From b57b749202f0ef899d09a08dd81785fd170caf4f Mon Sep 17 00:00:00 2001 From: Andriy Lysyuk Date: Wed, 25 Mar 2026 15:10:01 +0100 Subject: [PATCH 1/2] fix(security): risk-accept pygments ReDoS GHSA-5239-wwwm-4pmq (ENG-13216) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - pygments 2.19.2 → risk-accepted (GHSA-5239-wwwm-4pmq, CVSS 3.3 LOW) No fix available — 2.19.2 is latest and marked last_affected. ignoreUntil: 2026-06-23 Co-Authored-By: Claude Sonnet 4.6 --- osv-scanner.toml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 osv-scanner.toml diff --git a/osv-scanner.toml b/osv-scanner.toml new file mode 100644 index 00000000..8c4f7f84 --- /dev/null +++ b/osv-scanner.toml @@ -0,0 +1,4 @@ +[[IgnoredVulns]] +id = "GHSA-5239-wwwm-4pmq" +ignoreUntil = 2026-06-23 +reason = "LOW severity (CVSS 3.3). pygments 2.19.2 is the latest release and is marked last_affected — no fix version published yet. ReDoS via GUID regex only exploitable with attacker-controlled syntax highlighting inputs." From 469291f1cf4ab2ba5153fdb1fb0e63b97d257447 Mon Sep 17 00:00:00 2001 From: Andriy Lysyuk Date: Wed, 25 Mar 2026 15:29:27 +0100 Subject: [PATCH 2/2] fix(security): correct pygments advisory reason text (AdlLexer, not GUID regex) --- osv-scanner.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/osv-scanner.toml b/osv-scanner.toml index 8c4f7f84..74c2fed9 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml @@ -1,4 +1,4 @@ [[IgnoredVulns]] id = "GHSA-5239-wwwm-4pmq" ignoreUntil = 2026-06-23 -reason = "LOW severity (CVSS 3.3). pygments 2.19.2 is the latest release and is marked last_affected — no fix version published yet. ReDoS via GUID regex only exploitable with attacker-controlled syntax highlighting inputs." +reason = "LOW severity (CVSS 3.3). pygments 2.19.2 is the latest release and is marked last_affected — no fix version published yet. ReDoS in AdlLexer (pygments/lexers/archetype.py) is only exploitable with attacker-controlled syntax highlighting inputs."