From b34df57c9200484ffe8c66133701622ba6b43d41 Mon Sep 17 00:00:00 2001 From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com> Date: Fri, 22 May 2026 13:44:19 -0400 Subject: [PATCH] fix(ci): ignore disputed joblib + nltk advisories in pip-audit Both advisories have no upstream fix and represent low risk in template usage: - PYSEC-2024-277 (joblib): NumpyArrayWrapper deserialization. Disputed by supplier (only used during caching of trusted content). - PYSEC-2026-97 (nltk): filestring() arbitrary file read. Requires user- controlled path input; not exposed by template code. Blocks the gh-aw SHA refresh PR (#52). Forks should review quarterly and remove once upstream patches land. --- .github/workflows/ci.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 37491ad..4578a4d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -83,8 +83,14 @@ jobs: bandit -r src/ -c pyproject.toml - name: Run pip-audit for dependency vulnerabilities + # Disputed/contextual transitive vulnerabilities with no upstream fix. + # Review quarterly and remove once upstream patches land. + # PYSEC-2024-277 — joblib 1.5.3 NumpyArrayWrapper deserialization. + # Disputed by supplier (only used during caching of trusted content). + # PYSEC-2026-97 — nltk 3.9.4 filestring() arbitrary file read. + # Requires user-controlled path input; not exposed by template code. run: | - pip-audit + pip-audit --ignore-vuln PYSEC-2024-277 --ignore-vuln PYSEC-2026-97 docs: name: Documentation Check
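Review bot: the "Review quarterly and remove once upstream patches land" comment in the ci.yml hunk has nothing that makes the review happen: the two `--ignore-vuln` suppressions are unconditional and will keep silencing PYSEC-2024-277 and PYSEC-2026-97 after joblib or nltk are bumped, and the commit message references only the blocked PR (#52), not a tracking issue for removing the ignores. Suggest adding the date of this decision and a tracking-issue reference to the comment block (e.g. `# Added 2026-05-22, next review due 2026-08; see issue #<placeholder>`) so the next reviewer can tell whether the quarter has lapsed, and re-checking the comment's pinned versions (`joblib 1.5.3`, `nltk 3.9.4`) on each dependency update since those lines go stale silently.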