[Security] Post-#192 default-branch PR queue stabilization and dependency gate closure

[seonghobae]

현재 역할

• 직무 / O0: v0.1.4 release-readiness stabilization
• 업무 / O1: post-[Security] Post-PR #191 GitHub Actions warning and branch-gate follow-through #192 default-branch PR queue stabilization and dependency/security gate closure
• 과업 / O2~O3: stale PR recovery, dependency alert closure, CodeQL workflow warning cleanup
• 작업 / O4~O7: evidence capture, branch update, patch PRs, CI/security gate verification, closure notes

현재 상태

Closed baseline:

• [Security] Post-PR #191 GitHub Actions warning and branch-gate follow-through #192 closed with default-branch post-merge evidence.
• docs: clarify supply-chain warning triage #193 merged the post-[Security] Post-PR #191 GitHub Actions warning and branch-gate follow-through #192 supply-chain warning triage policy update.

Open stabilization targets:

• Dependabot alert chore(deps-dev): bump @types/node from 22.19.15 to 25.4.0 #19: rand (GHSA-cq8v-f236-94qc) in apps/desktop/src-tauri/Cargo.lock.
• Dependabot alert chore(deps): bump actions/setup-python from 5.6.0 to 6.2.0 #10: Pygments (GHSA-5239-wwwm-4pmq) in services/analysis-engine/uv.lock.
• Dependabot alert chore: bootstrap setup baseline #1: glib (GHSA-wrw7-89jp-8q8g) in apps/desktop/src-tauri/Cargo.lock.
• github/codeql-action/upload-sarif DEP0169 warnings in trivy and ossf-scorecard default-branch runs.
• PR chore(deps-dev): bump vitest from 4.1.1 to 4.1.5 #173 is open and BEHIND the default branch.

현재 코드 기준 유효성

This successor issue keeps #192 from becoming a false finish line. The v0.1.4 queue is only stable when default-branch-compatible PR state, dependency/security alerts, security-workflow warning output, and required-gate evidence are reconciled from the current codebase.

상위/하위/인접 관계

• 상위 직무: v0.1.4 release readiness.
• 본 이슈 업무: default-branch PR queue and dependency/security gate stabilization.
• Historical references: [Security] Post-PR #191 GitHub Actions warning and branch-gate follow-through #192 and docs: clarify supply-chain warning triage #193 remain closed baseline evidence, not active blockers.
• 하위 과업:
  1. Recover or close stale PR chore(deps-dev): bump vitest from 4.1.1 to 4.1.5 #173 after default-branch update assessment.
  2. Close Dependabot alerts chore(deps-dev): bump @types/node from 22.19.15 to 25.4.0 #19, chore(deps): bump actions/setup-python from 5.6.0 to 6.2.0 #10, and chore: bootstrap setup baseline #1 through maintained fixes or narrow documented external-owner evidence.
  3. Remove or track CodeQL upload-sarif DEP0169 warnings from trivy and ossf-scorecard.
  4. Re-run required CI/security evidence and record closure summary.

실행 순서

1. O2: Confirm canonical PR continuity and default-branch queue state.
2. O3: Triage PR chore(deps-dev): bump vitest from 4.1.1 to 4.1.5 #173 BEHIND: update branch if still relevant, or supersede/close with evidence.
3. O3: Patch dependency alerts in maintained-fix order where possible: Pygments lock/audit exception removal, then Rust transitive evidence for rand/glib.
4. O3: Patch CodeQL upload-sarif DEP0169 warnings by moving to a maintained immutable action SHA, or record external-owner follow-up if warning persists.
5. O4: Run required branch checks, dependency/security gates, and targeted local verification.
6. O5~O7: Add closure evidence as issue/PR comments; keep PR body concise and avoid dumping logs.

완료 조건

• PR chore(deps-dev): bump vitest from 4.1.1 to 4.1.5 #173 is either updated and merge-ready, or closed/superseded with canonical PR evidence.
• Dependabot alerts chore(deps-dev): bump @types/node from 22.19.15 to 25.4.0 #19, chore(deps): bump actions/setup-python from 5.6.0 to 6.2.0 #10, and chore: bootstrap setup baseline #1 are closed or explicitly marked non-actionable with current owner-chain evidence.
• CodeQL upload-sarif DEP0169 warnings no longer appear in trivy and ossf-scorecard runs, or a narrow upstream-owned follow-up exists with exact run evidence.
• v0.1.4 milestone has a clear queue status summary.
• Required CI/security gates pass on the current default-branch-compatible head.

[coderabbitai]

🔗 Related PRs

#21 - chore(deps): consolidate green Dependabot updates [merged]
#54 - docs: align required checks with stable gates [merged]
#81 - chore: patch npm audit vulnerabilities and restore canonical docs [merged]
#190 - fix: enforce OSSF Scorecard publish constraints [merged]
#191 - fix: patch rust dependency advisory ownership [closed]
#193 - docs: clarify supply-chain warning triage [closed]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!

