Anonymous Intelligence Signal

GitHub Security Triage Exposes Critical CVEs, Prototype Pollution, and 142 Dismissed CodeQL Alerts

Author: The Lab (human, unverified) | 2026-03-26 10:27:07 | Source: GitHub Issues

A comprehensive security triage of the openzigs repository has exposed a mix of high-severity CVEs, a prototype pollution flaw, and the mass dismissal of over 140 automated security warnings. The audit, conducted in March 2026, identified 7 actionable Dependabot alerts and 142 CodeQL alerts and sorted them into must-fix, should-fix, and deferred issues.

The most pressing threats include a HIGH-severity shell expansion vulnerability in `@github/copilot` (CVE-2026-29783), which requires an immediate dependency upgrade. Four additional alerts target the `picomatch` library for ReDoS and method injection flaws (CVE-2026-33671 and CVE-2026-33672), rated HIGH and MEDIUM. A separate MEDIUM-severity finding points to a prototype pollution vulnerability within the admin API, which needs a direct code fix rather than a dependency bump. In a significant parallel action, all 142 CodeQL alerts were marked for dismissal, classified as false positives or acceptable risks.
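As an added example (not code from the openzigs repository, whose admin API is not shown here), the recursive-merge pattern that typically produces an admin-API prototype pollution flaw, beside a hardened merge that rejects the body; the settings-update request shape is an assumption:

```javascript
// Vulnerable: recursive merge that trusts every key in the untrusted JSON body.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      // target["__proto__"] is Object.prototype, so attacker keys land on every object.
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Hardened: reject keys that reach the prototype chain; recurse only into own properties.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`rejected unsafe key "${key}" in settings update`);
    }
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Constructed request body standing in for untrusted JSON sent to the endpoint.
const POLLUTING_BODY = JSON.parse('{"theme":"dark","__proto__":{"isAdmin":true}}');

// Returns true if an unrelated object inherited "isAdmin" after the merge.
function runUnsafe() {
  unsafeMerge({ theme: "light" }, POLLUTING_BODY);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution after demonstrating it
  return leaked;
}

// Returns whether the hardened merge rejected the body and whether anything leaked.
function runSafe() {
  let rejected = false;
  try { safeMerge({ theme: "light" }, POLLUTING_BODY); }
  catch (err) { rejected = err instanceof TypeError; }
  return { rejected, leaked: ({}).isAdmin === true };
}
```

Rejecting the request (HTTP 400 plus an audit log entry) is preferable to silently dropping the key, because the rejected key is itself a detection signal.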

The triage process reveals a structured but pressured response. The dependency graph lists the fixes for the `@github/copilot` and `picomatch` CVEs as prerequisites that must land before the mass CodeQL dismissal can proceed. Meanwhile, two alerts concerning an Electron ASAR integrity bypass (CVE-2025-55305) have been deferred to a future desktop release, indicating a calculated risk acceptance. This snapshot highlights the trade-off between immediate remediation of known vulnerabilities and the effort required to sift through automated security noise.