This is an automated email from the ASF dual-hosted git repository.
wave pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/main by this push:
new 3dda4df3 Add vulnerability exceptions section to CONTRIBUTING.md
3dda4df3 is described below
commit 3dda4df354dc8c6fd286a118461532be41147813
Author: Dave Fisher <[email protected]>
AuthorDate: Wed Mar 4 09:36:42 2026 -0800
Add vulnerability exceptions section to CONTRIBUTING.md
closes #709
---
CONTRIBUTING.md | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index fb6b11b7..89ec4d20 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -170,6 +170,14 @@ make check-light
Run `uv run --frozen pre-commit clean` if `pip-audit` reports false positive
CVEs during checks.
+## Vulnerability Exceptions
+
+When temporarily ignoring a CVE in `pip-audit`:
+1. Add a TODO comment with expected resolution date.
+2. Document justification in the PR description.
+3. Create a tracking issue referencing the CVE.
+4. Review exceptions monthly.
+
## ASF requirements
### Contributor License Agreement
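Review bot: Step 1 asks for a TODO comment but the section never says where the exception itself lives, so a reviewer doing the monthly check in step 4 has nothing concrete to grep for. Name the location (the `pip-audit` arguments in the pre-commit configuration, where an ignore is expressed with `--ignore-vuln`) and fix a comment format that carries the CVE id, the expected resolution date and the tracking issue from steps 1 and 3 together, so all three are found next to the ignore itself. Step 2 records the justification only in the PR description, which is not visible from the repository; ask for it to be repeated in the tracking issue or in the TODO comment. Step 4 names no owner or trigger for the monthly review; saying who performs it (or which routine task it is folded into) makes the step enforceable rather than aspirational.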
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]