Upgrades the pygments package, which I guess has a vulnerability

strips git and normalizes torch, which also needs no hashes output
Ok, doesn't do sarif, and strip the Git dependency
2026-05-04 21:55:25 +00:00 · 2026-05-02 13:03:00 -07:00 · 2026-05-02 12:59:09 -07:00 · 2026-05-02 12:51:04 -07:00 · 2026-05-02 11:02:44 -07:00 · 2026-05-02 11:00:05 -07:00
2 changed files with 25 additions and 3 deletions
@@ -27,6 +27,28 @@ jobs:
          persist-credentials: false
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+  pip-audit:
+    name: pip-audit
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Set up uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+      - name: Export all requirements from lockfile
+        run: |
+          uv export --all-groups --no-hashes --format requirements-txt \
+            | grep -v " @ git+" \
+            | sed 's/==\([0-9][0-9.]*\)+[a-zA-Z0-9_]*/==\1/g' \
+            > /tmp/requirements-auditable.txt
+      - name: Run pip-audit
+        uses: pypa/gh-action-pip-audit@1220774d901786e6f652ae159f7b6bc8fea6d266 # v1.1.0
+        with:
+          inputs: /tmp/requirements-auditable.txt
  semgrep:
    name: Semgrep CE
    runs-on: ubuntu-24.04
@@ -3695,11 +3695,11 @@ wheels = [

 [[package]]
 name = "pygments"
-version = "2.19.2"
+version = "2.20.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/b0/77/a5b8c569bf593b0140bde72ea885a803b82086995367bf2037de0159d924/pygments-2.19.2.tar.gz", hash = "sha256:636cb2477cec7f8952536970bc533bc43743542f70392ae026374600add5b887", size = 4968631, upload-time = "2025-06-21T13:39:12.283Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/c3/b2/bc9c9196916376152d655522fdcebac55e66de6603a76a02bca1b6414f6c/pygments-2.20.0.tar.gz", hash = "sha256:6757cd03768053ff99f3039c1a36d6c0aa0b263438fcab17520b30a303a82b5f", size = 4955991, upload-time = "2026-03-29T13:29:33.898Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/c7/21/705964c7812476f378728bdf590ca4b771ec72385c533964653c68e86bdc/pygments-2.19.2-py3-none-any.whl", hash = "sha256:86540386c03d588bb81d44bc3928634ff26449851e99741617ecb9037ee5ec0b", size = 1225217, upload-time = "2025-06-21T13:39:07.939Z" },
+    { url = "https://files.pythonhosted.org/packages/f4/7e/a72dd26f3b0f4f2bf1dd8923c85f7ceb43172af56d63c7383eb62b332364/pygments-2.20.0-py3-none-any.whl", hash = "sha256:81a9e26dd42fd28a23a2d169d86d7ac03b46e2f8b59ed4698fb4785f946d0176", size = 1231151, upload-time = "2026-03-29T13:29:30.038Z" },
 ]

 [[package]]
Author	SHA1	Message	Date
Trenton Holmes	8b81e68400	Upgrades the pygments package, which I guess has a vulnerability	2026-05-02 13:03:00 -07:00
Trenton Holmes	261b692b4b	strips git and normalizes torch, which also needs no hashes output	2026-05-02 12:59:09 -07:00
Trenton Holmes	ab94079674	Ok, doesn't do sarif, and strip the Git dependency	2026-05-02 12:51:04 -07:00
Trenton Holmes	556d5bd3c8	probably connects it to the Github UI	2026-05-02 11:02:44 -07:00
Trenton Holmes	e1c8c6769f	Introduces a pip-audit job	2026-05-02 11:00:05 -07:00