You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
GitHub reports 9 open Dependabot "Security and quality" advisories. This is an umbrella tracking issue: each advisory already has a dedicated remediation issue, but there was no single place to see the full set and its blocked/unblocked status. The list below is the source of truth; close this when all 9 alerts clear.
All 9 reach us transitively — none are direct dependencies of our crates. Seven root in a single dep (fnox 0.1), two in microsandbox, one in quickjs_runtime.
This issue closes when gh api repos/semiotic-agentium/agentium-os/dependabot/alerts --jq '[.[]|select(.state=="open")]|length' returns 0, and the lockfile no longer contains jsonwebtoken 9.3.1, rustls-webpki 0.101.7, rand 0.7.3, atty 0.2.14, hickory-proto 0.25.2, or lru 0.14.0.
Follow-up from #531 (the 16 advisories cargo update alone closed).
Summary
GitHub reports 9 open Dependabot "Security and quality" advisories. This is an umbrella tracking issue: each advisory already has a dedicated remediation issue, but there was no single place to see the full set and its blocked/unblocked status. The list below is the source of truth; close this when all 9 alerts clear.
All 9 reach us transitively — none are direct dependencies of our crates. Seven root in a single dep (
fnox 0.1), two inmicrosandbox, one inquickjs_runtime.The 9 alerts
IterMut)Remediation status
fnox0.1 → 1.x (closes 6: docs: guide and checklist for adding host tools #4, refactor: deduplicate FalkorDB test container setup #16, ci: prevent 60s recompilation stalls in e2e runner tests #17, test: eliminate per-test FalkorDB container startup overhead #19, Implement a ReAct loop and use provenance history #25, and feat: notion tool mvp #6 if newer fnox dropsatty). Currently blocked: the bump clears onlyranddirectly and pulls alibudevdependency via FIDO2; prior attempt (PR chore(deps): resolve secrets via fnox-core 1.x instead of the fnox CLI crate #549) was abandoned. Waiting on upstream, or a decision to replacefnox. This is the highest-leverage fix — 6 of 9 alerts, including the high-severity rustls-webpki CRL panic (Implement a ReAct loop and use provenance history #25).microsandbox=0.3.13 → 0.4.x (closes Harden A2A/QuickJS stream lifecycle: avoid silent timeouts, preserve in-flight work, and make timeout failures explicit #30; closes single nextest run in CI with JUnit reporting #29 only if 0.4.x pulls hickory-proto ≥ 0.26.x — single nextest run in CI with JUnit reporting #29 has no fix on the 0.25.x line, so verify against the lockfile). Gated behind thesandbox-providerfeature; upstream warns of breaking changes between minors.quickjs_runtime0.15.7 → 0.17.x (closes feat: Implement JSON Schema to BAML type generation with comprehensiv… #1).Verification
This issue closes when
gh api repos/semiotic-agentium/agentium-os/dependabot/alerts --jq '[.[]|select(.state=="open")]|length'returns0, and the lockfile no longer containsjsonwebtoken 9.3.1,rustls-webpki 0.101.7,rand 0.7.3,atty 0.2.14,hickory-proto 0.25.2, orlru 0.14.0.Follow-up from #531 (the 16 advisories
cargo updatealone closed).