From f9501e30ca38b129dd83a820900bef1f40f89241 Mon Sep 17 00:00:00 2001
From: Brian McMahon
Date: Wed, 20 May 2026 10:43:03 -0700
Subject: [PATCH] chore(ci): ignore disputed PYSEC-2025-183 in pip-audit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PyJWT 2.12.1 (current latest) is flagged by PYSEC-2025-183 for not enforcing a minimum HMAC key length. Upstream disputes the advisory ("the key length is chosen by the application that uses the library") and no patched version exists.

mnemon's only pyjwt use is `src/mnemon/oauth_as.py`, which signs/verifies with RS256 against a 2048-bit RSA keypair — algorithm hard-locked, no HS-allowance — so the advisory describes no condition that applies here.

Adds `--ignore-vuln PYSEC-2025-183` with the rationale inline next to the existing workflow comment that prescribes this exact pattern for no-fix advisories.

Daily scheduled run on main went green-then-red on 2026-05-20 as the advisory landed in the OSV database; this restores the workflow without weakening the audit (any new advisory on any dep still fails it).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/pip-audit.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml
index 3dbd440..d01088c 100644
--- a/.github/workflows/pip-audit.yml
+++ b/.github/workflows/pip-audit.yml
@@ -35,4 +35,16 @@ jobs: # in a runtime/dev dep fails the workflow. If a transitive dep # has no fix available, file an upstream issue + add # `--ignore-vuln ` here with a comment explaining why. - run: pip-audit --strict . + # + # Ignored advisories: + # + # PYSEC-2025-183 (pyjwt, 0.1.1–2.12.1, no fix release): flags + # that pyjwt does not enforce a minimum HMAC key length. + # Disputed by upstream ("the key length is chosen by the + # application that uses the library") — there is no patched + # version to upgrade to. mnemon's only pyjwt use is in + # `src/mnemon/oauth_as.py`, which signs/verifies with RS256 + # against a 2048-bit RSA keypair (algorithm hard-locked, no + # HS-allowance). The advisory describes no condition that + # applies to this usage. + run: pip-audit --strict --ignore-vuln PYSEC-2025-183 .
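Review bot: The new "Ignored advisories" comment does not follow the convention stated two lines above it, which asks for an upstream issue to be filed and referenced alongside the `--ignore-vuln` entry; the comment paraphrases upstream's dispute but links neither the advisory record nor the upstream thread, so a future maintainer cannot verify that the dispute still stands or notice when a fix release appears. Suggest adding the advisory URL and the upstream issue/discussion link to the comment, plus the date the ignore was added, so the exemption can be re-checked rather than silently outliving its rationale. Separately, the justification rests on `src/mnemon/oauth_as.py` keeping RS256 hard-locked with no HS-allowance; since the ignore stays in place even if that file later admits an HMAC algorithm, consider pairing this change with a unit test that asserts the decode call's permitted algorithm list is exactly RS256, so a change that reintroduces the advisory's condition fails CI instead of being masked by the ignore.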