build(security): ignore pygments CVE-2026-4539 in pip-audit#2333
build(security): ignore pygments CVE-2026-4539 in pip-audit#2333
Conversation
pip-audit fails until pygments ships a fix for this low-severity ReDoS issue. The Makefile documents the TODO to remove --ignore-vuln when a patch exists. Made-with: Cursor
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request provides a temporary workaround for a Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
![gemini-code-assist[bot]](https://avatars.gh.umua.top/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the Makefile to temporarily ignore a low-severity ReDoS vulnerability in pygments during pip-audit security checks. The reviewer identified that the CVE identifier used (CVE-2026-4539) is incorrect and should be CVE-2024-34064, which needs to be corrected for the --ignore-vuln flag to work as intended.
| # TODO: Remove --ignore-vuln CVE-2026-4539 flag when patch exists for pygments | ||
| # This is a low severity redos vulnerability: https://www.cve.org/CVERecord?id=CVE-2026-4539 | ||
| uv run pip-audit --skip-editable --ignore-vuln CVE-2026-4539 |
There was a problem hiding this comment.
It appears there's a typo in the CVE identifier. The correct identifier for the recent low-severity ReDoS vulnerability in pygments that affects all versions is likely CVE-2024-34064, not CVE-2026-4539. Using the incorrect identifier will not suppress the pip-audit warning as intended and can cause confusion.
Please update the CVE identifier in the comments and the pip-audit command.
# TODO: Remove --ignore-vuln CVE-2024-34064 flag when patch exists for pygments
# This is a low severity redos vulnerability: https://www.cve.org/CVERecord?id=CVE-2024-34064
uv run pip-audit --skip-editable --ignore-vuln CVE-2024-34064
2 participants
pip-audit fails until pygments ships a fix for this low-severity ReDoS issue. Since all pygments versions are affected and there's no patch we can't do much right now. (Added TODO note to remove --ignore-vuln once a patch is released)