docs: revert supply-chain vulnerability documentation from #580

olivermeyer · claude · olivermeyer · commit 59506a28e571 · 2026-05-07T09:08:58.000+02:00
Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/SECURITY.md b/SECURITY.md
@@ -31,8 +31,6 @@ d. **[trivy](https://trivy.dev/latest/)**: Pre commit to GitHub scans Python dep
 
 e. **[ox.security](https://www.ox.security/)**: Monitors dependencies for vulnerabilities pre and post release on GitHub.
 
-How we handle vulnerabilities in our Python dependency supply chain — including the default path of raising lower bounds in `pyproject.toml`, and the list of advisories we have consciously accepted because no upstream fix is available yet — is documented in [SUPPLY_CHAIN_VULNERABILITIES.md](SUPPLY_CHAIN_VULNERABILITIES.md).
-
 ### 2. License Compliance Checks and Software Bill of Materials (SBOM)
 
 a. **[pip-licenses](https://pypi.org/project/pip-licenses/)**: Inspects and matches the licenses of all dependencies with allow list to ensure compliance with licensing requirements and avoid using components with problematic licenses. `licenses.csv`, `licenses.json` and `licenses_grouped.json` published [per release](https://github.com/aignostics/python-sdk/releases).
diff --git a/SUPPLY_CHAIN_VULNERABILITIES.md b/SUPPLY_CHAIN_VULNERABILITIES.md
diff --git a/docs/partials/README_footer.md b/docs/partials/README_footer.md
@@ -3,9 +3,6 @@
 1. Inspect our
    [security policy](https://aignostics.readthedocs.io/en/latest/security.html)
    with detailed documentation of checks, tools and principles.
-   How we handle vulnerabilities in our Python dependency supply chain is
-   documented in
-   [SUPPLY_CHAIN_VULNERABILITIES.md](https://github.com/aignostics/python-sdk/blob/main/SUPPLY_CHAIN_VULNERABILITIES.md).
 1. Inspect how we achieve
    [operational excellence](https://aignostics.readthedocs.io/en/latest/operational_excellence.html)
    with information on our modern toolchain and software architecture.
diff --git a/noxfile.py b/noxfile.py
@@ -146,8 +146,8 @@ def audit(session: nox.Session) -> None:
     _setup_venv(session)
 
     # pip-audit to check for vulnerabilities.
-    # Every --ignore-vuln entry must correspond to a row in SUPPLY_CHAIN_VULNERABILITIES.md
-    # with rationale, scope, downstream-exposure assessment, and removal condition.
+    # Every --ignore-vuln entry must be documented with rationale (inline comment below)
+    # explaining severity, scope, downstream-exposure assessment, and removal condition.
     try:
         session.run(
             "pip-audit",
diff --git a/pyproject.toml b/pyproject.toml
@@ -125,7 +125,7 @@ dependencies = [
     "urllib3>=2.6.3,<3", # CVE-2026-21441 requires >= 2.6.3
     "wsidicom>=0.28.1,<1",
     "fastmcp>=3.2.0,<4",
-    # Transitive overrides (see SUPPLY_CHAIN_VULNERABILITIES.md)
+    # Transitive overrides: lower bounds enforced to shield consumers from known CVEs/GHSAs.
     # WARNING: one cannot negate or downgrade a dependency required here. use override-dependencies for that.
     "rfc3987; sys_platform == 'never'", # GPLv3
     "h11>=0.16.0",                      # CVE-2025-43859
