ci: ignore disputed pyjwt CVE PYSEC-2025-183 in quality gate#52

Merged
szjanikowski merged 1 commit into main from fix/cve-audit-pyjwt-disputed on May 21, 2026
Conversation

@szjanikowski
Contributor

Summary

  • CVE audit on `main` started failing because pip-audit found PYSEC-2025-183 / CVE-2025-45768 against pyjwt 2.12.1.
  • The advisory is disputed by the upstream maintainer (key length is the calling application's responsibility), there is no fix release (2.12.1 is the latest pyjwt), and pyjwt only enters our tree transitively via `harbor → supabase-auth / mcp` — we can't upgrade past it.
  • Add a surgical `--ignore-vuln PYSEC-2025-183` so `pip-audit --strict` still hard-fails on every other CVE, with a comment explaining why and a pointer to revisit if upstream ever ships a fix.

Test plan

  • Quality Gate / CVE audit (pip-audit) passes on this PR
  • Verified locally with the same export pipeline: `No known vulnerabilities found, 1 ignored`

CVE-2025-45768 / PYSEC-2025-183 is a disputed advisory against pyjwt with
no fix release (2.12.1 is latest). The upstream maintainer rejects the
classification — the alleged weak-key behavior is the calling application's
responsibility, not the library's. pyjwt only enters our tree transitively
via harbor → supabase-auth / mcp, so we cannot upgrade past it.

Ignore the specific advisory ID so pip-audit still hard-fails on every
other CVE under --strict.
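An added example, not the project's CI code: a small allowlist gate that post-processes `pip-audit -f json` output instead of passing a bare `--ignore-vuln`. It keeps the reason and a revisit date next to the ignored advisory id, and it fails the build again as soon as the advisory gains a fix release, which turns the "revisit if upstream ever ships a fix" pointer into a check that runs on every CI pass. The JSON shape is the one pip-audit emits with `-f json` (top-level `dependencies`, each with `vulns` carrying `id`, `aliases`, `fix_versions`); the sample report, the revisit date and the file name `audit_gate.py` are assumptions made for the example.

```python
"""audit_gate.py: allowlist gate over pip-audit JSON reports (added example)."""
from __future__ import annotations

import datetime as dt
import json
import sys
from dataclasses import dataclass

# Allowlist: advisory id -> (reason, revisit-by date).
# The reason mirrors the PR's justification; the revisit date is an assumed value.
ALLOWLIST: dict[str, tuple[str, dt.date]] = {
    "PYSEC-2025-183": (
        "disputed by upstream (key length is the caller's responsibility); "
        "no fix release, 2.12.1 is latest; transitive via harbor -> supabase-auth / mcp",
        dt.date(2026, 11, 21),
    ),
}

# Constructed sample of `pip-audit -f json` output for the finding named in the PR.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "pyjwt", "version": "2.12.1", "vulns": [
            {"id": "PYSEC-2025-183", "fix_versions": [],
             "aliases": ["CVE-2025-45768"], "description": "disputed weak-key advisory"},
        ]},
        {"name": "requests", "version": "2.32.3", "vulns": []},
    ],
    "fixes": [],
})


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str
    aliases: tuple[str, ...]
    fix_versions: tuple[str, ...]


def parse_report(report_json: str) -> list[Finding]:
    """Flatten pip-audit's per-dependency vuln lists into Finding records."""
    data = json.loads(report_json)
    out: list[Finding] = []
    for dep in data.get("dependencies", []):
        for v in dep.get("vulns", []):
            out.append(Finding(dep["name"], dep["version"], v["id"],
                               tuple(v.get("aliases", [])), tuple(v.get("fix_versions", []))))
    return out


def evaluate(findings: list[Finding], allowlist: dict[str, tuple[str, dt.date]],
             today: dt.date) -> tuple[list[str], list[str]]:
    """Split findings into (blocking, ignored) messages.

    An entry matches on the primary id or any alias (PYSEC and CVE ids both work).
    An allowlisted advisory still blocks if it now has a fix release or the entry expired.
    """
    blocking: list[str] = []
    ignored: list[str] = []
    for f in findings:
        tag = f"{f.package} {f.version}: {f.vuln_id}"
        hit = next((i for i in (f.vuln_id, *f.aliases) if i in allowlist), None)
        if hit is None:
            blocking.append(f"{tag} is not allowlisted")
            continue
        reason, revisit = allowlist[hit]
        if f.fix_versions:
            # The ignore was justified by "no fix release"; that no longer holds.
            blocking.append(f"{tag} now has fix versions {list(f.fix_versions)}; "
                            "drop the ignore and upgrade")
        elif today > revisit:
            blocking.append(f"{tag} allowlist entry expired on {revisit.isoformat()}; "
                            "re-justify or remove")
        else:
            ignored.append(f"{tag} ignored until {revisit.isoformat()}: {reason}")
    return blocking, ignored


def run_gate(report_json: str, today: str | None = None) -> int:
    """Exit code for CI: 0 when only allowlisted, unexpired, still-unfixed advisories remain."""
    day = dt.date.fromisoformat(today) if today else dt.date.today()
    blocking, ignored = evaluate(parse_report(report_json), ALLOWLIST, day)
    for line in ignored:
        print("IGNORED  " + line)
    for line in blocking:
        print("BLOCKING " + line)
    return 1 if blocking else 0


if __name__ == "__main__":
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(run_gate(report))
```

Usage: `pip-audit --strict -f json -o report.json -r requirements.txt` (pip-audit exits non-zero whenever it reports anything, so do not let that step abort the job), then `python audit_gate.py report.json`; the second command's exit status is the gate. A single `--ignore-vuln` on the command line, as the PR does, is the simpler choice when there is one id and the justification lives in a comment beside it; the allowlist file earns its keep once the ignores accumulate or need an expiry.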
@szjanikowski szjanikowski merged commit a484c77 into main May 21, 2026
9 checks passed
@szjanikowski szjanikowski deleted the fix/cve-audit-pyjwt-disputed branch May 21, 2026 10:03
@szjanikowski szjanikowski mentioned this pull request May 21, 2026
7 tasks
szjanikowski added a commit that referenced this pull request May 21, 2026
Promote the [Unreleased] section to [0.4.0] (2026-05-21), add fresh
[Unreleased] anchor, update compare links, and cite #51 / #52 inline
plus in the link-ref table.

Highlights:
- [nasde.plugin] in task.toml — ship a local Claude Code plugin into
  the sandbox with one declaration (ADR-009). (#51)
- Skill-by-reference: [[skill]] array in variant.toml. (#51)
- Fix: variants/<v>/skills/<name>/ now carries references/ and sibling
  files, not just SKILL.md. (#51)
- Security pins: idna>=3.15, urllib3>=2.7.0. (#51)
- CI: pip-audit ignores disputed pyjwt PYSEC-2025-183. (#52)

Co-authored-by: Szymon Janikowski <szymon.janikowski@itlibrium.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>