[HIGH] `dependabot.yml` configures `gomod` with `directory: "/"` but `go.mod` lives in `/cli` - Dependabot never auto-updates Go dependencies (confirmed: zero `deps:` commits in repo history; only GitHub Actions bumps exist)
[HIGH] `golang.org/x/net` is 3 minor versions behind (v0.51.0 → v0.54.0); x/net releases routinely include HTTP/2 security fixes and it is a direct transitive dependency
[MEDIUM] `ci.yml` `test` job duplicates the "Set up Go" step (appears at lines 29-33 and again at 124-129), wasting runner time on every PR CI run
[MEDIUM] `ci.yml` `test` job runs "Build for multiple platforms" and "Upload artifacts" on all three OS matrix entries (ubuntu, windows, macOS) with no `if: matrix.os == 'ubuntu-latest'` guard - causes redundant cross-compilation and three conflicting uploads to the same artifact name `binaries` (`release.yml` correctly gates this to ubuntu-only)
[MEDIUM] `codecov/codecov-action` is pinned to a v4 SHA; v5 is the current major release - v4 had a supply chain incident and v5 includes security improvements
[MEDIUM] `github.com/mark3labs/mcp-go` is 10 minor versions behind (v0.44.1 → v0.54.0), which is the core MCP integration library for this project
[MEDIUM] `github.com/azure/azure-dev/cli/azd` is pinned to a pseudo-version (`v0.0.0-20260228002641-8f080b39d69b`) instead of the latest proper release tag `v1.25.1`, making it invisible to dependency scanning tools
[LOW] `README.md` line 27 hardcodes "Version 0.1.0 • 16 agents • 28 skills" in the ASCII banner example, while the current released version is 0.2.3; also the Go version badge shows "go-1.26.0" while `go.mod` requires `go 1.26.1`
[LOW] `src/internal/skills` package has no test files - the skill installation/listing logic (`skills.go`) has zero test coverage
[LOW] MCP server configuration in `launcher.go` uses `@latest` for all npx-launched MCP packages (e.g. `@azure/mcp@latest`, `@playwright/mcp@latest`) with no version pinning, creating non-deterministic runtime behavior and supply-chain exposure
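For the first finding, a corrected `.github/dependabot.yml` as an added example (not the repository's actual file): the `/cli` directory comes from the finding above; the weekly schedule, the `github-actions` block and the `deps` commit prefix are assumptions.

```yaml
# .github/dependabot.yml (constructed example, not the project's own file)
version: 2
updates:
  # Before: directory: "/" -- there is no go.mod at the repo root, so the
  # gomod updater found nothing to update and silently never opened a PR.
  - package-ecosystem: "gomod"
    directory: "/cli"            # must be the directory that contains go.mod
    schedule:
      interval: "weekly"         # assumed cadence
    commit-message:
      prefix: "deps"             # assumed; matches the deps: convention the finding checks for

  # Workflow files are always resolved relative to the repo root, which is
  # why GitHub Actions bumps were the only updates the repo ever received.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"         # assumed cadence
```

Once merged, the absence of any `deps:`-prefixed Go bump PR after the next scheduled run is the quickest signal that `directory` still does not point at the module root.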
full quality audit
Automated analysis - 10 finding(s)