OSS Security Knowledge Base
Track open-source package security audits, advisory coverage, vulnerability history, and recent KB progress across npm, Python, Go, Rust, Kubernetes, Linux, and Homebrew ecosystems.
The goal is to show which packages have already been reviewed, what public security history is known, and where meaningful open-source security coverage gaps still remain.
60 packages tracked
6 audited
54 unaudited
Recent KB Progress
2026-04-20
advisory-review | serde (crates.io), express-session (npm), cors (npm)
Ran a public-information-only review pass across one lingering Rust seed page and two npm comparison candidates using an OSV API package query, RustSec advisory search, crates.io metadata, upstream README / repository security-policy checks, and the required local Claude-compatible proxy at `http://127.0.0.1:8319`, with evidence saved under `raw/advisory-review-20260420-0637/`. `serde` was the only substantive update from this pass, so its page was upgraded from a thin seed stub into a conservative baseline page that explicitly records the absence of a direct package-scoped OSV / RustSec advisory in this review window, separates core `serde` from related `serde_*` crate advisories, and notes the lack of a confirmed repository-level `SECURITY.md` without turning that documentation gap into a vulnerability claim. `express-session` and `cors` were re-screened as comparison candidates, but the public package-scoped evidence reviewed here still did not justify stronger changes than the current baseline pages already carry. The proxy synthesis step succeeded and was used only as a drafting aid; final `serde` edits were checked back against the saved public evidence before landing.
2026-04-20
advisory-review | github.com/labstack/echo/v4 (Go), django (PyPI), github.com/gorilla/mux (Go)
Ran a public-information-only review pass across one clean Go web-framework gap and two comparison candidates using an OSV package query, detailed OSV vulnerability records, public GHSA / Go vulnerability aliases, upstream GitHub release notes, upstream `CHANGELOG.md`, and upstream `SECURITY.md`, with evidence saved under `raw/advisory-review-20260420-023819/echo-v4/`. `github.com/labstack/echo/v4` was the only substantive update from this pass, so a new advisory-mapped page now captures its two currently published package records: the Windows-only static-handler directory traversal issue fixed in `4.2.0` and the static-handler open redirect fixed in `4.9.0`, while also preserving current upstream support-policy context for maintained `v4` and `v5` lines. `django` and `github.com/gorilla/mux` were re-screened as comparison candidates in this maintenance window, but no page changes were forced because Django still needs a larger advisory-normalization pass and `gorilla/mux` still did not justify a confident package page from the compact public evidence reviewed here. The required local Claude-compatible proxy synthesis step succeeded via `http://127.0.0.1:8319` and was used only as a drafting aid; final Echo edits were checked back against the saved public evidence bundle before landing.
2026-04-19
advisory-review | cookie-parser (npm), cors (npm), helmet (npm)
Ran a public-information-only review pass across three high-usage npm middleware gaps using OSV package queries, authenticated GitHub Advisory Database API queries, npm registry metadata, the npm downloads API, upstream changelog / history material, and the required local Claude-compatible proxy at `http://127.0.0.1:8319`, with evidence saved under `raw/advisory-review-20260419-223816/`. All three candidates turned into conservative additive baseline pages rather than forced advisory-heavy summaries: `cookie-parser` remains a no-direct-advisory package in this pass but now captures evidence-backed dependency context around the `cookie@0.7.x` hardening line; `cors` now records that no package-scoped GHSA / OSV record was confirmed and explicitly frames its main risk boundary as downstream policy configuration; and `helmet` now records the same no-direct-advisory result while preserving the useful positive signal from its published `SECURITY.md` disclosure path. The proxy synthesis step succeeded and was used only as a drafting aid; final page content was checked back against the saved public evidence bundle before landing.
2026-04-19
advisory-review | express-session (npm)
Ran a public-information-only review pass against one high-usage npm session-management gap using npm registry metadata, the npm downloads API, an OSV package query, upstream GitHub release metadata, upstream `HISTORY.md`, and spot-checks of public GHSA / CVE pages collected under `raw/advisory-review-20260419-143837/`. This pass added a conservative new baseline page for `express-session` rather than forcing an advisory-heavy summary: the page explicitly records that no clean package-scoped OSV / GHSA record was confirmed in this window, preserves the upstream `1.5.2` note about the `cookie-signature@1.0.4` timing-attack fix, and captures the package's important deployment-boundary cautions around session stores, cookie settings, and proxy trust without presenting misconfiguration as a package CVE. The required local Claude-compatible proxy synthesis step succeeded via `http://127.0.0.1:8319` and was used only as a drafting aid; final page content was checked back against the saved public evidence bundle before landing.
2026-04-18
advisory-review | tough-cookie (npm), form-data (npm), cookie-signature (npm), mime (npm)
Ran a public-information-only review pass across four npm cookie / HTTP-client-adjacent packages using OSV package queries, GitHub Advisory Database records, public CVE aliases, upstream issue / commit / release references, npm registry metadata, and the npm downloads API collected under `raw/advisory-review-20260418-223817/`. `tough-cookie`, `form-data`, and `cookie-signature` were all clean substantive additions from this pass, so new advisory-mapped pages now capture `tough-cookie`'s two older parser-ReDoS fixes plus the later `4.1.3` prototype-pollution repair, `form-data`'s 2025 predictable multipart-boundary fix across the maintained `2.x`, `3.x`, and `4.x` lines, and `cookie-signature`'s historical timing-attack fix in `1.0.4`. `mime` was screened as a comparison candidate in the same pass and its public advisory trail was gathered, but no page was forced this round because the maintenance window was spent on the three higher-leverage additions above. The required local Claude-compatible proxy synthesis step succeeded via `http://127.0.0.1:8319` and was used only as a drafting aid; final page content was checked back against the saved public advisory, commit, and release evidence before landing.
2026-04-18
advisory-review | jinja2 (PyPI), django (PyPI), github.com/gorilla/mux (Go)
Ran a public-information-only review pass across one high-value Python templating gap and two comparison candidates using OSV package queries, public GHSA / CVE aliases, PyPA advisory aliases, upstream changelog and release-note entries, PyPI metadata, and pypistats download data. `jinja2` was the only clean substantive update from this pass, so a new advisory-mapped page now captures its 10 normalized published vulnerabilities across the 2014 cache-directory issues, repeated sandbox-breakout fix trains, the 2020 `urlize` ReDoS, the 2024 `xmlattr` follow-on hardening sequence, and the 2025 `|attr` sandbox bypass fixed in `3.1.6`. `django` and `github.com/gorilla/mux` were screened as comparison candidates in the same pass, but no page changes were forced here because Django's package history is much larger than this maintenance window allowed and `gorilla/mux` again did not surface package-scoped OSV records. The required local Claude-compatible proxy synthesis step succeeded via `http://127.0.0.1:8319` and was used only as a drafting aid; final `jinja2` edits were checked back against the public advisory and changelog evidence before landing.
2026-04-18
advisory-review | flask (PyPI), github.com/labstack/echo/v4 (Go), express-session (npm)
Ran a public-information-only review pass across one high-value Python framework gap and two comparison candidates using OSV package queries, public GHSA / CVE aliases, upstream changelog / release notes, PyPI metadata, and pypistats download data collected under `raw/advisory-review-20260418-143837/`. `flask` was the only clean substantive update from this pass, so a new advisory-mapped page now captures its five currently published package records across the older crafted-JSON / memory-usage denial-of-service issues, the 2023 cache-mediated session-cookie disclosure fixed in `2.2.5` / `2.3.2`, the 2025 fallback-key signing-order regression fixed in `3.1.1`, and the 2026 `Vary: Cookie` follow-on fix in `3.1.3`. `github.com/labstack/echo/v4` and `express-session` were screened as comparison candidates in the same pass, but no page changes were forced here because Echo still deserves a dedicated Go-specific normalization pass and `express-session` again did not surface package-scoped OSV records in this window. The required local Claude-compatible proxy synthesis step succeeded via `http://127.0.0.1:8319` and was used only as a drafting aid; final `flask` edits were checked back against the saved public evidence bundle before landing.
2026-04-18
advisory-review | multer (npm), flask (PyPI), github.com/labstack/echo/v4 (Go)
Ran a public-information-only review pass across one high-usage npm upload-middleware gap and two comparison candidates using OSV package queries, GitHub Advisory Database records, public CVE aliases, upstream GitHub security advisories, upstream release notes / changelog, npm registry metadata, and the npm downloads API collected under `raw/advisory-review-20260418-1037/`. `multer` was the only clean substantive update from this pass, so a new advisory-mapped page now captures its seven currently published high-severity denial-of-service records across the 2025-2026 fix train from `2.0.0` through `2.1.1`, including the stream-leak, malformed-request, resource-exhaustion, cleanup, and uncontrolled-recursion fixes explicitly called out in upstream releases. `flask` and `github.com/labstack/echo/v4` were reviewed as comparison candidates in the same pass, but they still need dedicated advisory-by-advisory normalization passes rather than a rushed mixed-ecosystem summary. The required local Claude-compatible proxy synthesis step succeeded via `http://127.0.0.1:8319` and was used only as a drafting aid; final `multer` edits were checked back against the saved public evidence bundle before landing.
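Every pass above starts from an OSV package query and then reduces the returned records to the package-scoped aliases and fixed versions that end up on a page. The block below is an added example written for this KB page; it is not tooling from this KB, from OSV, or from any of the packages named above. `query_osv` performs the live `POST https://api.osv.dev/v1/query` call (network, not used by the sample run), and `normalize` keeps only the `affected` entries that name the queried package in the queried ecosystem, so a multi-package record or a sibling-package record does not leak into a page in the way the `serde` / `serde_*` scope note warns about. The sample records, their `EXAMPLE-` IDs and placeholder aliases, the `example.test/webfw` package names, and the `version_key` helper are all constructed for the example.

```python
"""Normalize OSV package records into a package-scoped advisory summary.

Added example for this KB page; not code from OSV or any tracked package.
SAMPLE_VULNS below is constructed and uses placeholder identifiers.
"""
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # real OSV endpoint (not called by the sample run)


def query_osv(name: str, ecosystem: str) -> list[dict]:
    """Live OSV package query. Returns the raw 'vulns' list for one package."""
    body = json.dumps({"package": {"name": name, "ecosystem": ecosystem}}).encode()
    req = urllib.request.Request(
        OSV_QUERY_URL, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("vulns", [])


def version_key(version: str) -> list:
    """Sort key for dotted versions: numeric parts compare as ints, others as text."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in version.split(".")]


def normalize(vulns: list[dict], name: str, ecosystem: str) -> list[dict]:
    """Collapse OSV records into {id, aliases, summary, fixed_in} rows.

    Only 'affected' entries whose package name AND ecosystem match are used, so
    a record that also lists a related package contributes only its in-scope
    ranges, and a record that lists only related packages is dropped entirely.
    """
    rows = []
    for vuln in vulns:
        fixed = set()
        in_scope = False
        for affected in vuln.get("affected", []):
            pkg = affected.get("package", {})
            if pkg.get("name") != name or pkg.get("ecosystem") != ecosystem:
                continue  # sibling package entry: out of scope for this page
            in_scope = True
            for rng in affected.get("ranges", []):
                for event in rng.get("events", []):
                    if "fixed" in event:
                        fixed.add(event["fixed"])
        if not in_scope:
            continue
        rows.append({
            "id": vuln["id"],
            "aliases": sorted(vuln.get("aliases", [])),
            "summary": vuln.get("summary", ""),
            "fixed_in": sorted(fixed, key=version_key),
        })
    return sorted(rows, key=lambda r: r["id"])


# Constructed sample: shapes follow the OSV schema, identifiers are placeholders.
SAMPLE_VULNS = [
    {   # package-scoped record with a single fixed version
        "id": "EXAMPLE-0001",
        "aliases": ["CVE-0000-0001", "GHSA-xxxx-xxxx-xxx1"],
        "summary": "Directory traversal in static handler (constructed)",
        "affected": [{
            "package": {"name": "example.test/webfw", "ecosystem": "Go"},
            "ranges": [{"type": "SEMVER",
                        "events": [{"introduced": "0"}, {"fixed": "4.9.0"}]}],
        }],
    },
    {   # multi-package record: only the webfw entry is in scope for webfw
        "id": "EXAMPLE-0002",
        "aliases": ["GHSA-xxxx-xxxx-xxx2"],
        "summary": "Open redirect in static handler (constructed)",
        "affected": [
            {"package": {"name": "example.test/webfw", "ecosystem": "Go"},
             "ranges": [{"type": "SEMVER",
                         "events": [{"introduced": "0"}, {"fixed": "4.10.0"}]}]},
            {"package": {"name": "example.test/webfw-extra", "ecosystem": "Go"},
             "ranges": [{"type": "SEMVER",
                         "events": [{"introduced": "0"}, {"fixed": "1.2.0"}]}]},
        ],
    },
    {   # sibling-package-only record: must not appear on the webfw page
        "id": "EXAMPLE-0003",
        "aliases": [],
        "summary": "Issue in a sibling package (constructed)",
        "affected": [{
            "package": {"name": "example.test/webfw-extra", "ecosystem": "Go"},
            "ranges": [{"type": "SEMVER",
                        "events": [{"introduced": "0"}, {"fixed": "1.3.0"}]}],
        }],
    },
]


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in query_osv(...) for a live run.
    print(json.dumps(normalize(SAMPLE_VULNS, "example.test/webfw", "Go"), indent=2))
```

For a live pass, replace `SAMPLE_VULNS` with `query_osv("github.com/labstack/echo/v4", "Go")` (or the npm / PyPI / crates.io equivalent) and diff the resulting `fixed_in` lists against the upstream changelog before writing a page; a record whose only in-scope entry lacks a `fixed` event is an open issue, not a fix train, and should be recorded as such rather than given a version.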
Recently Updated Packages
serde
2026-04-20
rust · baseline stub · Upgraded the seed page into a conservative baseline: no direct package-scoped OSV or RustSec advisory was confirmed for `serde` itself in this pass, but the page now captures disclosure-policy gaps, ecosystem blast radius, and clear scope boundaries against related `serde_*` crates.
send
2026-04-19
npm · advisory-mapped · Reconciled the page against the full public advisory set, confirmed three published package records, and promoted the page from audit-ingested to advisory-mapped while preserving a clearly labeled operational audit note.
nanoid
2026-04-19
npm · advisory-mapped · Added a new advisory-mapped baseline page for Nano ID's published package security history, covering the 2021 object-coercion collision issue fixed in `3.1.31` and the 2024 non-integer size predictability flaw fixed in `3.3.8` and `5.0.9`.
moment
2026-04-19
npm · advisory-mapped · Added a new advisory-mapped baseline page for Moment's published package security history, centered on two older ReDoS issues, the `moment.locale` path-traversal bug fixed in `2.29.2`, and the newer RFC 2822 preprocessing ReDoS fixed in `2.29.4`.
mime
2026-04-19
npm · advisory-mapped · Added a new advisory-mapped baseline page for mime's published package security history, centered on the historical MIME-lookup ReDoS issue fixed in `1.4.1` and `2.0.3`.
micromatch
2026-04-19
npm · advisory-mapped · Added a new advisory-mapped baseline page for micromatch's published package security history, centered on the ReDoS issue fixed in `4.0.8` after earlier mitigation work proved incomplete.
helmet
2026-04-19
npm · baseline stub · Added a conservative baseline page for a widely deployed security-header package with no clean package-level GHSA / OSV record in this pass; preserved the distinction between disclosure readiness, deployment posture, and package vulnerability history.
got
2026-04-19
npm · advisory-mapped · Added a new advisory-mapped baseline page for Got's currently published package security history, centered on the 2022 redirect-to-UNIX-socket issue fixed in `11.8.5` and `12.1.0`.
dotnet · 2 packages
| Package | Status |
|---|---|
| Newtonsoft.Json | advisory-mapped |
| System.Text.Json | advisory-mapped |
go · 1 package
| Package | Status |
|---|---|
| golang.org/x/crypto | advisory-mapped |
homebrew · 1 package
| Package | Status |
|---|---|
| openssl@3 | baseline stub |
kubernetes · 1 package
| Package | Status |
|---|---|
| kube-apiserver | audit-ingested |
linux · 1 package
| Package | Status |
|---|---|
| openssl | baseline stub |
npm · 47 packages
| Package | Status |
|---|---|
| axios | advisory-mapped |
| basic-ftp | advisory-mapped |
| body-parser | advisory-mapped |
| braces | advisory-mapped |
| cookie-parser | baseline stub |
| cookie-signature | advisory-mapped |
| cookie | audit-ingested |
| cors | baseline stub |
| cross-spawn | advisory-mapped |
| debug | advisory-mapped |
| ejs | advisory-mapped |
| express-session | baseline stub |
| express | audit-ingested |
| follow-redirects | advisory-mapped |
| form-data | advisory-mapped |
| glob-parent | advisory-mapped |
| got | advisory-mapped |
| handlebars | advisory-mapped |
| helmet | baseline stub |
| http-proxy-middleware | advisory-mapped |
| js-yaml | audit-ingested (finding disputed) |
| jsonwebtoken | advisory-mapped |
| koa-router | audit-ingested |
| lodash | audit-ingested |
| marked | advisory-mapped |
| mathjs | advisory-mapped |
| micromatch | advisory-mapped |
| mime | advisory-mapped |
| minimist | advisory-refreshed |
| moment | advisory-mapped |
| morgan | advisory-mapped |
| multer | advisory-mapped |
| nanoid | advisory-mapped |
| next-intl | advisory-mapped |
| node-fetch | advisory-mapped |
| path-to-regexp | advisory-mapped |
| qs | advisory-mapped |
| semver | advisory-refreshed |
| send | advisory-mapped |
| serialize-javascript | advisory-mapped |
| serve-static | advisory-mapped |
| tar | advisory-mapped |
| tough-cookie | advisory-mapped |
| undici | advisory-mapped |
| validator | advisory-mapped |
| ws | advisory-mapped |
| yargs-parser | advisory-mapped |
python · 4 packages
rust · 3 packages
| Package | Status |
|---|---|
| serde | baseline stub |
| serde_yaml_ng | audit-ingested |
| tokio | advisory-mapped |