From d5514549bd38ae05724cfffb299c265229f4951f Mon Sep 17 00:00:00 2001
From: "TEAM 4.0[bot]"
Date: Wed, 25 Mar 2026 07:35:10 +0000
Subject: [PATCH 1/3] Update `pre-commit` hooks
---
 .pre-commit-config.yaml | 4 ++--
 {{ cookiecutter.project_slug }}/.pre-commit-config.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index b1df9c9..857411c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -43,7 +43,7 @@ repos:
 # More information can be found in its source repository:
 # https://github.com/DavidAnson/markdownlint-cli2
 - repo: https://github.com/DavidAnson/markdownlint-cli2
- rev: v0.21.0
+ rev: v0.22.0
 hooks:
 - id: markdownlint-cli2
 name: markdownlint
@@ -81,7 +81,7 @@ repos:
 # More information can be found in its documentation:
 # https://docs.astral.sh/ruff/
 - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.15.6
+ rev: v0.15.7
 hooks:
 - id: ruff-check
 name: ruff
diff --git a/{{ cookiecutter.project_slug }}/.pre-commit-config.yaml b/{{ cookiecutter.project_slug }}/.pre-commit-config.yaml
index b71373c..c899794 100644
--- a/{{ cookiecutter.project_slug }}/.pre-commit-config.yaml
+++ b/{{ cookiecutter.project_slug }}/.pre-commit-config.yaml
@@ -48,7 +48,7 @@ repos:
 # More information can be found in its source repository:
 # https://github.com/DavidAnson/markdownlint-cli2
 - repo: https://github.com/DavidAnson/markdownlint-cli2
- rev: v0.21.0
+ rev: v0.22.0
 hooks:
 - id: markdownlint-cli2
 name: markdownlint
@@ -84,7 +84,7 @@ repos:
 # More information can be found in its documentation:
 # https://docs.astral.sh/ruff/
 - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.15.6
+ rev: v0.15.7
 hooks:
 - id: ruff-check
 name: ruff
From 5f884aa91a9dc82179da07f9a0712c51c2d2f16b Mon Sep 17 00:00:00 2001
From: Casper Welzel Andersen
Date: Wed, 25 Mar 2026 09:06:29 +0100
Subject: [PATCH 2/3] Ignore irrelevant pygments security warning
---
 .github/workflows/ci_tests.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/ci_tests.yml b/.github/workflows/ci_tests.yml
index d4bc7ac..1996caa 100644
--- a/.github/workflows/ci_tests.yml
+++ b/.github/workflows/ci_tests.yml
@@ -67,8 +67,13 @@ jobs:
 # DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default.
 # An attacker with write access to the cache directory can achieve arbitrary code execution
 # when a victim application reads from the cache.
+ # CVE-2026-4539: pygments 2.19.2
+ # A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the
+ # function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in
+ # inefficient regular expression complexity. The attack is only possible with local access.
 ignore-vulns: |
 CVE-2025-69872
+ CVE-2026-4539
 
 - name: Build docs
 run: mkdocs build --strict
From 3f41bdc363aea3f49de51a32038911f14ec30dd4 Mon Sep 17 00:00:00 2001
From: Casper Welzel Andersen
Date: Wed, 25 Mar 2026 09:08:00 +0100
Subject: [PATCH 3/3] Also ignore for the separate pip-audit job
---
 .github/workflows/ci_tests.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/ci_tests.yml b/.github/workflows/ci_tests.yml
index 1996caa..155bcde 100644
--- a/.github/workflows/ci_tests.yml
+++ b/.github/workflows/ci_tests.yml
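Review bot: In PATCH 2/3 the new `CVE-2026-4539` entry under `ignore-vulns` is an open-ended suppression: it carries no removal condition, and the added comment repeats the advisory text without recording why the finding does not apply to this repository. An ignore keyed on the CVE id keeps silencing the finding after a fixed pygments release exists, so the audit step would stop reporting this issue indefinitely. I would add a line such as `# Not applicable here: <project-specific reason>; remove once a fixed pygments release is pinned` above the entry, and the same applies to the identical block added in PATCH 3/3. The pip-audit step begins above the hunk, so the rest of its configuration is not visible here.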
@@ -107,3 +107,9 @@ jobs:
 uses: pypa/gh-action-pip-audit@v1.1.0
 with:
 inputs: ${{ github.workspace }}/requirements.txt ${{ github.workspace }}/.github/utils/requirements.txt
+ # CVE-2026-4539: pygments 2.19.2
+ # A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the
+ # function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in
+ # inefficient regular expression complexity. The attack is only possible with local access.
+ ignore-vulns: |
+ CVE-2026-4539
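Review bot: The `ignore-vulns` block added to the separate pip-audit job is a second, hand-maintained copy of the suppression list, and it already differs from the one edited in PATCH 2/3, which also lists `CVE-2025-69872`. That difference may be intentional if the affected package is not in these requirements files, but nothing in the hunk says so, and two copies make it easy to lift an ignore in one job and forget the other. A short comment such as `# Keep in sync with the ignore-vulns list in the pip-audit step before "Build docs"` would make the relationship explicit. The job definition starts above the hunk.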