
chore: remove CVE-2026-4539 pip-audit ignore when pygments patches #821

@Aureliolo

Description


Context

pygments 2.19.2 has CVE-2026-4539 (local ReDoS in AdlLexer via pygments/lexers/archetype.py). No fix version exists as of 2026-03-24 -- 2.19.2 is the latest release.

We added --ignore-vuln CVE-2026-4539 to both ci.yml and python-audit.yml to unblock CI.

Action

When pygments publishes a fix:

  1. Bump pygments version in pyproject.toml
  2. Remove --ignore-vuln CVE-2026-4539 from .github/workflows/ci.yml (line ~161)
  3. Remove --ignore-vuln CVE-2026-4539 from .github/workflows/python-audit.yml (line ~23)
  4. Close this issue

Review date

2026-04-14 (3 weeks from creation)
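The action list and review date above describe a manual cleanup that is easy to forget once CI is green again. The script below is an added example, not code from this project: it scans workflow text for pip-audit's `--ignore-vuln` suppressions, checks each one against a small register of why it exists, and classifies it as keep, review (review date passed), remove (the pinned package already includes the fix) or undocumented (no recorded reason). It assumes a PEP 621 `dependencies` list in pyproject.toml such as `"pygments>=2.19.2"`, matches flags with a regex rather than parsing YAML, and uses constructed stand-ins for the two workflow files; `GHSA-PLACEHOLDER` is a made-up id used only to show the undocumented case.

```python
"""Added example (not the project's own code): flag pip-audit suppressions that
have outlived their reason. Assumes PEP 621 style pyproject dependencies
("pygments>=2.19.2") and pip-audit's --ignore-vuln flag."""
import re
from datetime import date

# Matches `--ignore-vuln CVE-...` or `--ignore-vuln=CVE-...` inside a workflow step.
IGNORE_RE = re.compile(r"--ignore-vuln[=\s]+([A-Za-z0-9-]+)")

# Constructed register of why each suppression exists, mirroring this issue:
# no fixed pygments release existed as of 2026-03-24, review by 2026-04-14.
KNOWN_IGNORES = {
    "CVE-2026-4539": {"package": "pygments", "fixed_in": None,
                      "review_by": date(2026, 4, 14)},
}

# Constructed stand-ins for the two workflow files and pyproject.toml named
# in the issue; GHSA-PLACEHOLDER is a made-up id showing an undocumented ignore.
SAMPLE_WORKFLOWS = {
    ".github/workflows/ci.yml":
        "      - run: pip-audit --ignore-vuln CVE-2026-4539 --strict\n",
    ".github/workflows/python-audit.yml":
        "        run: pip-audit --ignore-vuln=CVE-2026-4539 "
        "--ignore-vuln GHSA-PLACEHOLDER\n",
}
SAMPLE_PYPROJECT = '[project]\ndependencies = [\n    "pygments>=2.19.2",\n]\n'


def find_ignored_vulns(workflow_text):
    """Every advisory id suppressed in a workflow file, in order of appearance."""
    return IGNORE_RE.findall(workflow_text)


def pinned_version(pyproject_text, package):
    """Version declared for `package` in a PEP 621 dependencies list, or None."""
    pat = rf'"{re.escape(package)}\s*[<>=~!]+\s*([0-9]+(?:\.[0-9]+)*)'
    m = re.search(pat, pyproject_text)
    return m.group(1) if m else None


def parse_version(text):
    """Dotted release string -> comparable tuple, e.g. "2.19.2" -> (2, 19, 2)."""
    return tuple(int(part) for part in text.split("."))


def review_ignores(workflows, pyproject_text, known=KNOWN_IGNORES, today=None):
    """Classify each suppression as keep, review, remove or undocumented.

    Returns (file, advisory id, status, reason) tuples."""
    today = today or date.today()
    findings = []
    for path, text in workflows.items():
        for vuln in find_ignored_vulns(text):
            entry = known.get(vuln)
            if entry is None:
                findings.append((path, vuln, "undocumented",
                                 "no recorded reason or review date"))
                continue
            pinned = pinned_version(pyproject_text, entry["package"])
            fixed = entry["fixed_in"]
            if fixed and pinned and parse_version(pinned) >= parse_version(fixed):
                findings.append((path, vuln, "remove",
                                 f"{entry['package']} {pinned} includes the fix ({fixed})"))
            elif today > entry["review_by"]:
                findings.append((path, vuln, "review",
                                 f"review date {entry['review_by']} has passed"))
            else:
                findings.append((path, vuln, "keep",
                                 f"review by {entry['review_by']}"))
    return findings


if __name__ == "__main__":
    # Show the state on the day the ignore was added and the day after the review date.
    for when in (date(2026, 3, 24), date(2026, 4, 15)):
        print(f"--- as of {when} ---")
        for path, vuln, status, reason in review_ignores(
                SAMPLE_WORKFLOWS, SAMPLE_PYPROJECT, today=when):
            print(f"{status:12} {vuln:16} {path}: {reason}")
```

Running it as a scheduled CI step (or a pre-commit hook) turns the "close this issue" step into something the pipeline nags about: once `fixed_in` is filled in and pyproject.toml is bumped, the same suppression flips to `remove`, and any `--ignore-vuln` that was never recorded shows up as `undocumented`.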

Metadata

Assignees: No one assigned
Labels: type:chore (Maintenance, cleanup, dependency updates)
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests
