fix(ci): ignore CVE-2026-47214 in pip-audit pending langchain-docling fix

[haroldship]

Summary

• Adds --ignore-vuln CVE-2026-47214 to the pip-audit step in CI, with a comment explaining why
• This is the short-term workaround (option 1) from [CI Problem]: Resolve docling CVE-2026-47214 (pinned <2.92 due to langchain-docling break) #45: docling is pinned to <2.92 because langchain-docling 2.0.0 doesn't support the slim package layout introduced in 2.92, so we can't take the 2.94.0 fix without breaking the integration

Test plan

• Confirm the Security (bandit + pip-audit) CI job passes
• uv run pip-audit --skip-editable --ignore-vuln GHSA-r7w7-9xr2-qq2r --ignore-vuln CVE-2026-47214 reports no known vulnerabilities locally

Closes #45

Summary by CodeRabbit

• Chores
  • Updated vulnerability scanning configuration in the continuous integration pipeline.

[coderabbitai]

Warning

Review limit reached

@haroldship, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 50 minutes and 57 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 53583153-a167-4de3-a659-1c24cf7ff405

📥 Commits

Reviewing files that changed from the base of the PR and between 8696049 and 783777b.

📒 Files selected for processing (1)

• justfile

📝 Walkthrough

Walkthrough

This PR adds a CVE ignore flag to the GitHub Actions security job. The pip-audit command now skips CVE-2026-47214 in the docling package with inline comments documenting the reason and linking to the related issue.

Changes

Security CI Configuration

Layer / File(s)	Summary
CVE ignore flag with documentation .github/workflows/ci.yml	A new --ignore-vuln CVE-2026-47214 flag is added to pip-audit alongside explanatory comments referencing the constraint issue, while preserving the existing ignore for GHSA-r7w7-9xr2-qq2r.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding a CVE ignore flag to the pip-audit step in CI, with context about the pending langchain-docling fix.
Linked Issues check	✅ Passed	The PR implements option 1 from issue #45, adding the --ignore-vuln CVE-2026-47214 flag to pip-audit with explanatory comments, fully satisfying the linked issue's coding requirements.
Out of Scope Changes check	✅ Passed	All changes are scoped to the CI configuration and directly address the CVE vulnerability handling requirement; no unrelated modifications are present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/issue-45-docling-cve

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 99-103: Update the local security gate in the justfile so it
matches CI: modify the pip-audit invocation used by the just target (the local
"security" command in justfile) to include the same ignore flags as CI by adding
--ignore-vuln GHSA-r7w7-9xr2-qq2r and --ignore-vuln CVE-2026-47214 to the
existing uv run pip-audit --skip-editable command so local `just security` and
the CI pip-audit step behave identically.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b3526f9c-ed0d-427a-9811-c8309105133d

📥 Commits

Reviewing files that changed from the base of the PR and between 99a7326 and 8696049.

📒 Files selected for processing (1)

• .github/workflows/ci.yml

[haroldship]

@coderabbitai Good catch — fixed in 783777b. The `just security` target now mirrors CI's pip-audit invocation (both `--ignore-vuln` flags), with a comment explaining the new `CVE-2026-47214` ignore alongside the existing `GHSA-r7w7-9xr2-qq2r` one.

[haroldship]

Opened #49 to track reversing this workaround once langchain-docling supports docling >=2.92 (and our transitive constraints allow it).

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@haroldship: Thanks for the update! Great to hear the just security target is now in sync with CI — having both --ignore-vuln flags and the explanatory comments in one place makes it much easier for anyone running local security checks to understand the rationale. 🐇✨

---

If you found this review helpful, would you consider giving us a shout-out on X?

Thank you for using CodeRabbit!

[Sergey-Zeltyn]

Approved.
We should remove --ignore-vuln once langchain-docling supports docling>=2.94