
chore(security): bump idna >=3.15 (CVE-2026-45409) + ignore disputed PyJWT advisory

  - requirements.txt: pin idna>=3.15 to clear ReDoS in idna.encode() on
    crafted Unicode payloads. Transitive via anyio/httpx/requests/yarl,
    so the explicit floor stops a future downstream loosening from
    silently downgrading us.
  - security.yml: permanently --ignore-vuln CVE-2025-45768 (PyJWT). The
    advisory is disputed by the maintainers — "key length is chosen by
    the application" — and no fix version exists. Bambuddy is safe:
    auto-generates secrets via secrets.token_urlsafe(64) and rejects
    file-loaded secrets shorter than 32 chars (auth.py:177, :184).
  - security.yml: drop the stale Pygments --ignore-vuln CVE-2026-4539.
    Pygments has been patched upstream; the ignore no longer matches
    anything.
maziggy 1 week ago
parent
commit
fdd20e49b3
3 changed files with 22 additions and 4 deletions
  1. .github/workflows/security.yml (+11 -4)
  2. CHANGELOG.md (+6 -0)
  3. requirements.txt (+5 -0)

+ 11 - 4
.github/workflows/security.yml

@@ -132,10 +132,17 @@ jobs:
       - name: Run pip-audit
       - name: Run pip-audit
         id: pip-audit
         id: pip-audit
         run: |
         run: |
-          # CVE-2026-4539: low-severity ReDoS in Pygments AdlLexer (indirect dep via mkdocs-material/pytest/rich).
-          # No fix available yet. Remove --ignore-vuln once Pygments releases a patched version.
-          pip-audit --desc on --format json --output pip-audit-results.json --ignore-vuln CVE-2026-4539 || echo "vulnerabilities_found=true" >> $GITHUB_OUTPUT
-          pip-audit --desc on --ignore-vuln CVE-2026-4539 || true
+          # CVE-2025-45768 (PYSEC-2025-183 / GHSA-65pc-fj4g-8rjx): disputed by PyJWT maintainers.
+          # Advisory says "key length is chosen by the application that uses the library" — no
+          # PyJWT fix exists or will exist. Bambuddy is safe: backend/app/core/auth.py:184 uses
+          # secrets.token_urlsafe(64) (~86 chars of entropy) for auto-generated secrets and
+          # rejects file-loaded secrets shorter than 32 chars at :177. Keep ignored permanently.
+          pip-audit --desc on --format json --output pip-audit-results.json \
+            --ignore-vuln CVE-2025-45768 \
+            || echo "vulnerabilities_found=true" >> $GITHUB_OUTPUT
+          pip-audit --desc on \
+            --ignore-vuln CVE-2025-45768 \
+            || true
 
 
       - name: Upload audit results
       - name: Upload audit results
         if: always()
         if: always()
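Review bot: the justification comment in this hunk conflates output length with entropy: `secrets.token_urlsafe(64)` draws 64 random bytes (512 bits of entropy) and returns a base64url string of about 86 characters, so "~86 chars of entropy" should read "64 random bytes (512 bits), ~86 chars encoded". The `auth.py:184` / `:177` references will also drift as soon as that file is edited; naming the function that generates and validates the secret would keep the evidence stable. Separately, `|| echo "vulnerabilities_found=true" >> $GITHUB_OUTPUT` fires on any non-zero exit, so a pip-audit tool failure (for example, the advisory database being unreachable) is reported as a finding while the second invocation's `|| true` hides the same error; consider deciding `vulnerabilities_found` from the contents of `pip-audit-results.json` rather than from the exit code.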

+ 6 - 0
CHANGELOG.md

@@ -2,6 +2,12 @@
 
 
 All notable changes to Bambuddy will be documented in this file.
 All notable changes to Bambuddy will be documented in this file.
 
 
+## [0.2.4.3] - Unreleased
+
+### Security
+- **idna: bump to `>=3.15` to clear CVE-2026-45409 (ReDoS in `idna.encode()` with crafted Unicode payloads, e.g. `"٠" * N` or `"・" * N + "漢"`)** — Transitive dep pulled in by anyio / httpx / requests / yarl; not directly pinned, which is why it lingered at 3.13. Added an explicit `idna>=3.15` floor in `requirements.txt` between Authentication and HTTP-client blocks with a comment explaining why it's pinned (so a future downstream loosening doesn't silently downgrade us). Verified via `pip-audit` clean post-upgrade.
+- **PyJWT CVE-2025-45768 (PYSEC-2025-183 / GHSA-65pc-fj4g-8rjx): permanently ignored in pip-audit** — Advisory is disputed by the PyJWT maintainers, with the advisory description literally noting *"this is disputed by the Supplier because the key length is chosen by the application that uses the library."* `fix_versions=[]` on the advisory confirms no PyJWT patch exists or will exist. Bambuddy is not affected: `backend/app/core/auth.py:184` auto-generates secrets via `secrets.token_urlsafe(64)` (~86 chars of entropy, far above any sane minimum) and the file-loaded path at `:177` rejects secrets shorter than 32 chars. Added a permanent `--ignore-vuln CVE-2025-45768` to `.github/workflows/security.yml` with an inline comment citing the file:line evidence so a future maintainer reviewing the ignore list sees why it's load-bearing. Also dropped the stale `--ignore-vuln CVE-2026-4539` for Pygments — Pygments has since shipped a patched version and the ignore is no longer load-bearing (verified: `pip-audit --ignore-vuln CVE-2025-45768` alone reports clean).
+
 ## [0.2.4.2] - 2026-05-19
 ## [0.2.4.2] - 2026-05-19
 
 
 ### Added
 ### Added
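Review bot: the PyJWT entry repeats the "~86 chars of entropy" wording from the workflow comment; the entropy of `secrets.token_urlsafe(64)` is the 64 random bytes (512 bits), and the 86 characters are just the base64url encoding of them, so the changelog should say that. Hard-coding `auth.py:184` and `:177` in a changelog that is meant to be read long after the code moves is fragile; pointing at the secret-generation and validation function names instead would keep the rationale verifiable. A style point: each bullet here folds several distinct facts (the advisory status, why Bambuddy is unaffected, the workflow change, the Pygments cleanup) into one paragraph-length line; splitting the Pygments ignore removal into its own bullet would make the entry easier to scan.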

+ 5 - 0
requirements.txt

@@ -60,6 +60,11 @@ passlib[bcrypt]>=1.7.4
 ldap3>=2.9.0
 ldap3>=2.9.0
 pyotp>=2.9.0
 pyotp>=2.9.0
 
 
+# Transitive dep pin: idna<3.15 has CVE-2026-45409 (ReDoS on encode() with
+# crafted Unicode). Pulled in by anyio/httpx/requests/yarl; pin the floor
+# so we don't regress when a downstream loosens its constraint.
+idna>=3.15
+
 # HTTP client (used for OIDC token exchange)
 # HTTP client (used for OIDC token exchange)
 httpx>=0.26.0
 httpx>=0.26.0
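Review bot: the rationale comment in this hunk slightly misstates the failure mode it guards against. Once `idna>=3.15` is in `requirements.txt`, a downstream package loosening its own constraint cannot pull idna below 3.15; what the floor actually protects against is a downstream adding an upper bound, or a lock file pinning the older 3.13, and in those cases pip reports a resolution conflict rather than silently downgrading. Consider rewording the last two lines to "pin the floor so a downstream upper bound or a stale lock cannot drag us back below 3.15", so the next maintainer knows to expect a resolver error, not a silent downgrade.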