First honest dependency-scan run (dispatch 27304208837) detected the vendored fluidsynth copy at engine/src/libs/fluidsynth (git-hash match) with two known vulnerabilities:
- CVE-2021-21417 - fluidsynth use-after-free in SoundFont loading
- CVE-2025-56225
Context: fluidsynth is an optional feature (LEGENDS_ENABLE_FLUIDSYNTH); the vendored sources sit in-tree regardless of whether they compile into a given build. Exposure depends on builds that enable it and load untrusted SoundFont files.
Both CVEs are baselined in osv-scanner.toml (ignore entries reference this issue) so the dependency-scan gate enforces against new findings.
Exit criterion: upgrade or patch the vendored fluidsynth past both CVEs (or remove/replace the vendored copy), then delete the two ignore entries from osv-scanner.toml in the same PR.
Context: openspec change ci-stabilize-mandatory-lanes design D5; CI-THESIS.md R1.