From cb1cd97f57c7ca639464b77f0fd4c1c7cea2ac49 Mon Sep 17 00:00:00 2001 From: Szymon Janikowski Date: Thu, 21 May 2026 12:01:25 +0200 Subject: [PATCH] ci(quality-gate): ignore disputed pyjwt CVE PYSEC-2025-183 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVE-2025-45768 / PYSEC-2025-183 is a disputed advisory against pyjwt with no fix release (2.12.1 is latest). The upstream maintainer rejects the classification — the alleged weak-key behavior is the calling application's responsibility, not the library's. pyjwt only enters our tree transitively via harbor → supabase-auth / mcp, so we cannot upgrade past it. Ignore the specific advisory ID so pip-audit still hard-fails on every other CVE under --strict. --- .github/workflows/quality-gate.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml index 14dfab7..0f5b028 100644 --- a/.github/workflows/quality-gate.yml +++ b/.github/workflows/quality-gate.yml @@ -100,4 +100,8 @@ jobs: > requirements.txt - name: Run pip-audit - run: uvx --with pip pip-audit -r requirements.txt --strict + # PYSEC-2025-183 (CVE-2025-45768): disputed advisory against pyjwt — upstream + # rejects the classification (key length is the application's responsibility), + # there is no fix release (2.12.1 is latest), and pyjwt is only a transitive + # dep via harbor → supabase-auth / mcp. Revisit if upstream ever ships a fix. + run: uvx --with pip pip-audit -r requirements.txt --strict --ignore-vuln PYSEC-2025-183
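Review bot: The `--ignore-vuln PYSEC-2025-183` flag on the new `run:` line suppresses the finding by a single identifier with nothing that retires the exception, even though the YAML comment itself says to revisit if upstream ships a fix; consider recording in that comment the pyjwt version the exception was evaluated against (2.12.1 per the commit message) and opening a tracking issue, so the ignore is re-examined when the transitive pins move rather than persisting silently. Also worth confirming with a local run that pip-audit treats the CVE-2025-45768 alias as the same finding, so the job does not still hard-fail on the aliased ID under `--strict`. Finally, since the justification is that key length is the application's responsibility, the exception should be paired with a check that the application's own JWT signing path enforces an adequate key length, as that is the actual mitigation this ignore relies on.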