Summary
The dependency-audit CI job flags CVE-2026-3219 in pip 26.0.1 (published 2026-04-20). Until pip 26.1 ships with the fix, we ignore this CVE in the pip-audit invocation. This issue tracks the ignore so it gets removed once the upstream fix lands on PyPI.
CVE details
- CVE: CVE-2026-3219
- GitHub Advisory: GHSA-58qw-9mgm-455v
- Affected: pip ≤ 26.0.1
- Nature: pip handles concatenated tar+ZIP files as ZIP regardless of filename or archive format. An archive that is both a valid tar and a valid ZIP could cause pip to install files inconsistent with what the filename implies.
- Threat model: requires installing from an untrusted, ambiguously-formatted archive. Does not apply to our CI, which installs from PyPI over TLS.
Upstream fix
New behaviour: pip only proceeds with installation if the archive identifies uniquely as a ZIP or a tar, not as both.
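As an added illustration of that rule (this is not pip's code and not the upstream patch), the following Python classifies a byte string as exactly one of ZIP, tar, ambiguous, or unknown using the standard library's tarfile and zipfile, and gates installation the way the fix describes. The build_samples helper constructs the inputs in memory, including the concatenated tar+ZIP case the advisory talks about: Python's tarfile stops at the end-of-archive zero blocks and zipfile locates the central directory from the end of the file, so each parser on its own accepts the combined bytes. The names classify_archive, install_ok and build_samples are mine.

```python
# Added example, not pip's own code: classify an archive as exactly one of
# "zip" / "tar" / "ambiguous" / "unknown" and refuse to proceed unless the
# answer is unambiguous, which is the behaviour the upstream fix describes.
import io
import tarfile
import zipfile


def is_valid_tar(data: bytes) -> bool:
    """True if the bytes parse as a complete tar archive starting at offset 0."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            tf.getmembers()  # walk every header so a truncated body is caught
        return True
    except (tarfile.TarError, OSError, EOFError):
        return False


def is_valid_zip(data: bytes) -> bool:
    """True if the bytes carry a readable ZIP central directory and members."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None  # None: every member's CRC checked out
    except (zipfile.BadZipFile, OSError, EOFError):
        return False


def classify_archive(data: bytes) -> str:
    """Return "tar", "zip", "ambiguous" (both parse) or "unknown" (neither)."""
    tar, zip_ = is_valid_tar(data), is_valid_zip(data)
    if tar and zip_:
        return "ambiguous"
    if tar:
        return "tar"
    if zip_:
        return "zip"
    return "unknown"


def install_ok(data: bytes) -> bool:
    """Gate in the spirit of the fix: proceed only for an unambiguous archive."""
    return classify_archive(data) in ("tar", "zip")


def build_samples() -> dict[str, bytes]:
    """Constructed test inputs (not real packages): a tiny tar, a tiny ZIP,
    their concatenation, and non-archive bytes."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        payload = b"hello from tar\n"
        info = tarfile.TarInfo("hello.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("hello.txt", "hello from zip\n")
    tar_bytes, zip_bytes = tar_buf.getvalue(), zip_buf.getvalue()
    return {
        "tar": tar_bytes,
        "zip": zip_bytes,
        # tarfile ends at the zero blocks and never sees the trailing ZIP;
        # zipfile finds the central directory from the end and adjusts offsets.
        "tar+zip": tar_bytes + zip_bytes,
        "garbage": b"not an archive at all",
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        verdict = classify_archive(blob)
        print(f"{name:8s} -> {verdict:10s} install_ok={install_ok(blob)}")
```

Running it prints one line per sample; only the plain tar and plain ZIP pass install_ok, the concatenated file is reported as ambiguous and refused. The check works on bytes rather than on the filename on purpose: the advisory's point is that the name carries no trustworthy information about which parser will be used.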
Why ignore rather than upgrade
As of filing, no pip release contains the fix. pip 26.0.2 does not exist; pip 26.1 is the next release that will contain the fix per the upstream milestone. There is nothing to upgrade to.
Switching dependency-audit from pip to uv would not help — pip-audit transitively depends on pip-api, which pulls pip into the environment regardless of installer. pip-audit then scans its own environment and reports the CVE on pip itself.
Action items
- Add --ignore-vuln CVE-2026-3219 to the .github/workflows/ci.yml dependency-audit step with a dated comment linking this issue, the CVE, and the upstream fix PR.
Related precedent
We already ignore CVE-2026-4539 in pygments 2.19.2 by the same pattern (see .github/workflows/ci.yml). That ignore is still in force because pygments hasn't shipped a fix. This new ignore follows the same convention but has a clearer path to removal: pip 26.1 exists; it just hasn't been released.
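One way to keep such an ignore from lingering the way the pygments one has, as an added example rather than anything from this repository's ci.yml: record each ignore together with the release expected to fix it, derive the pip-audit --ignore-vuln arguments from that table, and fail the job once the fixed release is actually installed. The Ignore class, the IGNORES table, version_key and the example.invalid tracking URLs are my own; the pygments entry carries no fixed version because none has shipped.

```python
# Added example, not the project's CI code: one table of audit ignores with the
# version that fixes each, from which the pip-audit flags are generated and
# against which the installed versions are checked so stale ignores fail CI.
import re
import sys
from dataclasses import dataclass
from importlib import metadata
from typing import Optional


@dataclass(frozen=True)
class Ignore:
    vuln_id: str            # advisory being suppressed
    package: str            # distribution the audit reports it on
    fixed_in: Optional[str] # first release expected to carry the fix, None if unknown
    tracking: str           # issue or PR justifying the ignore (placeholder URLs below)


# The two ignores this issue discusses; tracking links are placeholders.
IGNORES = (
    Ignore("CVE-2026-3219", "pip", "26.1",
           "https://example.invalid/issues/TRACKING-ISSUE"),
    Ignore("CVE-2026-4539", "pygments", None,
           "https://example.invalid/issues/PYGMENTS-ISSUE"),
)

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2}


def version_key(version: str) -> tuple:
    """Minimal PEP 440-style sort key: numeric release (trailing zeros dropped,
    so 26.1 == 26.1.0), then a flag placing finals after their pre-releases."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    if m.group(2) is None:
        return (tuple(parts), 1, 0, 0)
    return (tuple(parts), 0, _PRE_ORDER[m.group(2)], int(m.group(3)))


def stale_ignores(ignores, installed: dict) -> list:
    """IDs whose fixing release (or newer) is installed, i.e. ignores to delete."""
    stale = []
    for ig in ignores:
        if ig.fixed_in is None or ig.package not in installed:
            continue
        if version_key(installed[ig.package]) >= version_key(ig.fixed_in):
            stale.append(ig.vuln_id)
    return stale


def pip_audit_args(ignores, installed: dict) -> list:
    """One --ignore-vuln per ignore that is still required."""
    stale = set(stale_ignores(ignores, installed))
    args = []
    for ig in ignores:
        if ig.vuln_id not in stale:
            args += ["--ignore-vuln", ig.vuln_id]
    return args


def installed_versions(names) -> dict:
    """Versions of the named distributions in the current environment."""
    found = {}
    for name in names:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            pass
    return found


if __name__ == "__main__":
    env = installed_versions({ig.package for ig in IGNORES})
    stale = stale_ignores(IGNORES, env)
    if stale:
        print("fixed release installed, remove these ignores:", ", ".join(stale))
        sys.exit(1)
    print("pip-audit", *pip_audit_args(IGNORES, env))
```

In the dependency-audit step this runs before pip-audit: while pip 26.0.1 is installed it emits both ignore flags, and the first CI run after pip 26.1 lands fails with a message naming CVE-2026-3219, which is the reminder this issue is meant to provide.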