You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
No PR has merged into main since 2026-06-16 (#66/#68/#69/#71). Since then, an automated review/fix routine has kept running on the same unmerged baseline and has opened 56 open PRs (is:pr is:open → total_count: 56) plus several open issues — most from claude/nice-mendel-* branches, one per run. Because the baseline never moves, each run rediscovers the same gaps and opens a new PR for them instead of finding the previous fix already proposed. The result is heavy duplication and a backlog nobody is triaging:
Separately, three Dependabot PRs (#78, #80, #96) are sitting unmerged with no apparent conflicts.
I checked commit status on two of the highest-value PRs (#98 — fixes the broken npm publish pipeline, and #99 — SSRF hardening) and both show state: pending with total_count: 0 — i.e. no CI check results are attached at all, which is itself worth a maintainer look (either CI isn't running on these branches, or the status API isn't surfacing check-runs).
Why this is high-leverage right now
The repo's automated review/fix routine is doing its job (finding real bugs — SSRF, broken releases, CSP gaps) but the output is being generated faster than it's consumed. Left alone, the backlog and duplication will keep compounding every run.
Prevent recurrence: if the automated routine that opens these PRs/issues can search existing open PRs/issues touching the same file or topic before filing a new one, it would stop re-proposing fixes that are already sitting in the queue.
Scope
No source changes proposed here — this is a repo-hygiene/triage issue covering .github PR backlog across the branches/PRs listed above.
Problem
No PR has merged into
mainsince 2026-06-16 (#66/#68/#69/#71). Since then, an automated review/fix routine has kept running on the same unmerged baseline and has opened 56 open PRs (is:pr is:open→total_count: 56) plus several open issues — most fromclaude/nice-mendel-*branches, one per run. Because the baseline never moves, each run rediscovers the same gaps and opens a new PR for them instead of finding the previous fix already proposed. The result is heavy duplication and a backlog nobody is triaging:Duplicate clusters (same underlying fix, proposed multiple times):
object-src/sensitive directives: fix(csp): flag object-src wildcard as a high-risk misconfiguration #52, fix(csp): flag scheme-only sources (https:, data:) as permissive in sensitive CSP directives #58, fix(csp): flag wildcard object-src as a security risk #59, fix(csp): detect scheme-only sources (e.g. https:) as permissive in sensitive directives #64, fix(csp): detect scheme-only permissive sources (e.g. https:) in CSP directives #67, fix(csp): flag wildcard and bare-scheme sources in object-src #84, CSP: flag policies missing both default-src and object-src #97 (7 PRs) — note the general bare-scheme case was already fixed and merged in fix(csp): flag bare-scheme sources (e.g. https:) as permissive in CSP directives #68 on 2026-06-16, so several of these may now be partially/fully redundant.--timeoutCLI arg validation (prevent silentNaN/immediate-abort): fix: validate --timeout CLI arg to prevent silent NaN abort #61, fix: --timeout NaN causes immediate request abort #77, fix(cli): validate URL and --timeout before fetching #82, fix(cli): validate --timeout value instead of silently coercing to NaN #100 (4 PRs).--min-grade/--fail-on): feat(cli): add --min-grade flag for configurable CI exit threshold #55, feat(cli): add --fail-on flag to make the CI gate threshold configurable #56, feat(cli): add --fail-on grade option for configurable CI gate threshold #73, Add --min-grade flag for configurable CI gate threshold #74 (4 PRs).fetchHeaders: fix(security): block SSRF in fetchHeaders — reject private/internal targets #92, fix: add SSRF protections to fetchHeaders #99 (2 PRs, both address issue fetchHeaders has no SSRF protection — arbitrary/internal URLs are fetched unchecked #91).Separately, three Dependabot PRs (#78, #80, #96) are sitting unmerged with no apparent conflicts.
I checked commit status on two of the highest-value PRs (#98 — fixes the broken npm publish pipeline, and #99 — SSRF hardening) and both show
state: pendingwithtotal_count: 0— i.e. no CI check results are attached at all, which is itself worth a maintainer look (either CI isn't running on these branches, or the status API isn't surfacing check-runs).Why this is high-leverage right now
Proposed action
pending/total_count: 0status on ci: fix npm publish never firing after automated release tags #98 and fix: add SSRF protections to fetchHeaders #99 suggests checks may not be attached; worth a quick look before merging anything.Scope
No source changes proposed here — this is a repo-hygiene/triage issue covering
.githubPR backlog across the branches/PRs listed above.