This repository was archived by the owner on Apr 7, 2026. It is now read-only.

sync: merge upstream/master (2026-03-26)

8ea175f
Closed

sync: merge upstream (2026-03-26) #10

GitHub Advanced Security / CodeQL failed Mar 26, 2026 in 4s

15 new alerts including 1 critical severity security vulnerability

New alerts in code changed by this pull request

Security Alerts:

  • 1 critical
  • 9 high
  • 5 medium

Alerts not introduced by this pull request might have been detected because the code changes were too large.

See annotations below for details.

Annotations

Check warning on line 26 in .github/workflows/docker.yml

@github-advanced-security github-advanced-security / CodeQL

Unpinned tag for a non-immutable Action in workflow

Unpinned 3rd party Action 'Docker' step [Uses Step](1) uses 'docker/login-action' with ref 'v3', not a pinned commit hash

Check warning on line 33 in .github/workflows/docker.yml

Unpinned tag for a non-immutable Action in workflow

Unpinned 3rd party Action 'Docker' step [Uses Step](1) uses 'docker/setup-buildx-action' with ref 'v3', not a pinned commit hash

Check warning on line 37 in .github/workflows/docker.yml

Unpinned tag for a non-immutable Action in workflow

Unpinned 3rd party Action 'Docker' step [Uses Step: meta](1) uses 'docker/metadata-action' with ref 'v5', not a pinned commit hash

Check warning on line 47 in .github/workflows/docker.yml

Unpinned tag for a non-immutable Action in workflow

Unpinned 3rd party Action 'Docker' step [Uses Step](1) uses 'docker/build-push-action' with ref 'v6', not a pinned commit hash

Check failure on line 181 in cli/src/client/board-auth.ts

Uncontrolled command line

This command line depends on a [user-provided value](1).

Check failure on line 905 in cli/src/commands/client/company.ts

Potential file system race condition

The file may have changed since it [was checked](1).

Check failure on line 52 in server/src/__tests__/codex-local-adapter-environment.test.ts

Insecure temporary file

Insecure creation of file in [the os temp dir](1).

Check failure on line 138 in server/src/__tests__/cursor-local-adapter-environment.test.ts

Insecure temporary file

Insecure creation of file in [the os temp dir](1).

Check failure on line 1644 in server/src/routes/access.ts

Missing rate limiting

This route handler performs [authorization](1), but is not rate-limited.
This route handler performs [authorization](2), but is not rate-limited.

Check failure on line 1671 in server/src/routes/access.ts

Missing rate limiting

This route handler performs [authorization](1), but is not rate-limited.

Check failure on line 1723 in server/src/routes/access.ts

Missing rate limiting

This route handler performs [authorization](1), but is not rate-limited.

Check failure on line 1736 in server/src/routes/access.ts

Missing rate limiting

This route handler performs [authorization](1), but is not rate-limited.

Check failure on line 20 in server/src/services/board-auth.ts

Use of password hash with insufficient computational effort

Password from [a call to createBoardApiToken](1) is hashed insecurely.

Check failure on line 2562 in server/src/services/company-portability.ts

Polynomial regular expression used on uncontrolled data

This [regular expression](1) that depends on [a user-provided value](2) may run slow on strings with many repetitions of '/'.
This [regular expression](1) that depends on [a user-provided value](3) may run slow on strings with many repetitions of '/'.
This [regular expression](1) that depends on [a user-provided value](4) may run slow on strings with many repetitions of '/'.
This [regular expression](1) that depends on [a user-provided value](5) may run slow on strings with many repetitions of '/'.

Check warning on line 181 in cli/src/client/board-auth.ts

Indirect uncontrolled command line

This command depends on an unsanitized [environment variable](1).
This command depends on an unsanitized [environment variable](2).