Add CodeQL query for reflected XSS in Vercel serverless functions

[murderteeth]

Summary

• CodeQL has no built-in framework model for @vercel/node, so the standard js/reflected-xss query misses vulnerabilities in api/ serverless handlers. This adds a custom CodeQL query with inline Vercel framework models that detects reflected XSS specifically.
• Upgrades CI workflow: actions/checkout and codeql-action to v4, enables security-extended query suite, and runs the custom query pack alongside standard queries.
• Other vulnerability types (SSRF, SQLi, command injection, etc.) in Vercel handlers are not covered by this change — that requires either duplicating the model into additional query files or contributing the model upstream to github/codeql.

What the custom model teaches CodeQL

Concept	What it recognizes
Route handler	Functions with a VercelRequest-typed first parameter
Request sources	req.query, req.body, req.headers, req.cookies
Response sinks	res.send(), res.status().send()
Headers	res.setHeader() (used to determine content-type for XSS relevance)

Test plan

• Verify CodeQL workflow runs successfully on this PR
• Confirm the custom query detects the reflected XSS in api/vault/meta.ts
• Confirm security-extended suite runs without regressions

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
yearnfi	Ready	Preview, Comment	Mar 30, 2026 5:59am

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 4 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 335d730.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

.github/workflows/codeql.yml

Package	Version	License	Issue Type
actions/checkout	4.*.*	Null	Unknown License
github/codeql-action/analyze	4.*.*	Null	Unknown License
github/codeql-action/autobuild	4.*.*	Null	Unknown License
github/codeql-action/init	4.*.*	Null	Unknown License

Allowed Licenses:

MIT, Apache-2.0, BSD-3-Clause, BSD-2-Clause, ISC, CC0-1.0, CC-BY-3.0, CC-BY-4.0, Unlicense

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	4.*.*	🟢 6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/github/codeql-action/analyze	4.*.*	Unknown	Unknown
actions/github/codeql-action/autobuild	4.*.*	Unknown	Unknown
actions/github/codeql-action/init	4.*.*	Unknown	Unknown

Scanned Files

• .github/workflows/codeql.yml