fix(deps): pin pip>=26.1 for CVE-2026-3219

[ian-flores]

Summary

• Pins pip>=26.1 in [project].dependencies to resolve CVE-2026-3219 (medium-severity tar/zip archive confusion in pip).
• Follows the existing CVE-pin convention in pyproject.toml (e.g. pygments>=2.20.0 # CVE-2026-4539 fix, python-multipart>=0.0.26 # CVE-2026-40347 fix).
• Updates uv.lock to bump pip 26.0.1 → 26.1 (only entry touched).

Why

The Dependency Audit CI job runs pip-audit --skip-editable and was failing on every PR because the locked pip 26.0.1 is vulnerable to CVE-2026-3219. The fix landed upstream in pypa/pip#13870 and shipped in pip 26.1. Pinning the floor unblocks the audit on this branch and on every other open PR (#229, #230, #231, #232, #233).

Test plan

• uv lock resolves to pip 26.1
• uv run pip-audit --skip-editable reports No known vulnerabilities found
• No other dependency churn in the lockfile diff

[Copilot]

Pull request overview

Pins a minimum pip version to address CVE-2026-3219 and unblock the repo’s pip-audit CI job by ensuring the resolved/locked pip is non-vulnerable.

Changes:

• Add pip>=26.1 to pyproject.toml dependencies (with CVE note).
• Update uv.lock to resolve pip to 26.1 and reflect the new dependency in the editable posit-vip metadata.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File	Description
pyproject.toml	Adds a pip>=26.1 floor to address CVE-2026-3219.
uv.lock	Updates the locked pip artifact to 26.1 and updates editable package metadata accordingly.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-04-30 02:01 UTC