Todo: remove `--ignore-vuln CVE-2026-4539`

> @copilot fix the ci (sca) daily

Fixed in `8369255`.

The SCA job was failing because `pygments 2.19.2` (transitive dep via `rich`) has `CVE-2026-4539` (ReDoS in `AdlLexer`) with **no patched release available yet** ([advisory](https://github.com/advisories/GHSA-5239-wwwm-4pmq)).

Changes to `.github/workflows/devsecops.yml`:
- Added `pip install -e ".[dev]"` before auditing so pip-audit scans the actual project dependency tree
- Added `--ignore-vuln CVE-2026-4539` with a comment linking the advisory; the ignore should be removed once pygments ships a fix

_Originally posted by @Copilot in https://github.com/castops/cast-cli/pull/2#issuecomment-4123994781_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Todo: remove `--ignore-vuln CVE-2026-4539` #3

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Todo: remove --ignore-vuln CVE-2026-4539 #3

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

Todo: remove `--ignore-vuln CVE-2026-4539` #3