mirror of
https://github.com/safishamsi/graphify.git
synced 2026-07-11 18:07:31 +00:00
36b5e5cb29
`safety` was declared in the dev group but never invoked — the CI security-scan job only runs bandit and pip-audit, and pip-audit already provides the same dependency-CVE scanning. Its only practical effect was pulling in nltk, which carries an unpatched HIGH path-traversal advisory (GHSA-p4gq-832x-fm9v) with no fix available. Removing safety drops nltk (and safety-schemas/typer/tenacity/tomlkit) from the lockfile entirely, closing the alert with no loss of coverage. Updated the stale CI comment that referenced safety. Full suite green (2537 passed); pip-audit and bandit unaffected. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>