fix: ignore pip CVE-2026-3219 (#11) (#51)

constk · web-flow · commit fa459c224640 · 2026-04-27T03:04:38.000+10:00
diff --git a/.github/security/pip-audit-ignore.txt b/.github/security/pip-audit-ignore.txt
@@ -5,6 +5,8 @@
 # Format:
 #   # CVE-XXXX-NNNN — short reason; tracking issue / fix ETA.
 #   CVE-XXXX-NNNN
-#
-# Currently empty for the harness scaffold — add entries as upstream
-# advisories require.
+
+# CVE-2026-3219 — pip 26.0.1; advisory disclosed April 2026, blocks every
+# build until pip 26.0.2+ ships in the GHA tool cache. Remove once
+# `actions/setup-python` upgrades the bundled pip.
+CVE-2026-3219
