Bump pip-tools from 7.5.2 to 7.5.3 in /{{ cookiecutter.project_slug }}/.github/utils in the packages group across 1 directory

.github/workflows/ci_tests.yml

@@ -63,6 +63,12 @@ jobs:
       uses: pypa/gh-action-pip-audit@v1.1.0
       with:
         inputs: ${{ runner.temp }}/requirements.txt
+        # CVE-2025-69872: DiskCache 5.6.3
+        #   DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default.
+        #   An attacker with write access to the cache directory can achieve arbitrary code execution
+        #   when a victim application reads from the cache.
+        ignore-vulns: |
+          CVE-2025-69872
 
     - name: Build docs
       run: mkdocs build --strict
@@ -96,6 +102,3 @@ jobs:
       uses: pypa/gh-action-pip-audit@v1.1.0
       with:
         inputs: ${{ github.workspace }}/requirements.txt ${{ github.workspace }}/.github/utils/requirements.txt
-        # Temporarily ignore pip vulnerability until we can upgrade to pip 25.3+
-        ignore-vulns: |
-          GHSA-4xh5-x5gv-qwph

{{ cookiecutter.project_slug }}/.github/utils/requirements_ci.txt

@@ -1 +1 @@
-pip-tools==7.5.2
+pip-tools==7.5.3

{{ cookiecutter.project_slug }}/.github/workflows/ci_tests.yml

@@ -70,9 +70,12 @@ jobs:
       uses: pypa/gh-action-pip-audit@v1.1.0
       with:
         inputs: ${{ runner.temp }}/requirements.txt
-        # Temporarily ignore pip vulnerability until we can upgrade to pip 25.3+
+        # CVE-2025-69872: DiskCache 5.6.3
+        #   DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default.
+        #   An attacker with write access to the cache directory can achieve arbitrary code execution
+        #   when a victim application reads from the cache.
         ignore-vulns: |
-          GHSA-4xh5-x5gv-qwph
+          CVE-2025-69872
 
   pytest:
     name: pytest (${{ matrix.os[1] }}-py${{ matrix.python-version }})