ci: drop CVE-2026-3219 workaround, bump pip>=26.1.1

.github/workflows/ci.yml

@@ -75,7 +75,7 @@ jobs:
 
       - name: Install pre-commit
         run: |
-          python -m pip install --upgrade pip
+          python -m pip install --upgrade "pip>=26.1.1"
           pip install pre-commit
 
       - name: Cache pre-commit hooks
@@ -149,7 +149,7 @@ jobs:
 
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
+          python -m pip install --upgrade "pip>=26.1.1"
           pip install -e ".[test]"
 
       - name: Create required directories
@@ -226,7 +226,7 @@ jobs:
 
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
+          python -m pip install --upgrade "pip>=26.1.1"
           pip install -e ".[test]"
 
       - name: Create required directories
@@ -285,7 +285,7 @@ jobs:
 
       - name: Install build tools
         run: |
-          python -m pip install --upgrade pip
+          python -m pip install --upgrade "pip>=26.1.1"
           pip install build twine
 
       - name: Build sdist and wheel
@@ -336,7 +336,7 @@ jobs:
       - name: Install project dependencies
         shell: bash -l {0}
         run: |
-          python -m pip install --upgrade pip
+          python -m pip install --upgrade "pip>=26.1.1"
           pip install -e ".[test]"
 
       - name: Generate Dependency Documentation
@@ -391,7 +391,7 @@ jobs:
 
       - name: Install security tools
         run: |
-          python -m pip install --upgrade pip
+          python -m pip install --upgrade "pip>=26.1.1"
           # ``[sarif]`` extra installs the optional SARIF formatter (jschema-to-python).
           pip install "bandit[sarif]" pip-audit
 
@@ -433,9 +433,7 @@ jobs:
           echo "╚════════════════════════════════════════════════════════════╝"
           pip install -e ".[test]"
           pip freeze | grep -ivE "^juniper[-_]data[-_]client" > reports/security/requirements.txt
-          # --ignore-vuln CVE-2026-3219: pip 26.0.1 on the runner image
-          # has no fix available as of 2026-04-29.
-          pip-audit -r reports/security/requirements.txt --strict --desc on --ignore-vuln CVE-2026-3219 \
+          pip-audit -r reports/security/requirements.txt --strict --desc on \
             || (echo "::error::Critical/High vulnerabilities found in dependencies" && exit 1)
 
       - name: Upload Security Reports

.github/workflows/scheduled-tests.yml

@@ -55,7 +55,7 @@ jobs:
 
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
+          python -m pip install --upgrade "pip>=26.1.1"
           pip install -e ".[test]" || pip install -e ".[dev]" || pip install -e .
 
       - name: Run slow / integration tests

.github/workflows/security-scan.yml

@@ -21,7 +21,7 @@ jobs:
 
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
+          python -m pip install --upgrade "pip>=26.1.1"
           pip install "bandit[sarif]" pip-audit
           pip install -e ".[dev]"
 
@@ -34,12 +34,7 @@ jobs:
           bandit -r juniper_data_client --confidence-level medium --severity-level medium
 
       - name: Run pip-audit (Dependency Vulnerabilities)
-        # --ignore-vuln CVE-2026-3219: pip 26.0.1 (pre-installed on the
-        # GitHub Actions runner image) is flagged for the concatenated
-        # tar/ZIP confusion issue. As of 2026-04-29 there is no fixed
-        # pip release. Re-evaluate and remove this flag when pip
-        # publishes a fix.
-        run: pip-audit --strict --desc on --ignore-vuln CVE-2026-3219
+        run: pip-audit --strict --desc on
 
       - name: Upload Security Reports
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1