fix(ci): ignore disputed joblib + nltk advisories in pip-audit

[JacobPEvans]

Summary

Two transitive Python deps trigger pip-audit failures with no upstream fix yet:

• PYSEC-2024-277 (joblib 1.5.3) — NumpyArrayWrapper deserialization. The vendor disputes this because NumpyArrayWrapper is only used while caching trusted content.
• PYSEC-2026-97 (nltk 3.9.4) — filestring() arbitrary file read. Requires user-controlled path input; not exposed by template code.

These block #52 (gh-aw SHA refresh) and any future Renovate lock PR. Since this is a template, forks should review quarterly and tighten as their actual usage exposes (or doesn't expose) these surfaces.

Changes

• Add --ignore-vuln PYSEC-2024-277 --ignore-vuln PYSEC-2026-97 to the existing pip-audit invocation
• Document each ID with rationale

Test plan

• Security Scan job goes green on this PR
• After merge, retrigger fix(deps): refresh gh-aw action SHA pins #52 — should clear the security gate

Cleanup

Drop each --ignore-vuln flag once upstream ships a fix. Review quarterly.

Related: #52

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[JacobPEvans]

Closing — superseded by #58. PR #57 suppresses transitive advisories from the redundant safety dep; PR #58 drops safety entirely (it duplicates pip-audit), removing the joblib + nltk transitive deps that triggered PYSEC-2024-277 / PYSEC-2026-97 in the first place. Root-cause fix over symptom suppression.