For each high-severity alert: assess whether the vulnerable code path is actually reachable in Scriptty. Many high-severity CVEs in transitive dependencies are not exploitable in the way we use those packages.
Dependabot version updates (configured in PR #198, "chore: add Dependabot config") will open patch PRs for fixable issues. For dev-only dependencies with no upstream fix, decide whether to dismiss the alert with a stated reason.
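For reference, an added illustration (not the contents of PR #198) of the kind of `.github/dependabot.yml` that covers both ecosystems named here; the `/` directories and the weekly schedule are assumptions about the repo layout:

```yaml
# Added example of a Dependabot version-updates config; assumed layout, not PR #198's file.
version: 2
updates:
  # npm manifest assumed at the repo root.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Keep the PR count manageable during the triage pass.
    open-pull-requests-limit: 5
    groups:
      # Bundle non-breaking bumps so fixable alerts land in one PR.
      npm-minor-and-patch:
        update-types:
          - "minor"
          - "patch"
  # Cargo.toml assumed at the repo root.
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    groups:
      cargo-minor-and-patch:
        update-types:
          - "minor"
          - "patch"
```

Security PRs from the alerts themselves are opened independently of this schedule, which is why they land separately from the version-update PRs.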
Note
Dependabot security PRs land separately from this issue. This issue is the triage tracker — close it once each of the 9 has either been patched or explicitly dismissed.
Context
After enabling vulnerability alerts during the hygiene pass, GitHub immediately surfaced 9 vulnerabilities on `main`:
These were reported in the `git push` output during PR #208 work. They split across `npm` and `cargo` ecosystems (Dependabot reports per ecosystem).
Action