v3.14.0
- VG1088: vite < 5.4.9 (and bundled launch-editor < 2.9.0) dev-server command injection on Windows (CVE-2024-52011) — surfaced by daily intel, drafted via the scaffold pipeline
- Exact-pin only (0-FP: caret/tilde resolve to the fix); validated on the corpus with 1 true positive and 0 false positives
- 442 rules / 37 tools; gate green (PASS/A/0)