From 13e248a2d9ffabce6c42afdfa7c2d16c043002f9 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 15 Jun 2026 16:43:38 +0000
Subject: [PATCH 1/2] [pre-commit.ci] pre-commit autoupdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

updates:
- [github.com/astral-sh/ruff-pre-commit: v0.15.15 → v0.15.17](https://github.com/astral-sh/ruff-pre-commit/compare/v0.15.15...v0.15.17)
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c188a9a..410167c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -14,7 +14,7 @@ repos:
 - id: trailing-whitespace
 exclude: "tests/cis_tests/.*"
 - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: v0.15.15
+ rev: v0.15.17
 hooks:
 - id: ruff
 args: [--fix, --exit-non-zero-on-fix]

From fed3b3165720fe2a1324aa7809d6da738991718a Mon Sep 17 00:00:00 2001
From: Chen Zhang
Date: Mon, 15 Jun 2026 17:20:02 -0400
Subject: [PATCH 2/2] ci(grype): allowlist transitive pyo3 advisories embedded in rpds-py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The grype gate fails on two pyo3 0.28.3 vulnerabilities iBeatles cannot remediate from this repo — pyo3 is statically linked into the rpds-py wheel (transitive: jupyter/jsonschema -> referencing -> rpds-py), fixable only by an upstream conda-forge rebuild against pyo3 >= 0.29.0:
- GHSA-36hh-v3qg-5jq4 (HIGH): OOB read in nth/nth_back for PyList/PyTuple
- GHSA-chgr-c6px-7xpp (MEDIUM): missing Sync bound on PyCFunction::new_closure

CI-machinery only (no numbers-pipeline change). Each entry carries a revisit condition; the gate still fails on any other fixable medium+ finding.

Assisted-With: Claude Opus 4.8 (1M context)
---
 .grype.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/.grype.yaml b/.grype.yaml
index db29a3e..c3b827e 100644
--- a/.grype.yaml
+++ b/.grype.yaml
@@ -78,3 +78,17 @@ ignore:
 - vulnerability: CVE-2026-11824
 package:
 name: sqlite
+
+ # pyo3 0.28.3 is statically linked into the rpds-py wheel (transitive:
+ # jupyter/jsonschema -> referencing -> rpds-py). grype catalogs it from the
+ # compiled binary, but it is not fixable from this repo — it needs an upstream
+ # conda-forge rebuild of rpds-py against pyo3 >= 0.29.0 (the first patched
+ # version). Remove both once that lands (the lockfile-update workflow will pick
+ # it up). The same advisories were fixed directly in the group's own Rust repos
+ # (NEREIDS/bm3dornl).
+ - vulnerability: GHSA-36hh-v3qg-5jq4 # HIGH: pyo3 OOB read in nth/nth_back for PyList/PyTuple
+ package:
+ name: pyo3
+ - vulnerability: GHSA-chgr-c6px-7xpp # MEDIUM: pyo3 missing Sync bound on PyCFunction::new_closure
+ package:
+ name: pyo3
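Review bot: The two new ignore rules at the end of the hunk match on package name alone, so they will keep suppressing GHSA-36hh-v3qg-5jq4 and GHSA-chgr-c6px-7xpp for whatever pyo3 version grype catalogs, not just the 0.28.3 build the comment describes; the "Remove both once that lands" condition then rests on someone remembering to delete them. Pinning each rule to the affected build, `version: "0.28.3"` beside `name: pyo3` under each `package:` mapping, makes the suppression expire on its own: a rebuilt rpds-py that ships a different but still-affected pyo3 would fail the gate again instead of being silently allowlisted. It would also help to record in the comment which rpds-py wheel version carried the pyo3 0.28.3 metadata, so the next reviewer can check whether the suppression still applies without re-deriving it from a scan. The enclosing `ignore:` list begins above the hunk.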