## GitHub CI Security Patch: Pinning pip>=26.0 to Fix Critical CVEs, Adding an Automated Audit
A critical security update has been implemented in a GitHub CI workflow to address two specific vulnerabilities by pinning the `pip` package installer to version 26.0 or higher. The change directly fixes CVE-2025-8869, a tar extraction vulnerability, and CVE-2026-1703, a wheel path traversal issue. The fix corrects a previously flawed installation order where `pip` was upgraded last, meaning the vulnerable version was active during the installation of other critical packages like `setuptools` and `wheel`.

The modification was made to the `.github/workflows/ci.yml` configuration file. Beyond the version pin, the workflow now includes a new, automated `pip-audit --strict` step that runs after tests. This step is designed to automatically catch future dependency CVE regressions, turning a reactive patch into a proactive security gate. The update addresses a regression from a prior issue (#70), where `setuptools` and `wheel` were already pinned, but `pip` itself was left unconstrained, creating the security gap.
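
As an added illustration (constructed here, not the project's actual `.github/workflows/ci.yml`), the job below shows the flawed step order beside the corrected one and the `pip-audit --strict` gate after the tests. The Python version, the `[test]` extras name and the `PINNED` version bounds for `setuptools`/`wheel` are placeholders, since the page does not state them.

```yaml
# Constructed example of the corrected job; not the project's real workflow.
name: ci

on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # placeholder

      # Flawed order (before): the runner's bundled pip installs setuptools
      # and wheel first, so the vulnerable pip is the one unpacking those
      # archives (CVE-2025-8869 tar extraction, CVE-2026-1703 wheel paths).
      #
      #   - run: python -m pip install "setuptools>=PINNED" "wheel>=PINNED"
      #   - run: python -m pip install --upgrade pip
      #
      # Corrected order: upgrade pip in its own step before it touches any
      # other package, with a lower bound so an old runner image cannot
      # silently keep a vulnerable version.
      - name: Upgrade pip first (CVE-2025-8869, CVE-2026-1703)
        run: |
          python -m pip install --upgrade "pip>=26.0"
          python -m pip --version   # leaves the resolved version in the log

      - name: Install build tooling with the patched pip
        # PINNED is a placeholder for the bounds already set under issue #70.
        run: python -m pip install --upgrade "setuptools>=PINNED" "wheel>=PINNED"

      - name: Install project and test dependencies
        run: python -m pip install -e ".[test]"   # extras name is a placeholder

      - name: Run tests
        run: python -m pytest

      # Gate: fails the build if any installed dependency has a known CVE,
      # so the next regression like #70 is caught by CI rather than by hand.
      - name: Audit installed dependencies
        run: |
          python -m pip install pip-audit
          pip-audit --strict
```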

This change signals a shift towards stricter, automated supply chain security within CI/CD pipelines. The mandatory audit step creates a formal checkpoint, ensuring that any newly introduced vulnerable dependencies will fail the build. It represents a concrete move from manual vulnerability tracking to enforced, continuous compliance, raising the baseline security posture for the project's development lifecycle.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, supply-chain, ci-cd, vulnerability, open-source
- **Credibility**: unverified
- **Published**: 2026-04-15 03:22:26
- **ID**: 64786
- **URL**: https://whisperx.ai/en/intel/64786