Get CI passing again by ignoring the pip CVE.

Julian · Julian · commit 88c8ff206349 · 2025-10-06T07:31:16.000-04:00
It's not relevant to us, pip isn't a dependency.

This fix isn't quite right though as clearly we should run pip-audit in
a way where we don't get false positives when its own dependencies (here
pip) have vulnerabilities.

Running pip-audit on a library (as opposed to an end-user application)
isn't the most common use however, so it doesn't appear there's a
straightforward way to do this unless we come up with one ourselves.
diff --git a/noxfile.py b/noxfile.py
@@ -104,7 +104,14 @@ def audit(session, installable):
     Audit dependencies for vulnerabilities.
     """
     session.install("pip-audit", installable)
-    session.run("python", "-m", "pip_audit")
+    session.run(
+        "python",
+        "-m",
+        "pip_audit",
+        "--ignore-vuln",
+        "GHSA-4xh5-x5gv-qwph",  # pip vuln, not relevant, but we need to figure
+                                # out how to properly run pip-audit
+    )
 
 
 @session()
