ci(audit): document CVE-2025-71176 rationale and drop stale pygments ignore

jgstern-agent · jgstern-agent · commit 6c408d99aa78 · 2026-04-13T22:02:08.000-04:00
The pip-audit step had two --ignore-vuln entries: 1. CVE-2026-4539 (pygments AdlLexer ReDoS) — **dropped**. This entry was added when pygments 2.19.2 was the latest version (the comment literally said "no upstream fix available yet — latest version"). Our hypergumbo-core and hypergumbo-tracker pyproject.toml files now pin `pygments~=2.20.0`, which is past the vulnerable range. Verified: `pip-audit` against a fresh env with pygments 2.20.0 installed reports no vulnerabilities. The ignore was stale. 2. CVE-2025-71176 (pytest /tmp/pytest-of-{user} TOCTOU) — **kept**, with expanded rationale in the comment block. Fix is pytest 9.0.3, but syrupy 4.8.0 (hard-pinned by pytest-textual-snapshot==1.1.0) caps pytest<9.0.0, so we cannot reach 9.0.3 without forking the upstream. Upstream PR Textualize/pytest-textual-snapshot#24 relaxes the syrupy pin to >=5.0.0, which would let us bump pytest and drop this ignore. Impact assessment for hypergumbo: * Local-only attack boundary (requires shell on the same UNIX box). * pytest is dev-only — never shipped to end users running hypergumbo. * Self-hosted CI runners are single-tenant, so no co-tenant risk. * Practical exploitability is effectively zero. Tracked in WI-zokan for automatic revert once upstream PR #24 lands. Signed-off-by: jgstern-agent <josh-agent@iterabloom.com>
diff --git a/.ci/affected-tests.txt b/.ci/affected-tests.txt
@@ -1,8 +1,8 @@
 # Test selection manifest
-# Generated by smart-test at 2026-04-13T20:10:59-04:00
+# Generated by smart-test at 2026-04-13T22:02:02-04:00
 # Mode: targeted
 # Baseline: f046326bb05bedcc5f34a321ea921374404dffb5
-# Changed files: 33
+# Changed files: 32
 # Changed source files: 9
 # Selected tests: 26
 #
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -268,9 +268,18 @@ jobs:
           pip install "requests~=2.33.0"
       - name: Run pip-audit (dependency vulnerabilities)
         run: |
-          # CVE-2026-4539: pygments 2.19.2 — no upstream fix available yet (latest version)
-          # CVE-2025-71176: pytest 9.0.2 — fix in 9.0.3; transitive dep, unrelated to runtime
-          pip-audit --skip-editable --ignore-vuln CVE-2026-4539 --ignore-vuln CVE-2025-71176
+          # CVE-2025-71176: pytest /tmp/pytest-of-{user} TOCTOU on UNIX.
+          # Fix is pytest 9.0.3, but we are pinned below 9.0.0 transitively by
+          # syrupy 4.8.0 (hard-pinned by pytest-textual-snapshot 1.1.0).
+          # Impact assessment: local attack boundary only, reachable solely in
+          # CI/dev environments — pytest is a dev-only dep, never installed on
+          # end-user systems running hypergumbo. Our self-hosted runners are
+          # single-tenant, so practical exploitability is ~0.
+          # Exit plan: upstream PR to relax the syrupy pin is tracked at
+          # https://github.com/Textualize/pytest-textual-snapshot/pull/24
+          # When that merges and a new pytest-textual-snapshot release ships,
+          # bump pytest to 9.0.3+ and drop this ignore.
+          pip-audit --skip-editable --ignore-vuln CVE-2025-71176
 
   verify-generated:
     needs: [changes, stop-the-line]
