From d2e1dace511c92f67496f0b8fc97d637c7eb83d7 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Tue, 7 Jul 2026 10:28:31 +0900 Subject: [PATCH 1/2] security: align central trivy-fs with documented glib exception The org Security Scan's trivy-fs job fails every bandscope PR on GHSA-wrw7-89jp-8q8g (glib 0.18.5). glib cannot be bumped: the Tauri v2 wry/webkit2gtk/gtk GTK3 chain pins the 0.18 line (cargo update moves 0 packages), and this exact advisory family is already allowlisted with justification in osv-scanner.toml and .cargo/audit.toml (RUSTSEC-2024-0429). Add it to .trivyignore so the central scanner honors the same documented exception instead of blocking all PRs on an unfixable transitive dep. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01RjGVapDZ3k7V7zKYk16P4C --- .trivyignore | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.trivyignore b/.trivyignore index 4c0c33d1..b76e2034 100644 --- a/.trivyignore +++ b/.trivyignore @@ -8,3 +8,10 @@ yt_dlp/extractor/go.py yt_dlp/extractor/nbc.py yt_dlp/extractor/tbs.py yt_dlp/extractor/vice.py +# glib 0.18.5 (GHSA-wrw7-89jp-8q8g / RUSTSEC-2024-0429 VariantStrIter): inherited +# through the Tauri v2 wry/webkit2gtk/gtk GTK3 chain; no compatible upstream path +# to glib >=0.20 yet. Already allowlisted in apps/desktop/src-tauri/osv-scanner.toml +# and .cargo/audit.toml — this aligns the central trivy-fs scan with the same +# documented exception. Remove when the Tauri GTK chain moves off glib 0.18. +GHSA-wrw7-89jp-8q8g +CVE-2024-3566 From 997ed5c577fc2e852c704a8996a4edeec879a5e2 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Tue, 7 Jul 2026 13:31:11 +0900 Subject: [PATCH 2/2] ci: re-trigger checks (prior run force-cancelled during runner-queue jam) Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01RjGVapDZ3k7V7zKYk16P4C