## Security Alert: 2 Unfixable CVEs in Dependencies Flag Critical Action Gap
An automated security scan has flagged two critical vulnerabilities in a project's dependencies that the tool cannot remediate on its own, leaving a known and unresolved exposure. The scanner, pdvd-aiops, attributed both CVEs (CVE-2025-8869 and CVE-2026-1703) to the `pip` package. The core problem is not a missing patch: a fixed release, `pip` 26.0, exists. The problem is that `pip` reaches the project only as a transitive dependency and is never declared in the project's `pyproject.toml`, so an automated version bumper has no declared requirement to raise. The report therefore records the vulnerabilities as unfixable by standard automated updates, and the project stays at known risk until someone intervenes.

The situation highlights a recurring blind spot in software supply chain security: indirect dependencies. The report's "No fix available" status for both CVEs means only that the tool's own remediation path (editing a declared version constraint) does not apply, not that no patch exists. Closing the gap is a manual task. The developer first has to find which direct dependency pulls `pip` in, confirm which `pip` version is actually installed in the environment rather than relying on the scanner's assumption, and then force the upgrade: declare `pip>=26.0` as a direct dependency, add it to a constraints file, or regenerate the lock file so that the resolver picks the fixed release. The alternative is to accept the risk explicitly, which should be a documented exception rather than a silently lingering finding.

This incident underscores the pressure on development and security teams to manage transitive dependency risk, a problem that scanning alone does not solve. Proactive scanning can surface a critical finding and still leave it open, because the tool stops at the boundary of what the project declares; closing it takes a deliberate, sometimes fiddly, manual change to the dependency declarations or lock file.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, software supply chain, vulnerability management, CVE, dependency hell
- **Credibility**: unverified
- **Published**: 2026-04-03 16:27:20
- **ID**: 49347
- **URL**: https://whisperx.ai/en/intel/49347