From 6ceef27ed40d2e81fdc540591ffda4db0df1d3fe Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 16 Feb 2026 05:37:47 +0000
Subject: [PATCH 1/3] Bump pip-tools

Bumps the packages group with 1 update in the /{{ cookiecutter.project_slug }}/.github/utils directory: [pip-tools](https://github.com/jazzband/pip-tools).

Updates `pip-tools` from 7.5.2 to 7.5.3
- [Release notes](https://github.com/jazzband/pip-tools/releases)
- [Changelog](https://github.com/jazzband/pip-tools/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jazzband/pip-tools/compare/v7.5.2...v7.5.3)

---
updated-dependencies:
- dependency-name: pip-tools
  dependency-version: 7.5.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: packages
...

Signed-off-by: dependabot[bot]
---
 .../.github/utils/requirements_ci.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/{{ cookiecutter.project_slug }}/.github/utils/requirements_ci.txt b/{{ cookiecutter.project_slug }}/.github/utils/requirements_ci.txt
index d41510d..1761760 100644
--- a/{{ cookiecutter.project_slug }}/.github/utils/requirements_ci.txt
+++ b/{{ cookiecutter.project_slug }}/.github/utils/requirements_ci.txt
@@ -1 +1 @@
-pip-tools==7.5.2
+pip-tools==7.5.3

From 081d3724ca506b3511f4833779cb2ea1f09fa4b7 Mon Sep 17 00:00:00 2001
From: Casper Welzel Andersen
Date: Mon, 16 Feb 2026 12:45:04 +0100
Subject: [PATCH 2/3] Ignore diskcache safety issue

---
 .github/workflows/ci_tests.yml | 3 ---
 .../.github/workflows/ci_tests.yml | 7 +++++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci_tests.yml b/.github/workflows/ci_tests.yml
index 08a83e2..f059268 100644
--- a/.github/workflows/ci_tests.yml
+++ b/.github/workflows/ci_tests.yml
@@ -96,6 +96,3 @@ jobs:
 uses: pypa/gh-action-pip-audit@v1.1.0
 with:
 inputs: ${{ github.workspace }}/requirements.txt ${{ github.workspace }}/.github/utils/requirements.txt
- # Temporarily ignore pip vulnerability until we can upgrade to pip 25.3+
- ignore-vulns: |
- GHSA-4xh5-x5gv-qwph
diff --git a/{{ cookiecutter.project_slug }}/.github/workflows/ci_tests.yml b/{{ cookiecutter.project_slug }}/.github/workflows/ci_tests.yml
index 9fb5d02..a5472ef 100644
--- a/{{ cookiecutter.project_slug }}/.github/workflows/ci_tests.yml
+++ b/{{ cookiecutter.project_slug }}/.github/workflows/ci_tests.yml
@@ -70,9 +70,12 @@ jobs:
 uses: pypa/gh-action-pip-audit@v1.1.0
 with:
 inputs: ${{ runner.temp }}/requirements.txt
- # Temporarily ignore pip vulnerability until we can upgrade to pip 25.3+
+ # CVE-2025-69872: DiskCache 5.6.3
+ # DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default.
+ # An attacker with write access to the cache directory can achieve arbitrary code execution
+ # when a victim application reads from the cache.
 ignore-vulns: |
- GHSA-4xh5-x5gv-qwph
+ CVE-2025-69872

 pytest:
 name: pytest (${{ matrix.os[1] }}-py${{ matrix.python-version }})

From 7afb144ac2f2b868bb3ba6ca3199259684d60f65 Mon Sep 17 00:00:00 2001
From: Casper Welzel Andersen
Date: Mon, 16 Feb 2026 12:49:17 +0100
Subject: [PATCH 3/3] Ignore diskcache safety issue

---
 .github/workflows/ci_tests.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/ci_tests.yml b/.github/workflows/ci_tests.yml
index f059268..d4bc7ac 100644
--- a/.github/workflows/ci_tests.yml
+++ b/.github/workflows/ci_tests.yml
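Review bot: The `ignore-vulns` entry for CVE-2025-69872 in the pip-audit step of `{{ cookiecutter.project_slug }}/.github/workflows/ci_tests.yml` (and the identical block the third patch adds to `.github/workflows/ci_tests.yml`) documents what the vulnerability is but not why suppressing it is acceptable here or when the suppression should be lifted, whereas the comment it replaces at least named its exit condition ("until we can upgrade to pip 25.3+"). Presumably diskcache is pulled in transitively and no fixed release is pinned yet; that reason, the exit condition and a tracking reference belong in the comment, e.g. `# CVE-2025-69872 (diskcache <= 5.6.3 unpickles data from the cache dir): accepted for CI because <reason>; remove once diskcache >= <fixed version> is pinned (tracked in <issue placeholder>).` Also worth confirming that pip-audit matches the id as written; if the finding is reported under a PYSEC or GHSA alias rather than the CVE id, the ignore may not apply and the audit step may still fail. The step's `- name:` line lies above the hunk.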
@@ -63,6 +63,12 @@ jobs:
 uses: pypa/gh-action-pip-audit@v1.1.0
 with:
 inputs: ${{ runner.temp }}/requirements.txt
+ # CVE-2025-69872: DiskCache 5.6.3
+ # DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default.
+ # An attacker with write access to the cache directory can achieve arbitrary code execution
+ # when a victim application reads from the cache.
+ ignore-vulns: |
+ CVE-2025-69872

 - name: Build docs
 run: mkdocs build --strict