security(deps): lockfile bumps clearing open Cargo advisories (Track E)

[hyperpolymath]

Lockfile-only (cargo update -p; Cargo.toml untouched), same recipe as 007 #44:

crate	bump	clears
openssl	0.10.76 → 0.10.80	GHSA-8c75/ghm9/hppc/phqj/pqf5/xmgf/xp3w/xv59
rand	0.9.2 → 0.9.3	RUSTSEC-2026-0097
thin-vec	0.2.14 → 0.2.16	RUSTSEC-2026-0103

Clears the live Dependabot Rust advisories on this repo (docmatrix#21, panic-attack Track E). Cargo.lock shows as a binary diff (repo .gitattributes), but the only change is these three version bumps (+ openssl-sys 0.9.112→0.9.117).

Residual RUSTSEC unmaintained-crate advisories (ansi_term/yaml-rust/bincode/rustls-pemfile) are not vulnerabilities and need dep removal/replacement separately — out of scope for this lockfile bump.

Signed; security PR → manual review (no auto-merge).

🤖 Generated with Claude Code

[github-actions]

🔍 Hypatia Security Scan

Findings: 40 issues detected

Severity	Count
🔴 Critical	2
🟠 High	29
🟡 Medium	9

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "No test directory or test files found",
    "type": "no_tests",
    "file": "/home/runner/work/docmatrix/docmatrix",
    "action": "flag",
    "rule_module": "honest_completion",
    "severity": "high",
    "deduction": 20
  },
  {
    "reason": "codeql.yml lists `language: javascript-typescript` but the repo has no source files in any CodeQL-scannable language. The analyze job will exit 'no source files' on every run. Switch the matrix to `actions` (which scans workflow files — every repo has those).",
    "type": "codeql_language_matrix_mismatch",
    "file": "codeql.yml",
    "action": "switch_codeql_matrix_to_actions",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in scorecard-enforcer.yml",
    "type": "scorecard_publish_with_run_step",
    "file": "scorecard-enforcer.yml",
    "action": "split_scorecard_publish_job",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in mirror.yml",
    "type": "secret_action_without_presence_gate",
    "file": "mirror.yml",
    "action": "webfactory/ssh-agent",
    "rule_module": "workflow_audit",
    "severity": "high"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence