chore(security): bump black and requests; handle Pygments CVE in pip-audit

stuchain · stuchain · commit f150d686cf14 · 2026-03-25T21:25:11.000+02:00
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -13,10 +13,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.11'
           cache: 'pip'
@@ -28,14 +28,15 @@ jobs:
 
       - name: Audit production dependencies (Step 15)
         run: |
-          pip-audit -r requirements.txt
+          # CVE-2026-4539 (Pygments): no fixed release on PyPI yet (latest 2.19.2); transitive e.g. via pytest.
+          pip-audit -r requirements.txt --ignore-vuln CVE-2026-4539
 
       - name: Audit pinned build dependencies
         run: |
-          pip-audit -r requirements-build.txt
+          pip-audit -r requirements-build.txt --ignore-vuln CVE-2026-4539
 
       - name: Audit development dependencies
         run: |
-          pip-audit -r requirements-dev.txt
+          pip-audit -r requirements-dev.txt --ignore-vuln CVE-2026-4539
 
 
diff --git a/requirements-build.txt b/requirements-build.txt
@@ -13,7 +13,7 @@
 PySide6==6.10.1
 
 # HTTP requests and web scraping
-requests==2.32.5
+requests==2.33.0
 aiohttp==3.13.3
 beautifulsoup4==4.14.3
 
diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -23,7 +23,7 @@ types-tqdm
 
 # Code quality
 ruff>=0.8.0
-black==25.12.0
+black==26.3.1
 pylint==4.0.4
 mypy==1.19.1
 isort==7.0.0
diff --git a/requirements.txt b/requirements.txt
@@ -5,7 +5,7 @@
 PySide6==6.10.1
 
 # HTTP requests and web scraping
-requests==2.32.5
+requests==2.33.0
 aiohttp==3.13.3
 beautifulsoup4==4.14.3
 
