
CVE-2025-66293: Document affected versions and patch workflow-tests#60

Draft

Copilot wants to merge 3 commits into master from copilot/check-cve-2025-66293-issue

Conversation


Copilot AI commented Feb 6, 2026

CVE-2025-66293 is an out-of-bounds read in libpng < 1.6.52. Main repo was already patched (1.6.54 since Jan 2026), but workflow-tests remained vulnerable and no historical analysis existed.

Historical Impact Analysis

Traced git history to identify affected periods:

Development environment (pixi.lock):

  • Jun 2025 - Nov 2025: libpng 1.6.47 (commits 37f5d14 to fcd9069)
  • Nov 2025 - Jan 2026: libpng 1.6.50 (commits cf0f5a8 to ee11f38)
  • Jan 2026+: libpng 1.6.54 ✓

Workflow tests (workflow-tests/test-extension/pixi.lock):

  • Sep 2025 - Feb 2026: libpng 1.6.50 (commit adbd584 onwards)
  • Feb 2026+: libpng 1.6.54 ✓ (this PR)

Changes

  • SECURITY-ADVISORY-CVE-2025-66293.md: Timeline of affected versions, risk assessment, remediation steps
  • workflow-tests/test-extension/: Updated libpng 1.6.50 → 1.6.54, added libpng >= 1.6.52 constraint
  • README.md: Added security section reference

Risk Profile

High: Processing untrusted PNG files
Medium: Dev/test environments with trusted input
Low: No PNG processing

Developers who cloned Jun 2025 - Feb 2026 should rebuild environments: pixi clean && pixi install


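As an added example that is not part of this PR or the project's own code: a Python script that automates the two things the description above did by hand, pulling every libpng pin out of a pixi.lock, comparing it numerically against the 1.6.52 fix threshold, and walking a lock file's git history to collapse commits into affected ranges like the timeline above. It assumes two pixi.lock layouts (an assumption, not stated on the page): the current one, where packages are listed by conda artifact URL whose filename is `<name>-<version>-<build>.conda`, and the older one with `name:` / `version:` mapping pairs. `SAMPLE_LOCK`, `OLD_FORMAT_SNIPPET` and `SAMPLE_HISTORY` are constructed, including their build strings, hashes and dates; `trace_history` needs git and a real checkout and is not exercised by the constructed data.

```python
"""Audit pixi.lock files for a vulnerable libpng pin.

Added example, not the PR's own code. Assumed lock layouts (assumption):
  * current pixi lock: packages listed by artifact URL whose filename is
    <name>-<version>-<build>.conda (or .tar.bz2)
  * older lock files: a `name: libpng` line followed by `version: X.Y.Z`
"""
import re
import subprocess
from typing import Dict, List, Set, Tuple

FIXED_VERSION = "1.6.52"  # first libpng release the PR reports as fixed

# .../linux-64/libpng-1.6.50-h943b412_0.conda -> name=libpng, ver=1.6.50
_URL_RE = re.compile(
    r"/(?P<name>[A-Za-z0-9_.+-]+?)-(?P<ver>\d+(?:\.\d+)+)-[^/\s]+\.(?:conda|tar\.bz2)\b"
)
# older layout: `name: libpng` then `version: ...` on the next line
_PAIR_RE = re.compile(
    r"^[ \t-]*name:[ \t]*libpng[ \t]*$\n^[ \t]*version:[ \t]*(\d+(?:\.\d+)+)", re.M
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple, so 1.10.0 > 1.6.52 (a plain string compare gets that wrong)."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    return parse_version(version) < parse_version(fixed)


def libpng_versions(lock_text: str) -> Set[str]:
    """Every libpng version pinned anywhere in the lock text, across all platforms."""
    found = {m.group("ver") for m in _URL_RE.finditer(lock_text) if m.group("name") == "libpng"}
    found |= set(_PAIR_RE.findall(lock_text))
    return found


def audit_lock(lock_text: str, fixed: str = FIXED_VERSION) -> Dict[str, bool]:
    """Map each pinned libpng version to True when it is below the fixed release."""
    return {v: is_vulnerable(v, fixed) for v in sorted(libpng_versions(lock_text), key=parse_version)}


def trace_history(lock_path: str, repo: str = ".") -> List[Tuple[str, str, Set[str]]]:
    """Walk `git log` for one lock file (path relative to the repo root) and report
    the libpng versions pinned at each commit, oldest first. Needs git and a
    real checkout; not exercised by the constructed data below."""
    log = subprocess.run(
        ["git", "-C", repo, "log", "--reverse", "--format=%h %as", "--", lock_path],
        check=True, capture_output=True, text=True).stdout
    history = []
    for line in log.splitlines():
        sha, date = line.split(maxsplit=1)
        content = subprocess.run(["git", "-C", repo, "show", f"{sha}:{lock_path}"],
                                 check=True, capture_output=True, text=True).stdout
        history.append((sha, date, libpng_versions(content)))
    return history


def collapse_ranges(history):
    """Collapse consecutive commits that pin the same libpng versions into
    (first_sha, last_sha, first_date, last_date, versions) spans."""
    spans = []
    for sha, date, versions in history:
        if spans and spans[-1][4] == versions:
            first_sha, _, first_date, _, v = spans[-1]
            spans[-1] = (first_sha, sha, first_date, date, v)
        else:
            spans.append((sha, sha, date, date, versions))
    return spans


# Constructed lock excerpt: one platform still on 1.6.50, another already on 1.6.54.
SAMPLE_LOCK = """\
version: 6
environments:
  default:
    channels:
    - url: https://conda.anaconda.org/conda-forge/
    packages:
      linux-64:
      - conda: https://conda.anaconda.org/conda-forge/linux-64/libpng-1.6.50-h943b412_0.conda
      - conda: https://conda.anaconda.org/conda-forge/linux-64/zlib-1.3.1-hb9d3cd8_2.conda
      osx-arm64:
      - conda: https://conda.anaconda.org/conda-forge/osx-arm64/libpng-1.6.54-h8b9a2a8_0.conda
packages:
- conda: https://conda.anaconda.org/conda-forge/linux-64/libpng-1.6.50-h943b412_0.conda
  sha256: 0000000000000000000000000000000000000000000000000000000000000000
"""

# Constructed excerpt in the older mapping layout.
OLD_FORMAT_SNIPPET = """\
- kind: conda
  name: libpng
  version: 1.6.47
  build: h943b412_0
"""

# Constructed history (sha, date, pinned versions), as trace_history would return it.
SAMPLE_HISTORY = [
    ("aaaa111", "2025-06-01", {"1.6.47"}), ("bbbb222", "2025-11-10", {"1.6.47"}),
    ("cccc333", "2025-11-12", {"1.6.50"}), ("dddd444", "2026-01-05", {"1.6.50"}),
    ("eeee555", "2026-01-20", {"1.6.54"}),
]

if __name__ == "__main__":
    for version, vuln in audit_lock(SAMPLE_LOCK).items():
        print(f"libpng {version}: {'VULNERABLE' if vuln else 'ok'}")
    for first, last, d1, d2, versions in collapse_ranges(SAMPLE_HISTORY):
        print(f"{d1} - {d2}: libpng {sorted(versions)} (commits {first} to {last})")
```

Run it against a checkout with `trace_history("workflow-tests/test-extension/pixi.lock")` to regenerate the timeline; note that a multi-platform lock can pin different libpng builds per platform, so the audit collects versions from every platform rather than stopping at the first match.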

Co-authored-by: HedgehogCode <6631116+HedgehogCode@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Investigate repository for CVE-2025-66293 impact" to "Fix CVE-2025-66293: Update libpng to 1.6.54 in workflow-tests" on Feb 6, 2026
Copilot AI requested a review from HedgehogCode February 6, 2026 13:23
Co-authored-by: HedgehogCode <6631116+HedgehogCode@users.noreply.github.com>
Copilot AI changed the title from "Fix CVE-2025-66293: Update libpng to 1.6.54 in workflow-tests" to "CVE-2025-66293: Document affected versions and patch workflow-tests" on Feb 6, 2026

sonarqubecloud bot commented Feb 6, 2026