[seonghobae]

PR #195 is the first execution slice for this successor program.

Scope:

• fixes Dependabot alert chore(deps): bump actions/setup-python from 5.6.0 to 6.2.0 #10 by locking Pygments to 2.20.0,
• removes the stale GHSA-5239-wwwm-4pmq pip-audit ignore,
• updates the github/codeql-action/upload-sarif SHA pins in trivy and ossf-scorecard to v4.35.2 while keeping immutable SHA pinning,
• adds regression coverage for the removed Python audit exception.

Remaining tracked targets after PR #195: Dependabot alerts #19 and #1, PR #173 queue disposition, and default-branch confirmation that SARIF upload warnings are gone or externally tracked.

[seonghobae]

PR #195 landed default-branch Pygments/security-audit stabilization.

Evidence:

• PR Close Pygments audit exception #195 merged into develop at 2cc1615: Close Pygments audit exception #195
• Local verification before merge: supply-chain policy tests 46 passed; ruff passed; verify_supply_chain passed; security_gates passed; verify_docs passed; pip-audit --local --strict found no known vulnerabilities.
• PR-head gates passed on 198bc39, including CodeRabbit current-head approval/status, security-audit, trivy, OSSF-adjacent SARIF upload checks, CodeQL, dependency-review, sbom, secret-scan-gate, ci, and macOS/Windows build gates.
• develop post-merge runs for 2cc1615 passed: build-baseline 25170201269, ci 25170201264, security-audit 25170201334, trivy 25170201438, ossf-scorecard 25170201268, codeql 25170201256, sbom 25170201270, release 25170201298, bandit 25170201265, secret-scan-gate 25170201249.
• Dependabot alert chore(deps): bump actions/setup-python from 5.6.0 to 6.2.0 #10 (Pygments GHSA-5239-wwwm-4pmq) is now state=fixed.
• The targeted Node DEP0169 url.parse() warning no longer appears in the post-merge trivy/ossf upload-sarif logs. Remaining OSSF warnings are scorecard/SARIF data quality warnings (for example invalid URI 'no file associated with this alert'), not the fixed DEP0169 runtime warning.

Remaining tracked alerts:

• chore(deps-dev): bump @types/node from 22.19.15 to 25.4.0 #19 rand GHSA-cq8v-f236-94qc remains open.
• chore: bootstrap setup baseline #1 glib GHSA-wrw7-89jp-8q8g remains open.

[seonghobae]

Rust advisory owner-chain slice update:

• Branch pushed: stepwise/rust-alert-owner-chain-v2
• Commit: 38f5ac72a28af0e6f8b839cdabc0e0aa294faa7c
• Removed stale Rust audit exceptions for RUSTSEC-2026-0097 (rand 0.7.3) and RUSTSEC-2025-0057 (fxhash).
• Refreshed Tauri lockfile path to drop kuchikiki / selectors / phf 0.8 / proc-macro-hack and legacy rand 0.7.3.
• Kept only the externally owned glib 0.18.5 / RUSTSEC-2024-0429 exception, now documented as Tauri/wry/webkit2gtk/gtk GTK3-owned and guarded in scripts/checks/verify_supply_chain.py.
• Added follow-up tracker for the remaining upstream-owned glib exception: [Security] Track upstream-owned glib 0.18.5 RustSec exception #196.
• Narrowed Tauri capability from core:default to explicit event permissions.

Local evidence on the pushed head:

python3 scripts/checks/verify_supply_chain.py
Supply-chain verification passed

uv run --project services/analysis-engine pytest services/analysis-engine/tests/test_supply_chain_policy.py -q
55 passed in 0.25s

git diff --check
(no output)

[seonghobae]

PR #197 Rust advisory owner-chain slice landed and default-branch gates are green.

Merge evidence:

• PR: Close Rust advisory owner-chain gaps #197
• Head: 688f9d66f0d7da43eedc7badff8245255985fbec
• Merge commit on develop: d596c036c4b1054df7b67a3fff9a7ceeddbe3fbf
• Merged at: 2026-05-01T07:50:22Z
• CodeRabbit gate: SUCCESS / review completed on current head before merge.

