Problem
CI Security Scan job (pip-audit) fails on all PRs with:
joblib 1.5.3 PYSEC-2024-277 (no fix listed)
nltk 3.9.4 PYSEC-2026-97 (no fix listed; 3.9.4 IS the patched version per upstream)
These are transitive dependencies of safety, not direct project deps. The nltk advisory appears to be a false positive — 3.9.4 is the upstream fix per CVE-2026-0847.
Currently blocks PR #52 (and likely all future PRs) since the repo ruleset requires Security Scan to pass.
Suggested fixes (pick one)
- Drop safety: it overlaps with pip-audit; remove it from pyproject.toml [project.optional-dependencies] dev.
- Ignore the two advisories with pip-audit --ignore-vuln PYSEC-2024-277 --ignore-vuln PYSEC-2026-97 in the .github/workflows/ci.yml Security Scan step.
- Run pip-audit against project deps only (pip-audit -r requirements.txt, if a real requirements file existed) instead of the full env including dev deps.
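If the ignore route is taken, a small triage step is safer than bare --ignore-vuln flags that never expire. The script below is an added example, not code from this repo or from pip-audit: it reads pip-audit's JSON output (assumed layout: dependencies[].vulns[] with id, fix_versions, aliases) and honours an allowlist entry only while it is unexpired and the advisory still has no fix version; the allowlist and the sample report are constructed to mirror the two findings above.

```python
"""Triage pip-audit JSON findings against a reviewed allowlist.

Hypothetical helper, not part of this project or of pip-audit: each ignored
advisory carries a reason and an expiry and is honoured only while pip-audit
still reports no fix version, so a fix that later appears fails the job again.
"""
import json
import sys
from datetime import date
# Reviewed allowlist, constructed for this example (expiry dates are placeholders).
ALLOWLIST = {
    "PYSEC-2024-277": {"reason": "transitive via safety; no fix listed", "expires": "2026-08-31"},
    "PYSEC-2026-97": {"reason": "3.9.4 is the upstream fix (CVE-2026-0847)", "expires": "2026-08-31"},
}

def triage(report: dict, allowlist: dict, today: str) -> list[str]:
    """Return the reasons the scan must fail (empty list = pass). `report` is
    parsed `pip-audit -f json` output, assumed layout dependencies[].vulns[]
    with id, fix_versions, aliases; `today` is an ISO date string (text-comparable).
    """
    failures = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            label = f"{dep['name']} {dep['version']} {vuln['id']}"
            # Match on the PYSEC id or on any alias (e.g. the CVE id).
            ids = [vuln["id"], *vuln.get("aliases", [])]
            entry = next((allowlist[i] for i in ids if i in allowlist), None)
            if entry is None:
                failures.append(f"{label}: not allowlisted")
            elif entry["expires"] < today:
                failures.append(f"{label}: allowlist entry expired {entry['expires']}")
            elif vuln.get("fix_versions"):
                failures.append(f"{label}: fix now available {vuln['fix_versions']}; "
                                "upgrade instead of ignoring")
    return failures
# Constructed sample mirroring this issue's two findings; not real pip-audit output.
SAMPLE_REPORT = {"dependencies": [
    {"name": "joblib", "version": "1.5.3",
     "vulns": [{"id": "PYSEC-2024-277", "fix_versions": [], "aliases": []}]},
    {"name": "nltk", "version": "3.9.4",
     "vulns": [{"id": "PYSEC-2026-97", "fix_versions": [], "aliases": ["CVE-2026-0847"]}]},
]}

if __name__ == "__main__":
    # CI usage: pip-audit -f json -o audit.json; python triage.py audit.json
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    problems = triage(report, ALLOWLIST, date.today().isoformat())
    print("\n".join(problems) or "all pip-audit findings are allowlisted")
    sys.exit(1 if problems else 0)
```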
Detected during
Workspace cleanup sweep 2026-05-22. PR #52 (bot-authored gh-aw SHA refresh) cannot merge until resolved.