
Daily Org Oversight Report — 2026-05-11 (UTC) #3276

@fro-bot

Description


Snapshot: 2026-05-11 03:59 UTC. Scope: fro-bot/{agent, .github, systematic, fro-bot.github.io} (tokentoilet archived).

Summary metrics

| Metric | Count | Δ vs. 2026-05-10 |
|---|---|---|
| New issues (<24h) | 1 | 0 |
| Open PRs | 8 | 0 |
| Aging PRs (>7d, ≤14d) | 0 | −1 |
| Stale PRs (>14d) | 1 | +1 |
| Stale issues (>30d) | 2 | 0 |
| Failing default-branch checks | 0 | 0 |
| Dependabot alerts (open) | 5 (all agent) | 0 |
| Code-scanning alerts (open, high) | 2 (agent) + 1 (.github) | 0 |
| Unassigned bugs (label:bug) | 0 | 0 |

Critical items

| Repo | Severity | Item | Recommended action |
|---|---|---|---|
| fro-bot/agent | high | fast-uri host confusion (Dependabot #71) | Day 2 unresolved. Bump or override the transitive fast-uri pin directly; Renovate has not surfaced it on its own. |
| fro-bot/agent | high | fast-uri path traversal (Dependabot #70) | Bundle with #71 (same package, same bump). |
| fro-bot/agent | high | fast-xml-builder attribute-quote bypass (Dependabot #69) | Confirm the transitive chain with `bun pm ls`; pin if no upstream patch lands. |
| fro-bot/agent | medium | fast-xml-builder comment-regex bypass (Dependabot #68) | Bundle with #69. |
| fro-bot/agent | medium | ip-address XSS in Address6 HTML methods (Dependabot #67) | Bump ip-address. No consumer renders Address6 HTML, so the risk is latent, but the alert stays open until the bump lands. |
| fro-bot/agent | high (Scorecard) | BranchProtectionID, VulnerabilitiesID | Tighten main protection through common-settings.yaml; the VulnerabilitiesID finding clears once the Dependabot alerts above are fixed. |
| fro-bot/.github | high (Scorecard) | BranchProtectionID | Mirror agent's protection ruleset here. |

No failing default-branch CI runs: every agent/main and .github/main workflow run in the last 24h is green or skipped. No broken release pipelines.
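The bundling and "day 2" logic behind the table above, as an added example that is not part of this report or of the fro-bot tooling. It takes Dependabot alert objects in the shape returned by `GET /repos/{owner}/{repo}/dependabot/alerts?state=open`, groups alerts that share a package and manifest (so #70 rides along with #71 and #68 with #69), ranks by severity and age, and flags anything open longer than a threshold at the snapshot time. Alert numbers, packages and severities are taken from the table; the `created_at` timestamps, the `package.json` manifest path and the one-day threshold are assumptions made for the example.

```python
"""Triage open Dependabot alerts the way the oversight report does: bundle alerts
that share a package and manifest, rank by severity and age, and flag alerts that
have been open past a threshold as of the snapshot time."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Snapshot time from the report header.
SNAPSHOT = datetime(2026, 5, 11, 3, 59, tzinfo=timezone.utc)

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample in the shape of the Dependabot alerts REST response (only the
# fields used below). Alert numbers, packages and severities follow the report;
# the created_at timestamps and the manifest path are assumed for this example.
SAMPLE_ALERTS = [
    {"number": 71, "state": "open", "created_at": "2026-05-09T06:12:00Z",
     "security_advisory": {"severity": "high", "summary": "fast-uri host confusion"},
     "security_vulnerability": {"package": {"ecosystem": "npm", "name": "fast-uri"}},
     "dependency": {"manifest_path": "package.json"}},
    {"number": 70, "state": "open", "created_at": "2026-05-09T06:12:00Z",
     "security_advisory": {"severity": "high", "summary": "fast-uri path traversal"},
     "security_vulnerability": {"package": {"ecosystem": "npm", "name": "fast-uri"}},
     "dependency": {"manifest_path": "package.json"}},
    {"number": 69, "state": "open", "created_at": "2026-05-09T08:30:00Z",
     "security_advisory": {"severity": "high", "summary": "fast-xml-builder attribute-quote bypass"},
     "security_vulnerability": {"package": {"ecosystem": "npm", "name": "fast-xml-builder"}},
     "dependency": {"manifest_path": "package.json"}},
    {"number": 68, "state": "open", "created_at": "2026-05-09T08:30:00Z",
     "security_advisory": {"severity": "medium", "summary": "fast-xml-builder comment-regex bypass"},
     "security_vulnerability": {"package": {"ecosystem": "npm", "name": "fast-xml-builder"}},
     "dependency": {"manifest_path": "package.json"}},
    {"number": 67, "state": "open", "created_at": "2026-05-09T12:00:00Z",
     "security_advisory": {"severity": "medium", "summary": "ip-address XSS in Address6 HTML methods"},
     "security_vulnerability": {"package": {"ecosystem": "npm", "name": "ip-address"}},
     "dependency": {"manifest_path": "package.json"}},
]


def parse_ts(ts: str) -> datetime:
    """Parse the API's RFC 3339 timestamp (trailing 'Z') into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bundle_key(alert: dict) -> tuple:
    """Alerts that fix together: same package in the same manifest."""
    pkg = alert["security_vulnerability"]["package"]["name"]
    return pkg, alert["dependency"]["manifest_path"]


def bundles(alerts: list) -> dict:
    """Open alert numbers grouped by (package, manifest), newest number first,
    so the first entry is the alert a single bump PR would reference."""
    groups = defaultdict(list)
    for a in alerts:
        if a["state"] != "open":  # the query already filters, but be defensive
            continue
        groups[bundle_key(a)].append(a["number"])
    return {k: sorted(v, reverse=True) for k, v in groups.items()}


def triage(alerts: list, now: datetime = SNAPSHOT,
           max_open: timedelta = timedelta(days=1)) -> list:
    """One row per open alert, highest severity and oldest first, with the sibling
    alerts it should be bundled with and whether it has been open longer than max_open."""
    groups = bundles(alerts)
    rows = []
    for a in alerts:
        if a["state"] != "open":
            continue
        opened = parse_ts(a["created_at"])
        age = now - opened
        pkg, manifest = bundle_key(a)
        rows.append({
            "number": a["number"],
            "package": pkg,
            "severity": a["security_advisory"]["severity"],
            "opened": opened,
            "days_open": age.days,          # whole days elapsed at the snapshot
            "overdue": age >= max_open,     # "day 2 unresolved" in the report's terms
            "bundle_with": [n for n in groups[(pkg, manifest)] if n != a["number"]],
        })
    rows.sort(key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0), r["opened"], -r["number"]))
    return rows


def overdue_numbers(alerts: list, now: datetime = SNAPSHOT,
                    max_open: timedelta = timedelta(days=1)) -> list:
    """Alert numbers that should be escalated in this cycle."""
    return [r["number"] for r in triage(alerts, now, max_open) if r["overdue"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        flag = "ESCALATE" if r["overdue"] else "ok"
        print(f'#{r["number"]:<3} {r["severity"]:<7} {r["package"]:<17} '
              f'{r["days_open"]}d {flag} bundle_with={r["bundle_with"]}')
```

Against live data the input would come from `gh api "repos/fro-bot/agent/dependabot/alerts?state=open" --paginate`, and the bundle list is the set of alerts one override or bump PR should cite; `bun pm ls --all` is the place to confirm which direct dependency pulls each package in before pinning it.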

Aging PRs

| PR | Idle | Note |
|---|---|---|
| fro-bot/systematic#2 — feat(deps): configure Renovate | 15d | Crossed the stale threshold today. Land it or close it; a Renovate config PR going stale in a Renovate-publishing repo is the kind of irony nobody wants. |

The seven open PRs in fro-bot/agent are all Renovate/automerge-tagged or recently opened (#605 wiki update opened yesterday, #602 from @marcusrbrown opened 2d ago). None has crossed the 7d aging line; they are cycling normally.

Stale issues

| Issue | Idle | Recommended next step |
|---|---|---|
| fro-bot/systematic#1 — Enable code scanning (CodeQL / Scorecard) | 63d | The repo's default branch is gh-pages (static docs), so there is no buildable code surface for CodeQL. Close as wontfix or scope down to Scorecard-only. |
| fro-bot/fro-bot.github.io#1 — Enable code scanning (CodeQL / Scorecard) | 63d | Static-site repo; same shape as above. Close with the same rationale. |

The 42 daily issues in fro-bot/.github titled "[YYYY-MM-DD] Fro Bot operational log", "Daily Org Oversight Report" and "Daily Autohealing Report" are inside their automation lifecycle and are excluded from the stale count.

Unassigned bugs / high-signal issues

label:bug + no:assignee across the org: 0. Nothing to triage.

Repo hotspots

| Rank | Repo | Open PRs | Stale items | Notes |
|---|---|---|---|---|
| 1 | fro-bot/agent | 7 | 0 | All Renovate or recently opened. The backlog moves, but the fast-uri/fast-xml-builder security chain has not been resolved in 2 cycles. |
| 2 | fro-bot/systematic | 1 | 1 | Same two items as yesterday, both now older. Dormancy is hardening. |
| 3 | fro-bot/fro-bot.github.io | 0 | 1 | Single stale issue; placeholder repo. |

Recommended actions

  • Escalate the fast-uri / fast-xml-builder / ip-address Dependabot block on fro-bot/agent; these alerts are entering their second day open. Apply a manual transitive pin if Renovate does not surface them this cycle.
  • Tighten main branch protection on fro-bot/agent and fro-bot/.github via common-settings.yaml to clear the Scorecard BranchProtectionID highs.
  • Resolve fro-bot/systematic#2 (Renovate config), now officially stale at 15d.
  • Close or rescope fro-bot/systematic#1 and fro-bot/fro-bot.github.io#1 (CodeQL on non-buildable repos).
  • No action needed on the operational-log issue stream — lifecycle is automation-driven.

Metadata

Assignees: No one assigned
Labels: No labels
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests