docs: revert supply-chain vulnerability documentation from #580#630
Merged
olivermeyer merged 1 commit intomainfrom May 7, 2026
Merged
docs: revert supply-chain vulnerability documentation from #580#630olivermeyer merged 1 commit intomainfrom
olivermeyer merged 1 commit intomainfrom
Conversation
olivermeyer
requested review from
a team and
helmut-hoffer-von-ankershoffen
as code owners
olivermeyer
force-pushed
the
docs/revert-supply-chain-vulns
branch
from
677b933 to
861acfa
Compare
kruegener
approved these changes
May 6, 2026
Codecov Report✅ All modified and coverable lines are covered by tests. |
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
olivermeyer
force-pushed
the
docs/revert-supply-chain-vulns
branch
from
861acfa to
370045d
Compare
|
Comment on lines
148
to
+150
| # pip-audit to check for vulnerabilities. | ||
| # Every --ignore-vuln entry must correspond to a row in SUPPLY_CHAIN_VULNERABILITIES.md | ||
| # with rationale, scope, downstream-exposure assessment, and removal condition. | ||
| # Every --ignore-vuln entry must be documented with rationale (inline comment below) | ||
| # explaining severity, scope, downstream-exposure assessment, and removal condition. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why?
The automated solution for bumping transitive dependencies on vulnerability patches (introduced in #580) is being disabled. The accompanying documentation —
SUPPLY_CHAIN_VULNERABILITIES.md, its reference inSECURITY.md, and the link in the README footer — described that now-removed workflow and should not outlive it.How?
Deletes
SUPPLY_CHAIN_VULNERABILITIES.mdin full (including the record-keeping update from #605), and removes the two references to it added inSECURITY.mdanddocs/partials/README_footer.md. No code, dependency constraints, or CI changes are touched.