fix(deps): replace safety with pip-audit to resolve CVE-2025-14009

CybotTM · CybotTM · commit 39b106c67f73 · 2026-02-25T14:58:33.000+01:00
safety pulls in nltk 3.9.2 which has a critical Zip Slip vulnerability (CVE-2025-14009) with no patched version available. pip-audit provides the same dependency vulnerability scanning without the nltk dependency, using the OSV database (PyPA-maintained). Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -96,18 +96,18 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install bandit safety
+          pip install bandit pip-audit
 
       - name: Run bandit
         run: |
           bandit -r cli_audit -f json -o bandit-report.json || true
           bandit -r cli_audit
         continue-on-error: true
 
-      - name: Run safety check
+      - name: Run pip-audit
         run: |
-          safety check --json || true
-          safety check
+          pip-audit --desc --fix --dry-run || true
+          pip-audit
         continue-on-error: true
 
   build:
diff --git a/pyproject.toml b/pyproject.toml
@@ -42,7 +42,7 @@ dev = [
     "isort>=7.0.0",
     "build>=1.3.0",
     "twine>=6.2.0",
-    "safety>=3.7.0",
+    "pip-audit>=2.10.0",
     "markdown>=3.10",
 ]
 
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ dev = [`
`42`	`42`	`"isort>=7.0.0",`
`43`	`43`	`"build>=1.3.0",`
`44`	`44`	`"twine>=6.2.0",`
`45`		`- "safety>=3.7.0",`
	`45`	`+ "pip-audit>=2.10.0",`
`46`	`46`	`"markdown>=3.10",`
`47`	`47`	`]`
`48`	`48`