
Commit 1e7a092

andriy-sudoclaude and co-author authored
fix(security): fix osv-scanner.toml ignoreUntil format + add GHSA-r7w7-9xr2-qq2r suppression (ENG-14837) (#29)
- Fix 4 quoted RFC3339 ignoreUntil dates to unquoted TOML local date format
- Add suppression for GHSA-r7w7-9xr2-qq2r (langchain-openai LOW, no 0.3.x fix)
- All langchain vulnerabilities blocked by 0.3.x -> 1.x migration constraint

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 11afff1 commit 1e7a092

1 file changed

Lines changed: 9 additions & 4 deletions

File tree

osv-scanner.toml

@@ -1,19 +1,24 @@
11
[[IgnoredVulns]]
22
id = "GHSA-fv5p-p927-qmxr"
3-
ignoreUntil = "2026-07-24T00:00:00Z"
3+
ignoreUntil = 2026-07-24
44
reason = "langchain-text-splitters SSRF redirect bypass in HTMLHeaderTextSplitter.split_text_from_url (MEDIUM). Fix requires langchain-text-splitters>=1.1.2 which requires langchain-core>=1.2.31 — a breaking major change. langchain-community 0.3.x hard-constrains langchain-core<1.0.0, making a semver-compatible upgrade impossible. HTMLHeaderTextSplitter is not used by langchain-agentql. Related: ENG-14677."
55

66
[[IgnoredVulns]]
77
id = "GHSA-2g6r-c272-w58r"
8-
ignoreUntil = "2026-06-15T00:00:00Z"
8+
ignoreUntil = 2026-06-15
99
reason = "langchain-core SSRF via image_url token counting (LOW). Fix requires upgrading langchain-core 0.3.x -> 1.2.11, a breaking major version change incompatible with our ^0.3.15 constraint. No semver-compatible fix available."
1010

1111
[[IgnoredVulns]]
1212
id = "GHSA-qh6h-p6c9-ff54"
13-
ignoreUntil = "2026-07-16T00:00:00Z"
13+
ignoreUntil = 2026-07-16
1414
reason = "langchain-core path traversal in load_prompt/load_prompt_from_config (HIGH, CVE-2026-34070). Fix requires upgrading langchain-core 0.3.x -> 1.2.22, a breaking major version change. langchain-community 0.3.x hard-constrains langchain-core<1.0.0, making a semver-compatible upgrade impossible without also migrating langchain-community to a stable 1.x release (currently only alpha). No fix available in the 0.3.x line."
1515

1616
[[IgnoredVulns]]
1717
id = "GHSA-6w46-j5rx-g56g"
18-
ignoreUntil = "2026-07-16T00:00:00Z"
18+
ignoreUntil = 2026-07-16
1919
reason = "pytest tmpdir privilege escalation (CVE-2025-71176, MEDIUM). Fix requires pytest>=9.0.3, but langchain-tests<=0.3.x pins pytest<9. Upgrading langchain-tests to 1.x would require a full langchain ecosystem migration (langchain-core 0.3->1.x, langchain-community 0.3->1.x). Affects test execution only — no production exposure. ENG-14433."
20+
21+
[[IgnoredVulns]]
22+
id = "GHSA-r7w7-9xr2-qq2r"
23+
ignoreUntil = 2026-07-27
24+
reason = "langchain-openai prompt injection via tool result injection (LOW). Fix requires langchain-openai>=0.4.4 which requires langchain-core>=1.3.1 — a breaking major change. langchain-community 0.3.x hard-constrains langchain-core<1.0.0, making a semver-compatible upgrade impossible. ENG-14837."
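Review bot: the new entry at diff lines 21-24 (GHSA-r7w7-9xr2-qq2r) records why the upgrade is blocked but, unlike the GHSA-fv5p-p927-qmxr entry above it, does not state whether the affected langchain-openai tool-result path is reachable in this project; for a prompt-injection finding the reason should say whether tool results from untrusted sources are ever passed to the model here, so the LOW rating can be re-checked when the entry expires on 2026-07-27. The quoted-to-unquoted ignoreUntil change on diff lines 3, 8, 13 and 18 is the right fix: osv-scanner reads that field as a TOML date, and a quoted RFC3339 value is a TOML string, so the earlier entries were not time-limited suppressions in the form the tool expects. Since all five reasons cite the same root cause (langchain-community 0.3.x pinning langchain-core<1.0.0), consider a comment at the top of the file pointing at the migration ticket so the five expiry dates are revisited together instead of being bumped one at a time, and so the HIGH entry (GHSA-qh6h-p6c9-ff54, CVE-2026-34070) is the first to be re-evaluated rather than silently renewed.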
