fix(deps): bump pygments lower bound to >=2.20.0 for CVE-2026-4539 [PYSDK-106]#594
Merged
helmut-hoffer-von-ankershoffen merged 2 commits intomainfrom Apr 25, 2026
Conversation
…eview [PYSDK-105] Adds a machine-readable verdict from the automated Claude PR review so branch-protection rules can gate `auto-merge` on the review outcome without human intervention. Changes: * `.github/labels.yml`: two new mutually-exclusive labels - `claude:review:passed` (green) — no blocking findings on current head - `claude:review:failed` (red) — blocking findings on current head * `.github/workflows/claude-code-automation-pr-review.yml`: extend prompt with a mandatory "Machine-Readable Verdict" final step. Claude must emit PASS or FAIL based on the existing CRITICAL CHECKS criteria (test markers, coverage ≥85%, lint clean, conventional commits, architecture/security) and apply the corresponding label via `gh pr edit --add-label ... --remove-label ...`. The opposite label is always removed, so the labels stay mutually exclusive across re-reviews on subsequent pushes. Re-emission: every push to a PR re-runs the review (existing `synchronize` trigger), so the verdict is always tied to the current head commit — stale verdicts cannot persist. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…YSDK-106] Re-adds the `pygments>=2.20.0` lower bound to `[project].dependencies` transitive overrides in pyproject.toml. The bound was deliberately removed in PYSDK-104 (PR #592) to give the daily audit-vulnerabilities routine a real gap to remediate; this PR closes that gap. The locked version in uv.lock (pygments 2.20.0) already protects our dev/CI env from CVE-2026-4539 (Pygments AdlLexer ReDoS, CVSS 4.8 Medium). This PR closes the remaining downstream-consumer gap so a fresh `pip install aignostics` / `uv add aignostics` / `uvx aignostics` cannot resolve `pygments<2.20.0` transitively via rich. The new lower bound (>=2.20.0) is <= the currently-locked version (2.20.0), so no dependency is upgraded — uv.lock diff is metadata-only (adds the new specifier and the dependency edge); no [[package]] version block changed. Resolves PYSDK-106. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
helmut-hoffer-von-ankershoffen
added
dependencies
helmut-hoffer-von-ankershoffen
added
dependencies
Copilot started reviewing on behalf of
helmut-hoffer-von-ankershoffen
April 25, 2026 09:28
View session
|
There was a problem hiding this comment.
Pull request overview
Reintroduces a published dependency lower bound to protect downstream SDK consumers from a pygments ReDoS CVE, and updates Claude PR review automation instructions/labels to support machine-readable PASS/FAIL gating.
Changes:
- Re-adds
pygments>=2.20.0topyproject.tomltransitive override dependencies (CVE-2026-4539). - Regenerates
uv.locksopygmentsappears as a direct requirement with>=2.20.0. - Extends the Claude PR review workflow prompt and introduces new
claude:review:{passed,failed}labels.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
pyproject.toml |
Restores pygments>=2.20.0 lower bound for downstream consumer safety. |
uv.lock |
Reflects the new direct requirement entry for pygments / >=2.20.0. |
.github/workflows/claude-code-automation-pr-review.yml |
Adds “machine-readable verdict” instructions to the Claude automation prompt. |
.github/labels.yml |
Defines claude:review:passed and claude:review:failed labels referenced by the new prompt. |
Comment on lines
214
to
+220
|
|
||
| Use `gh pr comment` with your Bash tool to leave your comprehensive review as a comment on the PR. | ||
|
|
||
| ## Machine-Readable Verdict (MANDATORY) | ||
|
|
||
| After posting your review comment, you MUST emit a single-label verdict on the PR. This label is consumed by branch-protection rules to gate auto-merge — it is the only deterministic signal of your review outcome. | ||
|
|
Comment on lines
+230
to
+242
| **Apply the label** (the two labels are mutually exclusive — always remove the opposite one): | ||
|
|
||
| ```bash | ||
| # PASS: | ||
| gh pr edit ${{ github.event.pull_request.number }} \ | ||
| --add-label "claude:review:passed" \ | ||
| --remove-label "claude:review:failed" | ||
|
|
||
| # FAIL: | ||
| gh pr edit ${{ github.event.pull_request.number }} \ | ||
| --add-label "claude:review:failed" \ | ||
| --remove-label "claude:review:passed" | ||
| ``` |
Codecov Report✅ All modified and coverable lines are covered by tests. ❌ Your project status has failed because the head coverage (63.80%) is below the target coverage (70.00%). You can increase the head coverage or adjust the target coverage. |
3 tasks
helmut-hoffer-von-ankershoffen
deleted the
fix/PYSDK-106-audit-pygments-cve-2026-4539
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🛡️ Resolves PYSDK-106 following PR-SOP-01 Problem Resolution and Non-Conforming Products, part of our ISO 13485-certified QMS | Ketryx Project.
Summary
Re-adds the
pygments>=2.20.0lower bound to[project].dependenciestransitive overrides inpyproject.toml. The bound was deliberately removed in PYSDK-104 (#592) to give the dailyaudit-vulnerabilitiesroutine a real downstream gap to detect and remediate; this PR closes that gap.CVE addressed
pygmentsReDoS in regex-based lexers, fixed in2.20.0. Severity: Medium (CVSS 5.3).rich).Why this matters for downstream consumers
pip-auditscansuv.lock(our dev/CI scope). Downstream consumers (uvx aignostics,pip install aignostics,uv add aignostics) resolve against the[project]metadata we publish to PyPI — they never see ouruv.lock. Without the lower bound inpyproject.toml, a fresh consumer install could resolvepygments<2.20.0and pull a vulnerable version even though our ownuv.lockis clean.Diff
"marshmallow>=3.26.2", # CVE-2025-68480 +"pygments>=2.20.0", # CVE-2026-4539 (>=2.20.0); transitive via rich "cryptography>=46.0.7", # CVE-2026-39892 (>=46.0.7); transitive via pyjwt[crypto]uv.lockregenerated — no version changes (pygments stays at 2.20.0, which already satisfies the new bound).Validation
make audit✅ — exits 0, no new findings; existing--ignore-vuln CVE-2026-3219(pip 26.0, no fix released) re-verified still firing.make lint✅ — ruff format + check + pyright + mypy all green.make test_unit✅ — 2 passed, 788 deselected (no behavioural change; this is metadata-only).pyproject.tomllower bounds re-verified against their advisories (locked ≥ bound).Routine context
This PR was opened by the
pysdk-audit-dailycloud routine via theqms:audit-vulnerabilitiesskill. The routine is configured to auto-merge for all severities once CI is green — for supply-chain CVEs, higher severity = higher urgency to ship. Human review happens on the linked Jira ticket post-merge if needed.Test plan
make auditpasses with re-added boundmake lintpassesmake test_unitpassesuv.lockshows no version changes🤖 Generated with Claude Code