Security: sweep 9 open CodeQL alerts on openregister #83

@rubenvdlinde

Context

Surfaced during 2026-05-19 issue-sweep. While nextcloud-vue had a CodeQL pass land today (PRs #244, #247, #249 — see nextcloud-vue#250 retro tracker), openregister still has 9 open CodeQL alerts that have never been swept.

gh api repos/ConductionNL/openregister/code-scanning/alerts --jq '[.[] | select(.state=="open")] | length'
# => 9

Action

  • Pull the 9 alert details
  • Classify (false-positive / accept-risk / fix)
  • Land fixes in one or more security PRs against development
  • Confirm count → 0 before closing

Why this is non-code-work-adjacent

Each alert needs human triage on severity + appropriate fix — this is review work that doesn't fit a single PR scope.
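
A triage worksheet for the classify step, as an added example that is not part of the original issue or the openregister code base. It assumes the alert JSON uses the field names of GitHub's code-scanning alerts REST response (`state`, `rule.id`, `rule.security_severity_level`, `most_recent_instance.location`); the sample alerts are constructed placeholders.

```python
import json
import sys
from collections import defaultdict

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}

# Constructed sample shaped like the code-scanning alerts API response; numbers,
# rule ids and paths are placeholders, not openregister's actual alerts.
def _alert(number, state, rule_id, level, path, line):
    return {"number": number, "state": state,
            "rule": {"id": rule_id, "security_severity_level": level},
            "most_recent_instance": {"location": {"path": path, "start_line": line}}}

SAMPLE = [
    _alert(1, "open", "js/xss-through-dom", "high", "src/example/Viewer.vue", 42),
    _alert(2, "open", "actions/missing-workflow-permissions", "medium", ".github/workflows/example.yml", 1),
    _alert(3, "dismissed", "js/incomplete-sanitization", "high", "src/example/util.js", 10),
    _alert(4, "open", "js/xss-through-dom", "high", "src/example/List.vue", 7),
]

def open_alerts(alerts):
    """Alerts still counted by the issue's `select(.state=="open")` check."""
    return [a for a in alerts if a.get("state") == "open"]

def triage_worksheet(alerts):
    """Group open alerts by rule, most severe first, one decision slot per rule."""
    groups = defaultdict(list)
    for a in open_alerts(alerts):
        level = a["rule"].get("security_severity_level") or "none"
        rule_id = a["rule"].get("id") or "unknown"
        loc = a["most_recent_instance"]["location"]
        groups[(level, rule_id)].append((a["number"], f'{loc["path"]}:{loc.get("start_line")}'))
    ordered = sorted(groups.items(), key=lambda kv: (SEVERITY_RANK.get(kv[0][0], 4), kv[0][1]))
    return [{"severity": level, "rule": rule_id, "alerts": sorted(hits),
             "decision": "TODO: false-positive / accept-risk / fix"}
            for (level, rule_id), hits in ordered]

if __name__ == "__main__":
    # Real input: gh api 'repos/ConductionNL/openregister/code-scanning/alerts?state=open&per_page=100' > alerts.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            alerts = json.load(fh)
    else:
        alerts = SAMPLE
    for row in triage_worksheet(alerts):
        print(f'[{row["severity"]}] {row["rule"]}: {row["decision"]}')
        for number, where in row["alerts"]:
            print(f"    #{number} {where}")
    print(f"open alerts remaining: {len(open_alerts(alerts))}")
```

Grouping by rule lets one classification decision cover every location that triggers the same query, and the last line repeats the count check from the issue.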
