1 week ago · fdd20e49b3
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -132,10 +132,17 @@ jobs:
 
				       - name: Run pip-audit
			
 
				         id: pip-audit
			
 
				         run: |
			
 
				-          # CVE-2026-4539: low-severity ReDoS in Pygments AdlLexer (indirect dep via mkdocs-material/pytest/rich).
			
 
				-          # No fix available yet. Remove --ignore-vuln once Pygments releases a patched version.
			
 
				-          pip-audit --desc on --format json --output pip-audit-results.json --ignore-vuln CVE-2026-4539 || echo "vulnerabilities_found=true" >> $GITHUB_OUTPUT
			
 
				-          pip-audit --desc on --ignore-vuln CVE-2026-4539 || true
			
 
				+          # CVE-2025-45768 (PYSEC-2025-183 / GHSA-65pc-fj4g-8rjx): disputed by PyJWT maintainers.
			
 
				+          # Advisory says "key length is chosen by the application that uses the library" — no
			
 
				+          # PyJWT fix exists or will exist. Bambuddy is safe: backend/app/core/auth.py:184 uses
			
 
				+          # secrets.token_urlsafe(64) (~86 chars of entropy) for auto-generated secrets and
			
 
				+          # rejects file-loaded secrets shorter than 32 chars at :177. Keep ignored permanently.
			
 
				+          pip-audit --desc on --format json --output pip-audit-results.json \
			
 
				+            --ignore-vuln CVE-2025-45768 \
			
 
				+            || echo "vulnerabilities_found=true" >> $GITHUB_OUTPUT
			
 
				+          pip-audit --desc on \
			
 
				+            --ignore-vuln CVE-2025-45768 \
			
 
				+            || true
			
 
				 
			
 
				       - name: Upload audit results
			
 
				         if: always()
			
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,12 @@
 
				 
			
 
				 All notable changes to Bambuddy will be documented in this file.
			
 
				 
			
 
				+## [0.2.4.3] - Unreleased
			
 
				+
			
 
				+### Security
			
 
				+- **idna: bump to `>=3.15` to clear CVE-2026-45409 (ReDoS in `idna.encode()` with crafted Unicode payloads, e.g. `"٠" * N` or `"・" * N + "漢"`)** — Transitive dep pulled in by anyio / httpx / requests / yarl; not directly pinned, which is why it lingered at 3.13. Added an explicit `idna>=3.15` floor in `requirements.txt` between Authentication and HTTP-client blocks with a comment explaining why it's pinned (so a future downstream loosening doesn't silently downgrade us). Verified via `pip-audit` clean post-upgrade.
			
 
				+- **PyJWT CVE-2025-45768 (PYSEC-2025-183 / GHSA-65pc-fj4g-8rjx): permanently ignored in pip-audit** — Advisory is disputed by the PyJWT maintainers, with the advisory description literally noting *"this is disputed by the Supplier because the key length is chosen by the application that uses the library."* `fix_versions=[]` on the advisory confirms no PyJWT patch exists or will exist. Bambuddy is not affected: `backend/app/core/auth.py:184` auto-generates secrets via `secrets.token_urlsafe(64)` (~86 chars of entropy, far above any sane minimum) and the file-loaded path at `:177` rejects secrets shorter than 32 chars. Added a permanent `--ignore-vuln CVE-2025-45768` to `.github/workflows/security.yml` with an inline comment citing the file:line evidence so a future maintainer reviewing the ignore list sees why it's load-bearing. Also dropped the stale `--ignore-vuln CVE-2026-4539` for Pygments — Pygments has since shipped a patched version and the ignore is no longer load-bearing (verified: `pip-audit --ignore-vuln CVE-2025-45768` alone reports clean).
			
 
				+
			
 
				 ## [0.2.4.2] - 2026-05-19
			
 
				 
			
 
				 ### Added
			
--- a/requirements.txt
+++ b/requirements.txt
@@ -60,6 +60,11 @@ passlib[bcrypt]>=1.7.4
 
				 ldap3>=2.9.0
			
 
				 pyotp>=2.9.0
			
 
				 
			
 
				+# Transitive dep pin: idna<3.15 has CVE-2026-45409 (ReDoS on encode() with
			
 
				+# crafted Unicode). Pulled in by anyio/httpx/requests/yarl; pin the floor
			
 
				+# so we don't regress when a downstream loosens its constraint.
			
 
				+idna>=3.15
			
 
				+
			
 
				 # HTTP client (used for OIDC token exchange)
			
 
				 httpx>=0.26.0