Summary Metrics
| Metric | Count |
| --- | --- |
| Repos scanned | 4 (agent, .github, systematic, fro-bot.github.io) |
| Total open issues (org-wide) | 34 |
| Total open PRs (org-wide) | 8 |
| New issues (last 24h) | 6 (all .github — operational/autohealing logs) |
| Stale issues (>30 days) | 2 |
| Stale PRs (>14 days) | 1 (systematic #2 hit 14-day threshold) |
| PRs with failing CI | 0 |
| Main branch failures | 0 |
| Dependabot alerts | 7 (up from 1) — agent: 5, .github: 2 |
| Code scanning alerts | 9 (agent: 4, .github: 5) |
Critical Items
Security alert volume increased sharply overnight — 6 new alerts across 2 repos.
| Repo | Item | Severity | Recommended Action |
| --- | --- | --- | --- |
| agent | NEW Dependabot #71 — fast-uri host confusion via percent-encoded authority delimiters | High | Update fast-uri to patched version |
| agent | NEW Dependabot #70 — fast-uri path traversal via percent-encoded dot segments | High | Update fast-uri to patched version |
| agent | NEW Dependabot #69 — fast-xml-builder attribute quote bypass | High | Update fast-xml-builder |
| agent | NEW Dependabot #68 — fast-xml-builder comment regex bypass | Medium | Update fast-xml-builder (same dep as #69) |
| agent | Dependabot #67 — ip-address XSS | Medium | Update ip-address |
| .github | NEW Dependabot #35 — fast-uri host confusion | High | Update fast-uri |
| .github | NEW Dependabot #34 — fast-uri path traversal | High | Update fast-uri |
| agent | Branch-Protection #1 — release branch lacks protection | High | Add branch protection rules |
| .github | Code-Review #6 — low human approval rate | High | Ensure PRs get review |
All default branches green. No main branch CI failures.
Open PRs by Repo
fro-bot/agent — 6 open PRs
| PR | Title | Age | Labels | CI |
| --- | --- | --- | --- | --- |
| #602 | feat: disable oMo by default, require enable-omo opt-in | <1d | — | Green |
| #601 | build(deps): update anomalyco/opencode to v1.14.41 | 4d | automerge, patch | Green |
| #600 | fix(deps): update @aws-sdk/client-s3 to v3.1043.0 | 5d | automerge, minor | Green |
| #599 | chore(dev): update eslint to v10.3.0 | 5d | automerge, minor | Green |
| #598 | build(deps): update @opencode-ai/sdk to v1.14.39 | 5d | automerge, patch | Green |
| #597 | build(deps): update @fro.bot/systematic to v2.8.0 | 5d | automerge, minor | Green |
fro-bot/.github — 1 open PR
| PR | Title | Age | Labels | CI |
| --- | --- | --- | --- | --- |
| #3261 | chore(dev): update jiti to v2.7.0 | <1d | automerge, minor | Green |
fro-bot/systematic — 1 open PR
| PR | Title | Age | Status |
| --- | --- | --- | --- |
| #2 | feat(deps): configure Renovate | 14 days | No CI — officially stale |
Aging & Stale PRs
| Repo | PR | Title | Last Updated | Status |
| --- | --- | --- | --- | --- |
| systematic | #2 | feat(deps): configure Renovate | 2026-04-25 | 14 days — stale threshold crossed. Merge or close. |
Stale Issues (>30 days, no activity)
| Repo | Issue | Title | Last Updated | Recommended Action |
| --- | --- | --- | --- | --- |
| systematic | #1 | Enable code scanning (CodeQL / Scorecard) | 2026-03-09 | 61 days stale. Implement or close. |
| fro-bot.github.io | #1 | Enable code scanning (CodeQL / Scorecard) | 2026-03-09 | 61 days stale. Implement or close. |
Unassigned Bugs / High-Signal Issues
No issues labeled bug with no assignee found across the org.
Repo Hotspots
| Rank | Repo | Open Issues | Open PRs | Security Alerts | Signal |
| --- | --- | --- | --- | --- | --- |
| 1 | agent | 2 | 6 | 5 Dependabot + 4 Scorecard | Highest urgency — 3 high-severity dep alerts, 5 green PRs aging 4-5 days |
| 2 | .github | 30 | 1 | 2 Dependabot + 5 Scorecard | 2 new high-severity fast-uri alerts |
| 3 | systematic | 1 | 1 | 0 | PR #2 crossed 14-day stale threshold |
Recommended Actions
- fast-uri across agent and .github — #70/#71 and #34/#35 are high-severity path traversal and host confusion vulnerabilities. Both repos affected.
- fast-xml-builder on agent — #69 (high, attribute bypass) and #68 (medium, regex bypass). One dep update resolves both.
- agent PR #602 — Marcus's feature PR (disable oMo by default). New functionality, needs review.
- agent dep PRs (#597-#601) — aging 4-5 days, all CI green
- systematic #2 — 14 days stale, past threshold
- systematic and fro-bot.github.io (#1 in both) — 61 days stale

Compared to yesterday's report (#3253): Security alert escalation — Dependabot alerts jumped from 1 to 7 (4 new high-severity across fast-uri and fast-xml-builder). .github code scanning increased to 5 alerts (was 4). Marcus opened feature PR #602 on agent. systematic PR #2 crossed the 14-day stale threshold.
Run ID: 25590551901