From 5c9f96655aeb1608cdc25066954fc75ea4e250b3 Mon Sep 17 00:00:00 2001
From: gss
Date: Wed, 29 Apr 2026 00:37:45 +0800
Subject: [PATCH] fix(ci): upgrade pip before security audit to avoid pip-self CVEs

pip 25.3 pre-installed on CI runners has CVE-2026-1703 and CVE-2026-3219. Upgrading pip before running pip-audit avoids false positives.

Closes #15

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 32e77b4..9aa50ca 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -59,6 +59,7 @@ jobs:
 - uses: actions/setup-python@v5
 with:
 python-version: "3.12"
+ - run: python -m pip install --upgrade pip
 - run: pip install pip-audit bandit
 - name: Install project
 run: pip install -e ".[dev]"
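Review bot: The added `python -m pip install --upgrade pip` step installs whatever pip release PyPI serves at run time, so the job's toolchain is no longer reproducible and the step meant to close two pip CVEs becomes a new unpinned, unhashed supply-chain fetch executed by the very pip being replaced. Pin the target and record the reason instead: a comment `# pinned on purpose: the runner's preinstalled pip 25.3 is flagged by pip-audit (CVE-2026-1703, CVE-2026-3219)` above `- run: python -m pip install "pip==<first release that fixes both CVEs>"`, bumped deliberately when a newer fixed release is wanted. The commit message calls pip-audit's report "false positives", but a vulnerable pip inside the job environment is a true finding; the pinned upgrade remediates it rather than silencing it, and that distinction is worth keeping in the comment so nobody later replaces the step with an `--ignore-vuln`. The same unpinned pattern continues on the next context line (`pip install pip-audit bandit`), and the enclosing `steps:` list starts before the hunk.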