
fix(deps): remediate security alerts#111

Merged
saagpatel merged 1 commit into master from codex/fix/security-dependency-alerts
May 10, 2026

Conversation

@saagpatel (Owner)

What

  • Updates vulnerable Rust lockfile entries for openssl and direct/runtime rand versions.
  • Adds OSV scanner rationale files for dependency-tooling alerts that are not production runtime exposure.

Why

  • AssistSupport is one of the current GitHubRepoAuditor Security Review follow-ups, with open OSV dependency alerts on master.
  • The goal is to reduce real dependency risk while keeping unavoidable scanner exceptions explicit and reviewable.

How

  • openssl moves from 0.10.75 to 0.10.78 through the lockfile, pulling the matching openssl-sys update.
  • Runtime/direct rand resolutions move to fixed 0.8.6 and 0.9.3 releases.
  • Remaining rand 0.7.3 is documented as a Tauri build-time transitive dependency through tauri-utils/selectors/phf, and uuid 8.3.2 is documented as a dev-only Lighthouse CI CLI dependency.

Testing

  • cargo test --manifest-path src-tauri/Cargo.toml passed in an isolated checkout after creating a temporary untracked dist/ directory required by Tauri's context macro.
  • osv-scanner was not installed locally, so the PR workflow remains the scan authority.

Performance Impact

  • None expected for application runtime beyond patched dependency resolution.

Risk / Notes

  • The OSV ignore entries should be reviewed as policy decisions, especially the dev-only LHCI uuid alert and the Tauri build-time rand 0.7.3 path.
  • Local /Users/d/Projects/AssistSupport was not modified; it has unrelated dirty files and is behind origin/master.

@saagpatel force-pushed the codex/fix/security-dependency-alerts branch from 71a69ac to 9e52ec1 on May 10, 2026 21:02

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 71a69ac009


Comment thread osv-scanner.toml
@@ -0,0 +1,3 @@
[[IgnoredVulns]]
id = "GHSA-w5hq-g745-h8pq"
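Review bot: the visible part of this entry records only the advisory id, yet the PR description says the suppression exists because uuid 8.3.2 is a dev-only Lighthouse CI CLI dependency; osv-scanner.toml accepts `reason` and `ignoreUntil` on each `[[IgnoredVulns]]` entry, so that rationale and an expiry belong here, where the suppression takes effect, e.g. `reason = "uuid 8.3.2 is reached only via the dev-only @lhci/cli"` and `ignoreUntil = 2026-08-01`, rather than only in a separate rationale file that the scanner never reads.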

P1: Clear the pnpm audit advisory instead of only OSV

This ignore only affects OSV-Scanner, but the blocking CI security job still runs pnpm audit --audit-level high without --prod or --ignore in .github/workflows/ci.yml, and pnpm audit --help shows --prod is the option that restricts auditing to production dependencies. Because package.json still includes Lighthouse as a dev dependency and pnpm-lock.yaml still resolves its @lhci/cli path to uuid: 8.3.2, the high-severity GHSA-w5hq-g745-h8pq alert will continue to fail that gate even though OSV is suppressed here.


@saagpatel changed the title from "fix(security): remediate dependency alerts" to "fix(deps): remediate security alerts" on May 10, 2026
@saagpatel force-pushed the codex/fix/security-dependency-alerts branch from 9e52ec1 to 49bbb95 on May 10, 2026 21:04
@saagpatel merged commit ba6074b into master on May 10, 2026
46 checks passed