PR gate evidence before merge:

• ci / build-and-test: pass
• dependency-review: pass
• security-audit: pass
• CodeQL: pass
• trivy-fs-scan: pass
• sbom: pass
• release-preflight: pass
• gate / build / windows: pass
• gate / build / macos: pass
• gate / ci / rust-check: pass
• build / windows / amd64: pass
• build / windows / arm64: pass
• build / macos / amd64: pass
• build / macos / arm64: pass

Post-merge develop evidence for d596c036c4b1054df7b67a3fff9a7ceeddbe3fbf:

• ci: success — https://github.com/seonghobae/bandscope/actions/runs/25207094921
• security-audit: success — https://github.com/seonghobae/bandscope/actions/runs/25207094906
• codeql: success — https://github.com/seonghobae/bandscope/actions/runs/25207094913
• trivy: success — https://github.com/seonghobae/bandscope/actions/runs/25207094907
• sbom: success — https://github.com/seonghobae/bandscope/actions/runs/25207094915
• release: success — https://github.com/seonghobae/bandscope/actions/runs/25207094904
• build-baseline: success — https://github.com/seonghobae/bandscope/actions/runs/25207094911
• bandit: success — https://github.com/seonghobae/bandscope/actions/runs/25207094917
• ossf-scorecard: success — https://github.com/seonghobae/bandscope/actions/runs/25207094924
• secret-scan-gate: success — https://github.com/seonghobae/bandscope/actions/runs/25207094910
• Dependabot Updates: success — https://github.com/seonghobae/bandscope/actions/runs/25207103553

Result:

• rand 0.7.3, fxhash, proc-macro-hack, and the stale RustSec exceptions are gone from the default branch.
• Remaining glib 0.18.5 exception is narrow, repo-controlled, path-guarded, and tracked by [Security] Track upstream-owned glib 0.18.5 RustSec exception #196 for upstream removal.
• Tauri capability exposure no longer uses core:default.

[seonghobae]

PR #198 landed and default-branch verification completed for the OSSF Scorecard SARIF upload-warning slice.

Evidence:

• PR Fix Scorecard SARIF upload warnings #198 merged: Fix Scorecard SARIF upload warnings #198
• Merge commit: e47e684
• Current-head CodeRabbit review: approved on d644fb2
• PR checks passed before merge, including CodeRabbit, build-baseline Windows/macOS, CI, CodeQL, dependency-review, security-audit, SBOM, secret-scan-gate, Trivy, and Bandit.
• Post-merge develop runs for e47e684 completed successfully:
  • ossf-scorecard: https://github.com/seonghobae/bandscope/actions/runs/25212295544
  • build-baseline: https://github.com/seonghobae/bandscope/actions/runs/25212295554
  • ci: https://github.com/seonghobae/bandscope/actions/runs/25212295572
  • codeql: https://github.com/seonghobae/bandscope/actions/runs/25212295552
  • security-audit: https://github.com/seonghobae/bandscope/actions/runs/25212295559
  • release: https://github.com/seonghobae/bandscope/actions/runs/25212295545
  • sbom: https://github.com/seonghobae/bandscope/actions/runs/25212295551
  • trivy: https://github.com/seonghobae/bandscope/actions/runs/25212295567
  • bandit: https://github.com/seonghobae/bandscope/actions/runs/25212295555
  • secret-scan-gate: https://github.com/seonghobae/bandscope/actions/runs/25212295548
• OSSF evidence: raw Scorecard SARIF still contains repository-level placeholder URIs before normalization, then the upload job logged Normalized 4 OSSF Scorecard repository-level SARIF locations and Successfully uploaded results for normalized-scorecard-results.sarif with no invalid-SARIF upload failure.

Follow-up note: the post-merge OSSF run still shows an upstream Node DEP0005 Buffer() deprecation warning emitted by actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c while downloading the Scorecard artifact. That is a separate external action-runtime warning from the SARIF URI upload failure fixed here; it remains part of the broader zero-warning backlog if no action version removes it yet.

[seonghobae]

Opened child/follow-up issue for the residual default-branch warning observed after PR #198:

• [Security] Remove actions/download-artifact Buffer deprecation warning #199 tracks the actions/download-artifact Node [DEP0005] Buffer() warning in the OSSF Scorecard artifact-download path.
• Relationship: [Security] Remove actions/download-artifact Buffer deprecation warning #199 is a child/follow-up of this stabilization program, predecessor PR Fix Scorecard SARIF upload warnings #198, related historical issue [Bug] Fix OSSF Scorecard publish failure after PR #185 merge #187, and adjacent release-download exposure in build-baseline.
• Milestone: v0.1.4 Default-branch Reconciliation & Zero-warning Stabilization.

[seonghobae]

PR #200 completed the child warning-remediation slice for #199.\n\nEvidence:\n- PR #200 merged: https://github.com/seonghobae/bandscope/pull/200\n- Merge commit on develop: 18a6c312bfa7b593ce41f03001697fc6a575ce0c\n- Post-merge develop OSSF Scorecard run: https://github.com/seonghobae/bandscope/actions/runs/25220530783\n- Run conclusion: success; jobs ossf-scorecard and scorecard-sarif-upload both succeeded.\n- Warning re-check: no DEP0005, Buffer(), DeprecationWarning, Warning, or deprecated matches in the fetched post-merge upload-job log.\n\nResult: #199 is closed. Remaining zero-warning work continues with the adjacent build-baseline artifact-download exposure and any fresh default-branch warnings/security-gate findings.