build(security): ignore pygments CVE-2026-4539 in pip-audit (#2333)

mattbit · kevinmessiaen · web-flow · commit 095967537df1 · 2026-03-25T13:22:52.000+01:00
pip-audit fails until pygments ships a fix for this low-severity ReDoS issue. The Makefile documents the TODO to remove --ignore-vuln when a patch exists.

Co-authored-by: Kevin Messiaen &lt;kevin.messiaen@icloud.com&gt;
diff --git a/Makefile b/Makefile
@@ -79,7 +79,9 @@ typecheck: ## Run type checking with basedpyright
 	uv tool run basedpyright --level error .
 
 security: ## Check for security vulnerabilities
-	uv run pip-audit --skip-editable
+	# TODO: Remove --ignore-vuln CVE-2026-4539 flag when patch exists for pygments
+	# This is a low severity redos vulnerability: https://www.cve.org/CVERecord?id=CVE-2026-4539
+	uv run pip-audit --skip-editable --ignore-vuln CVE-2026-4539
 
 generate-licenses: ## Generate licenses
 	uv tool run licensecheck --license MIT \
