Inicio Explorar Ayuda
Iniciar sesión
yunoadmin
/
bambuddy
espejo de https://github.com/maziggy/bambuddy
1
0
Fork 0
Archivos Incidencias 0 Wiki
Explorar el Código

chore(ci): also ignore disputed PyJWT CVE-2025-45768 in ci.yml

  security.yml had this ignore added in 9d440beb but ci.yml runs its
  own pip-audit step with a separate ignore list. CI was still failing
  on main + dev. Reasoning identical to the security.yml comment —
  disputed by PyJWT maintainers, no fix exists, Bambuddy uses
  secrets.token_urlsafe(64) and rejects short secrets.
maziggy hace 1 semana
padre
4910a0fb86
commit
2b8887c4d5
Se han modificado 1 ficheros con 9 adiciones y 1 borrados
Dividir vista Mostrar estadísticas de diff
  1. 9 1
      .github/workflows/ci.yml

+ 9 - 1
.github/workflows/ci.yml
Ver fichero 

@@ -73,7 +73,15 @@ jobs:
 
         run: |
 
           # CVE-2026-4539: low-severity ReDoS in Pygments AdlLexer (indirect dep via mkdocs-material/pytest/rich).
 
           # No fix available yet. Remove --ignore-vuln once Pygments releases a patched version.
 
-          pip-audit --desc on --ignore-vuln CVE-2026-4539
 
+          #
 
+          # CVE-2025-45768 (PYSEC-2025-183 / GHSA-65pc-fj4g-8rjx): disputed by PyJWT maintainers.
 
+          # Advisory says "key length is chosen by the application that uses the library" — no
 
+          # PyJWT fix exists or will exist. Bambuddy is safe: backend/app/core/auth.py:184 uses
 
+          # secrets.token_urlsafe(64) (~86 chars of entropy) for auto-generated secrets and
 
+          # rejects file-loaded secrets shorter than 32 chars at :177. Keep ignored permanently.
 
+          pip-audit --desc on \
 
+            --ignore-vuln CVE-2026-4539 \
 
+            --ignore-vuln CVE-2025-45768
 
 
   backend-tests:
 
     name: Backend Tests