
Daily Org Oversight Report — 2026-03-08 (UTC) #2959

@fro-bot


Summary Metrics

| Metric | Count |
| --- | --- |
| Repositories | 4 |
| New issues (today) | 0 |
| Open issues (org-wide) | 15 |
| Open PRs (org-wide) | 4 |
| Stale issues (>30 days) | 0 |
| Stale PRs (>14 days) | 0 |
| Aging PRs (>7 days) | 0 |
| Failing main-branch checks | 0 |
| Dependabot alerts | 9 |
| Code scanning alerts | 15 |
| Secret scanning alerts | 0 |

Note: Secret scanning is disabled on fro-bot/.github. Code scanning is not configured on fro-bot/fro-bot.github.io or fro-bot/systematic.


🔴 Critical Items

Dependabot — High-Severity Alerts

| Repo | Package | Severity | Alert | Summary |
| --- | --- | --- | --- | --- |
| .github | minimatch | High | #20 | ReDoS via nested *() extglobs |
| .github | minimatch | High | #19 | ReDoS via multiple non-adjacent GLOBSTAR |
| .github | minimatch | High | #18 | ReDoS via multiple non-adjacent GLOBSTAR |
| .github | minimatch | High | #17 | ReDoS via nested *() extglobs |
| .github | minimatch | High | #16 | ReDoS via repeated wildcards |
| agent | tar | High | #27 | Hardlink path traversal via drive-relative linkpath |

Recommended action: Merge fro-bot/agent#280 to resolve the tar alert. Upgrade minimatch transitive dependency in .github (check Dependency Dashboard #2828).

Dependabot — Medium-Severity Alerts

| Repo | Package | Severity | Alert | Summary |
| --- | --- | --- | --- | --- |
| .github | ajv | Medium | #15 | ReDoS when using $data option |
| .github | ajv | Medium | #14 | ReDoS when using $data option |
| .github | undici | Medium | #9 | Unbounded decompression chain in HTTP responses |

Code Scanning — High-Severity Findings

| Repo | Tool | Alert | Description |
| --- | --- | --- | --- |
| agent | CodeQL | #20 | Potential file system race condition |
| agent | Scorecard | #16 | Token-Permissions |
| agent | Scorecard | #13 | Vulnerabilities |
| agent | Scorecard | #6 | Maintained |
| agent | Scorecard | #5 | Code-Review |
| agent | Scorecard | #4, #3 | Token-Permissions |
| agent | Scorecard | #1 | Branch-Protection |
| .github | Scorecard | #9 | Vulnerabilities |
| .github | Scorecard | #6 | Code-Review |
| .github | Scorecard | #1 | Branch-Protection |

Recommended action: Prioritize the CodeQL finding (agent#20) — it's the only non-Scorecard high finding. Address Scorecard items (branch protection, token permissions) as part of repo hardening.

Main Branch Status

All main-branch checks are passing. One Fro Bot check on .github is currently in progress (likely this run).


Aging PRs (>7 days no activity)

None. All 4 open PRs have been updated within the last 7 days.

| Repo | PR | Title | Last Updated |
| --- | --- | --- | --- |
| .github | #2953 | chore(deps): update actions/dependency-review-action to v4.9.0 | 2026-03-03 |
| .github | #2951 | chore(deps): update dependency jdx/mise to v2026.3.5 | 2026-03-08 |
| .github | #2958 | chore(deps): update dependency pnpm to v10.31.0 | 2026-03-08 |
| agent | #280 | fix(deps): bump tar override to 7.5.10 (GHSA-qffp-2rhf-9h96) | 2026-03-07 |

Watch: .github #2953 was last updated 5 days ago — approaching the 7-day threshold.


Stale Issues (>30 days no activity)

None. All open issues have recent activity.


Unassigned Bugs / High-Signal Issues

No issues are labeled bug across the organization.

Other unassigned items of note:

  • .github#2828 — Dependency Dashboard (unassigned, auto-managed by Renovate)
  • agent#2 — Dependency Dashboard (unassigned, auto-managed by Renovate)

Repo Hotspots

| Rank | Repository | Open PRs | Security Alerts | Notes |
| --- | --- | --- | --- | --- |
| 1 | fro-bot/.github | 3 | 13 | 5 high-severity minimatch dependabot alerts; 3 high Scorecard findings |
| 2 | fro-bot/agent | 1 | 11 | 1 high CodeQL finding + 1 high tar dependabot alert; security PR open |
| 3 | fro-bot/fro-bot.github.io | 0 | 0 | Clean — no open issues, PRs, or alerts |

fro-bot/systematic is also clean, with 0 open items.


Recommended Actions

  • Merge agent#280 — resolves high-severity tar path traversal vulnerability
  • Review & merge dependency update PRs in .github (#2951, #2958, #2953)
  • Investigate minimatch transitive dependency in .github — 5 high-severity ReDoS alerts across 3 advisories
  • Address ajv and undici medium-severity alerts in .github
  • Triage CodeQL race condition finding in agent (#20)
  • Harden repos: address Scorecard branch-protection, token-permissions, and code-review findings in both .github and agent
  • Enable secret scanning on fro-bot/.github
  • Close older Daily Org Oversight Report issues in .github (12 open reports accumulating)
