4747 hooks :
4848 - id : mypy
4949 name : mypy (strict mode for code health)
50- additional_dependencies :
51- ["types-PyYAML", "types-aiofiles", "types-colorama", "types-requests", "pytest", "pytest-asyncio "]
50+ # Only include type stubs actually used by the project
51+ additional_dependencies : ["types-PyYAML"]
5252 files : ^src/
5353
5454 # ============================================================================
@@ -60,6 +60,17 @@ repos:
6060 hooks :
6161 - id : pip-audit
6262 name : pip-audit (CVE detection in dependencies)
63+ # CVE Ignores Documentation:
64+ # - GHSA-4xh5-x5gv-qwph (CVE-2025-8869): pip tar extraction path traversal.
65+ # Fix planned for pip 25.3 (not yet released). Low risk: requires attacker-controlled
66+ # sdist AND Python < 3.11.4. Project uses Python 3.9+ with modern interpreters.
67+ # Review after pip 25.3 release.
68+ # - GHSA-gm62-xv2j-4w53 (CVE-2025-66418): urllib3 decompression chain DoS.
69+ # Fixed in urllib3 2.6.0. Transitive dependency from pip-audit itself.
70+ # Project pins urllib3>=2.6.0 in pyproject.toml.
71+ # - GHSA-2xpw-w6gg-jr37 (CVE-2025-66471): urllib3 highly compressed data handling.
72+ # Fixed in urllib3 2.6.0. Transitive dependency from pip-audit itself.
73+ # Project pins urllib3>=2.6.0 in pyproject.toml.
6374 args :
6475 [
6576 " --desc" ,
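Review bot: The risk rationale for GHSA-4xh5-x5gv-qwph (new-side lines 65–66) contradicts itself: it says exploitation requires Python < 3.11.4 and then cites "Python 3.9+" as the mitigation, yet 3.9 is below 3.11.4, so the project's own minimum version sits inside the affected range. Either the precondition is misquoted or the ignore is not low-risk for the supported floor; I would rewrite line 66 as `# sdist AND Python < 3.11.4. NOTE: project floor is 3.9, which is inside that range — revisit by <review-date>.` and replace "Review after pip 25.3 release" with a concrete review date so the ignore cannot silently outlive its justification. The two urllib3 entries state the finding is transitive from pip-audit itself but justify the ignore with a pin in pyproject.toml; if the vulnerable copy lives in the hook's own environment, that pin presumably does not reach it, so the comment should name which environment the finding comes from. The args list that should carry the matching `--ignore-vuln` entries continues past the hunk, so I could not confirm the ignores correspond to the IDs documented here.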
@@ -131,7 +142,6 @@ repos:
131142 " --ignore-imports=yes" ,
132143 ]
133144 files : ^src/
134- additional_dependencies : ["types-PyYAML", "types-aiofiles", "types-colorama", "types-requests"]
135145
136146 # ============================================================================
137147 # LINTING (focused on correctness, not style)