From 53962ad6a68c937ade35ec93ce1d9288a09287bf Mon Sep 17 00:00:00 2001
From: Andriy Lysyuk
Date: Wed, 25 Mar 2026 15:03:27 +0100
Subject: [PATCH 1/2] fix(security): risk-accept pygments ReDoS (ENG-13187)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- pygments 2.19.2 → risk-accepted (GHSA-5239-wwwm-4pmq, CVSS 3.3 LOW)
No fix available — 2.19.2 is latest and marked last_affected.
ignoreUntil: 2026-06-23

Co-Authored-By: Claude Sonnet 4.6
---
 osv-scanner.toml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/osv-scanner.toml b/osv-scanner.toml
index 5d9e5a38..8a8b4786 100644
--- a/osv-scanner.toml
+++ b/osv-scanner.toml
@@ -2,3 +2,8 @@
 id = "GHSA-2g6r-c272-w58r"
 ignoreUntil = "2026-06-15T00:00:00Z"
 reason = "langchain-core SSRF via image_url token counting (LOW). Fix requires upgrading langchain-core 0.3.x -> 1.2.11, a breaking major version change incompatible with our ^0.3.15 constraint. No semver-compatible fix available."
+
+[[IgnoredVulns]]
+id = "GHSA-5239-wwwm-4pmq"
+ignoreUntil = "2026-06-23T00:00:00Z"
+reason = "LOW severity (CVSS 3.3). pygments 2.19.2 is the latest release and is marked last_affected — no fix version published yet. ReDoS via GUID regex only exploitable with attacker-controlled syntax highlighting inputs."

From 8060f6dea478902d4a26c9334fda7ec04f9638b8 Mon Sep 17 00:00:00 2001
From: Andriy Lysyuk
Date: Wed, 25 Mar 2026 15:29:21 +0100
Subject: [PATCH 2/2] fix(security): correct pygments advisory reason text (AdlLexer, not GUID regex)

---
 osv-scanner.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/osv-scanner.toml b/osv-scanner.toml
index 8a8b4786..7d2cfe83 100644
--- a/osv-scanner.toml
+++ b/osv-scanner.toml
@@ -6,4 +6,4 @@ reason = "langchain-core SSRF via image_url token counting (LOW). Fix requires u
 [[IgnoredVulns]]
 id = "GHSA-5239-wwwm-4pmq"
 ignoreUntil = "2026-06-23T00:00:00Z"
-reason = "LOW severity (CVSS 3.3). pygments 2.19.2 is the latest release and is marked last_affected — no fix version published yet. ReDoS via GUID regex only exploitable with attacker-controlled syntax highlighting inputs."
+reason = "LOW severity (CVSS 3.3). pygments 2.19.2 is the latest release and is marked last_affected — no fix version published yet. ReDoS in AdlLexer (pygments/lexers/archetype.py) is only exploitable with attacker-controlled syntax highlighting inputs."
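Review bot: The new `reason` line rests on "only exploitable with attacker-controlled syntax highlighting inputs", but the entry never records whether this codebase feeds untrusted text to pygments or lets callers choose the lexer, and that fact is what makes the acceptance sound or not — the advisory as described here is tied to one lexer (AdlLexer in pygments/lexers/archetype.py), which is presumably reached only when that lexer is selected explicitly or picked by `guess_lexer()` on the input. Suggest stating the verified precondition in the reason and restoring the ticket the commit subject cites, e.g. `reason = "ENG-13187: LOW (CVSS 3.3). No fixed pygments release yet (2.19.2 is last_affected). Not reachable here: pygments runs only on trusted/internal content with a fixed lexer, never guess_lexer()/get_lexer_by_name() on user input (verified in <module>)."`, so the suppression is auditable from scanner output alone. If that cannot be established, capping input length and running highlighting under a timeout is a cheaper control than accepting a ReDoS. Because `last_affected` means no fix version exists yet, treat the 2026-06-23 `ignoreUntil` as a re-check date rather than an automatic renewal, and remove the entry as soon as a fixed release is published.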