fix(ci): ignore unfixable upstream pyjwt advisories in pip-audit gate

engahmed1190 · claude · engahmed1190 · commit 4ef79819ac7f · 2026-06-07T01:04:18.000+03:00
The "Vulnerable Dependency Check" job failed on pyjwt 2.12.1 (PYSEC-2026-175/
177/178/179, fixed in 2.13.0). These cannot be fixed from pos_next:

  - The CI step installs the app with `pip install --no-deps .`, so a pin in
    pyproject.toml is never resolved.
  - frappe version-15 hard-pins `PyJWT~=2.12.1` (&lt;2.13), so the fixed 2.13.0
    is excluded regardless. This is an upstream-frappe constraint.

Revert the no-op pyproject pin and instead `--ignore-vuln` the four specific
advisory IDs in the pip-audit step (NOT the package), so the gate still fails
on any NEW vulnerability. Revisit when frappe relaxes its PyJWT pin.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -64,4 +64,14 @@ jobs:
           pip install "erpnext @ git+https://github.com/frappe/erpnext.git@version-15"
           cd ${GITHUB_WORKSPACE}
           pip install --no-deps .
-          pip-audit --desc on
+          # The pyjwt advisories below live in PyJWT 2.12.1, which frappe
+          # version-15 hard-pins (PyJWT~=2.12.1, i.e. <2.13). They are fixed in
+          # 2.13.0 but pos_next cannot upgrade a dependency frappe constrains —
+          # this is an upstream-frappe issue, not a pos_next one. Ignore the
+          # specific IDs (NOT the package) so the gate still fails on any NEW
+          # vulnerability; revisit when frappe relaxes its PyJWT pin.
+          pip-audit --desc on \
+            --ignore-vuln PYSEC-2026-175 \
+            --ignore-vuln PYSEC-2026-177 \
+            --ignore-vuln PYSEC-2026-178 \
+            --ignore-vuln PYSEC-2026-179
diff --git a/pyproject.toml b/pyproject.toml
@@ -9,11 +9,7 @@ readme = "README.md"
 dynamic = ["version"]
 dependencies = [
     # "frappe~=15.0.0" # Installed and managed by bench.
-    "erpnext",
-    # pyjwt arrives transitively via frappe. Pin >=2.13.0 to clear PYSEC-2026-175/
-    # 177/178/179 (HMAC key confusion, jku SSRF, unbounded JWKS fetch, detached-JWS
-    # DoS) flagged by the CI pip-audit gate. Not used directly by pos_next.
-    "pyjwt>=2.13.0",
+    "erpnext"
 ]
 
 [build-system]
