:rotating_light: Policy Compliance Violation — Action Required

[jeff-at-trimble]

🚨 Policy Compliance Violation

This public repository has been found in violation of the Open and Inner Source Publication Policies and Procedures.

Findings

Severity	Category	Finding
🔴 MUST	Security	0 critical and 3 high open Dependabot vulnerabilities (must be zero)

Timeline

• Grace period: 30 days from the date of this issue
• If not resolved: This repository will be delisted (public → internal)
• Need more time? Add the delist-deferred label to this issue for a one-time 14-day extension
• If resolved after delisting: Visibility will be automatically restored to public once all MUST violations are cleared

How to fix

Open this repo in VS Code with GitHub Copilot enabled, then run the oss-compliance reusable prompt — it will walk you through every required change.

For more details, see the oss-overseer repo and the latest audit report.

---

This issue was automatically created by oss-overseer.

[jeff-at-trimble]

🔍 Compliance Re-check

Thanks for working on this! A re-check was triggered and found the following outstanding violations:

Severity	Category	Finding
🔴 MUST	Security	0 critical and 3 high open Dependabot vulnerabilities (must be zero)
🟡 SHOULD	Security	4 medium and 2 low open Dependabot vulnerabilities

Vulnerability details (9 alerts)

• libcrux-sha3 (high) — GHSA-q29p-9pfr-j652 — Cargo.lock
• aws-lc-sys (high) — GHSA-9f94-5g5w-gf6r — Cargo.lock
• aws-lc-sys (high) — GHSA-394x-vwmw-crm3 — Cargo.lock
• Pygments (low) — GHSA-5239-wwwm-4pmq — uv.lock
• requests (medium) — GHSA-gc5v-m9x4-r6x2 — uv.lock
• rustls-webpki (medium) — GHSA-pwjx-qhcg-rvj4 — Cargo.lock
• tar (medium) — GHSA-gchp-q4r4-x4ff — Cargo.lock
• tar (medium) — GHSA-j4xf-2g29-59ph — Cargo.lock
• lru (low) — GHSA-rhfx-m35p-ff5j — Cargo.lock

Please resolve the remaining items. This issue will be automatically closed once all MUST violations are cleared.

---

Re-check performed by oss-overseer.

[trimble-oss-overseer]

🔍 Compliance Re-check

Thanks for working on this! A re-check was triggered and found the following outstanding violations:

Severity	Category	Finding
🔴 MUST	Security	0 critical and 3 high open Dependabot vulnerabilities (must be zero)
🟡 SHOULD	Security	4 medium and 2 low open Dependabot vulnerabilities

Vulnerability details (9 alerts)

• libcrux-sha3 (high) — GHSA-q29p-9pfr-j652 — Cargo.lock
• aws-lc-sys (high) — GHSA-9f94-5g5w-gf6r — Cargo.lock
• aws-lc-sys (high) — GHSA-394x-vwmw-crm3 — Cargo.lock
• Pygments (low) — GHSA-5239-wwwm-4pmq — uv.lock
• requests (medium) — GHSA-gc5v-m9x4-r6x2 — uv.lock
• rustls-webpki (medium) — GHSA-pwjx-qhcg-rvj4 — Cargo.lock
• tar (medium) — GHSA-gchp-q4r4-x4ff — Cargo.lock
• tar (medium) — GHSA-j4xf-2g29-59ph — Cargo.lock
• lru (low) — GHSA-rhfx-m35p-ff5j — Cargo.lock

Please resolve the remaining items. This issue will be automatically closed once all MUST violations are cleared.

---

Re-check performed by oss-overseer.