://google.github.io/osv-scanner/configuration/ | ||
|
|
||
| [[IgnoredVulns]] | ||
| id = "GHSA-5239-wwwm-4pmq" |
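Review bot: the visible [[IgnoredVulns]] entry carries only an `id`, so the header comment's instruction to "Remove entries once upstream releases a fix" depends on someone remembering to revisit this file; osv-scanner's config format accepts `ignoreUntil = YYYY-MM-DD` and `reason = "..."` on the same entry, so consider adding both (a review date plus the ReDoS/no-upstream-fix rationale) so the suppression lapses on its own and the scanner reports the advisory again instead of the ignore persisting silently after a fixed pygments ships. The same entry is keyed by GHSA while the pip-audit side uses the CVE, so whichever identifier you settle on, keep the two tools' ignore lists in step.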
The header comment says to only list CVEs, but this entry is identified by a GHSA ID ("GHSA-5239-wwwm-4pmq"). Update the comment to reflect that the id field may be a GHSA/OSV identifier (or, if OSV Scanner supports it here, switch the id to the CVE so the guidance matches the config).
Superseded — combining CI fixes with dependabot PR #346 instead to avoid bootstrapping problem.
Summary
- Add `.osv-scanner.toml` to acknowledge GHSA-5239-wwwm-4pmq (pygments <=2.19.2 ReDoS in AdlLexer, CVE-2026-4539) — no fix released upstream.
- Pass `ignore-vulns: 'CVE-2026-4539'` to the pip-audit reusable workflow for the same CVE.

Dependencies
- JacobPEvans/.github#139, for the `ignore-vulns` input to take effect in pip-audit.

Test plan
- `.osv-scanner.toml` in place.
- .github PR #139 (fix: set cleanupPeriodDays to 30 (upstream default)) is merged.

Generated with Claude Code