This is an automated email from the ASF dual-hosted git repository. sbp pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit dd357f333f19977460bfcf1bec7eebeeb26878b0 Author: Dave Fisher <[email protected]> AuthorDate: Wed Mar 4 09:36:42 2026 -0800 Add vulnerability exceptions section to CONTRIBUTING.md closes #709 --- CONTRIBUTING.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index fb6b11b7..084c3112 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -170,6 +170,15 @@ make check-light Run `uv run --frozen pre-commit clean` if `pip-audit` reports false positive CVEs during checks. +## Vulnerability exceptions + +When temporarily ignoring a CVE in `pip-audit`: + +1. Add a TODO comment with expected resolution date. +2. Document justification in the PR description. +3. Create a tracking issue referencing the CVE. +4. Review exceptions monthly. + ## ASF requirements ### Contributor License Agreement --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
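Review bot: The new "Vulnerability exceptions" section (the `+` lines after `@@ -170,6 +170,15 @@`) does not say where the ignore itself is recorded, so a reader cannot tell whether step 1's TODO comment goes next to the `pip-audit` invocation in the pre-commit configuration, in a dependency file, or elsewhere; name the file so the TODO, the expected resolution date and the ignore rule stay together and are found by the monthly review in step 4. The section also overlaps with the sentence just above it ("Run `uv run --frozen pre-commit clean` if `pip-audit` reports false positive CVEs"): a false positive cleared by a cache reset and a real CVE deliberately ignored are different cases, and a short sentence stating that the four steps apply only to a CVE that is knowingly accepted (not to the cache-related false positive) would prevent contributors from skipping the tracking issue for a genuine finding. Finally, step 4 names no owner and nothing says what happens once the resolution date passes; consider a fifth step along the lines of "5. Remove the exception and close the tracking issue as soon as a fixed release is adopted" so exceptions are bounded rather than renewed indefinitely.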
