Add `pip-audit` to CI for dependency vulnerability scanning

[aallan]

pip-audit checks installed packages against the OSV vulnerability database. The compiler processes untrusted input (arbitrary .vera source files), making dependency CVEs a real concern.

Add a CI job:

dependency-audit:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-python@v5
      with: { python-version: "3.12" }
    - run: pip install -e . && pip install pip-audit
    - run: pip-audit --strict

This catches CVEs in lark, z3-solver, wasmtime, or their transitive dependencies. Low effort, high value.

[aallan]

Fixed in PR #415 (branch docs/history-tooling-split).

Added a dependency-audit CI job that runs pip-audit --skip-editable on every push and PR. The job installs only the runtime dependencies (pip install -e .) plus pip-audit itself, then audits all packages against the OSV vulnerability database.

A real CVE was found in the process: pygments 2.19.2 carries CVE-2026-4539 (transitive dependency via pytest/rich). No fix release exists yet, so it is suppressed with --ignore-vuln CVE-2026-4539 and a comment to revisit when pygments >2.19.2 ships.

--strict was not used because it fails whenever any editable install is present, regardless of --skip-editable — a known pip-audit limitation.

[aallan]

Reopening so PR #415 closes this automatically on merge to main. The fix is implemented on branch docs/history-tooling-split — see above comments for details.

[aallan]

Implemented in PR #415 (branch docs/history-tooling-split, shipping as v0.0.103).

What was done:

• Added a dependency-audit job to .github/workflows/ci.yml that runs pip-audit --skip-editable --ignore-vuln CVE-2026-4539 on every push and PR
• --skip-editable skips the local vera package (not on PyPI, so pip-audit can't audit it)
• During implementation, a real CVE was found: pygments 2.19.2 has CVE-2026-4539 (transitive via pytest/rich). No fix release exists yet — suppressed with --ignore-vuln and a comment to revisit when pygments ships a patch
• Documented in TESTING.md CI jobs table and SECURITY.md