diff --git a/.github/workflows/checks.clippy.yml b/.github/workflows/checks.clippy.yml
index 349208482..aefa93c42 100644
--- a/.github/workflows/checks.clippy.yml
+++ b/.github/workflows/checks.clippy.yml
@@ -53,6 +53,6 @@ jobs:
         run: |
           cargo clippy --all-targets --all-features --message-format=json | clippy-sarif | tee results.sarif | sarif-fmt
       - name: "Report: SARIF Upload"
-        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/checks.codeql.yml b/.github/workflows/checks.codeql.yml
index 4d48f1680..45da117aa 100644
--- a/.github/workflows/checks.codeql.yml
+++ b/.github/workflows/checks.codeql.yml
@@ -101,7 +101,7 @@ jobs:
           java-version: "23"
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: "Setup: Initialize CodeQL"
-        uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
         with:
           config-file: ./.github/codeql/codeql-config.yml
           languages: ${{ matrix.language }}
@@ -126,5 +126,5 @@ jobs:
             -x nativeCompile
             -x nativeOptimizedCompile
       - name: "Analysis: CodeQL"
-        uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
         continue-on-error: true
diff --git a/.github/workflows/checks.detekt.yml b/.github/workflows/checks.detekt.yml
index 9cbc0e5cb..006e68617 100644
--- a/.github/workflows/checks.detekt.yml
+++ b/.github/workflows/checks.detekt.yml
@@ -99,6 +99,6 @@ jobs:
             -x nativeCompile \
             -x nativeOptimizedCompile
       - name: "Report: SARIF Upload"
-        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
         with:
           sarif_file: build/reports/detekt/detekt.sarif
diff --git a/.github/workflows/checks.qodana.yml b/.github/workflows/checks.qodana.yml
index 1d6f81377..fbecf0440 100644
--- a/.github/workflows/checks.qodana.yml
+++ b/.github/workflows/checks.qodana.yml
@@ -92,6 +92,6 @@ jobs:
         with:
           args: --baseline,qodana.sarif.json
       - name: "Report: SARIF Upload"
-        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
         with:
           sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json
diff --git a/.github/workflows/checks.scorecards.yml b/.github/workflows/checks.scorecards.yml
index 04a22364d..5890b2687 100644
--- a/.github/workflows/checks.scorecards.yml
+++ b/.github/workflows/checks.scorecards.yml
@@ -71,6 +71,6 @@ jobs:
           retention-days: 5
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Artifact: Scorecard SARIF"
-        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
         with:
           sarif_file: results.sarif
diff --git a/packages/cli/detekt-baseline.xml b/packages/cli/detekt-baseline.xml
index c04cf591d..1515d5a0c 100644
--- a/packages/cli/detekt-baseline.xml
+++ b/packages/cli/detekt-baseline.xml
@@ -12,12 +12,6 @@
     <ID>ConstructorParameterNaming:AbstractSubcommand.kt$AbstractSubcommand.DefaultOutputController$private val _settings: ToolState.OutputSettings = _state.output</ID>
     <ID>ConstructorParameterNaming:AbstractSubcommand.kt$AbstractSubcommand.DefaultOutputController$private val _state: State</ID>
     <ID>ConstructorParameterNaming:AbstractSubcommand.kt$AbstractSubcommand.ToolExecutionContextImpl$private val _state: T</ID>
-    <ID>CyclomaticComplexMethod:NativeUtil.kt$NativeUtil$@Suppress("LongParameterList") @JvmStatic internal fun loadOrCopy( workdir: File, path: String, libName: String, loader: ClassLoader, allCandidatePaths: Sequence&lt;Path>, forceCopy: Boolean = false, forceLoad: Boolean = false, loadFromPath: Boolean = true, ): Pair&lt;Boolean, Boolean></ID>
-    <ID>CyclomaticComplexMethod:ToolShellCommand.kt$ToolShellCommand$override fun PolyglotEngineConfiguration.configureEngine(langs: EnumSet&lt;GuestLanguage>)</ID>
-    <ID>CyclomaticComplexMethod:ToolShellCommand.kt$ToolShellCommand$override suspend fun CommandContext.invoke(state: ToolContext&lt;ToolState>): CommandResult</ID>
-    <ID>CyclomaticComplexMethod:ToolShellCommand.kt$ToolShellCommand$private fun beginInteractiveSession( languages: EnumSet&lt;GuestLanguage>, primaryLanguage: GuestLanguage, engine: PolyglotEngine, ctxAccessor: ContextAccessor, )</ID>
-    <ID>CyclomaticComplexMethod:ToolShellCommand.kt$ToolShellCommand$private fun displayFormattedError( exc: Throwable, message: String, advice: String? = null, internal: Boolean = false, stacktrace: Boolean = internal, withCause: Boolean = true, )</ID>
-    <ID>CyclomaticComplexMethod:ToolShellCommand.kt$ToolShellCommand.LanguageSelector$internal fun resolveLangs(project: ProjectInfo? = null, alias: String? = null): EnumSet&lt;GuestLanguage></ID>
     <ID>FunctionParameterNaming:Statics.kt$Statics$`in`: InputStream</ID>
     <ID>LargeClass:ToolShellCommand.kt$ToolShellCommand : AbstractSubcommand</ID>
     <ID>LoopWithTooManyJumpStatements:ToolShellCommand.kt$ToolShellCommand$while</ID>
@@ -31,9 +25,9 @@
     <ID>MagicNumber:ToolShellCommand.kt$ToolShellCommand$1000L</ID>
     <ID>MagicNumber:ToolShellCommand.kt$ToolShellCommand$120</ID>
     <ID>MagicNumber:ToolShellCommand.kt$ToolShellCommand$40</ID>
+    <ID>MagicNumber:ToolShellCommand.kt$ToolShellCommand$80</ID>
     <ID>MatchingDeclarationName:SanityTests.kt$SanitySelfTest : SelfTest</ID>
     <ID>MaxLineLength:ToolShellCommand.kt$ToolShellCommand$" or: elide @|bold,fg(cyan) run|shell|serve|start|@ [OPTIONS] [@|bold,fg(cyan) -c|@|@|bold,fg(cyan) --code|@ CODE]"</ID>
-    <ID>NestedBlockDepth:main.kt$private suspend inline fun runInner(args: Array&lt;String>): Int</ID>
     <ID>ObjectPropertyNaming:Statics.kt$Statics$val `in`: InputStream get() = delegatedInStream.get() ?: System.`in`</ID>
     <ID>ReturnCount:ExecutionController.kt$ExecutionController$private fun toHost(polyglotException: PolyglotException): Throwable</ID>
     <ID>ReturnCount:NativeUtil.kt$NativeUtil$@Suppress("LongParameterList") @JvmStatic internal fun loadOrCopy( workdir: File, path: String, libName: String, loader: ClassLoader, allCandidatePaths: Sequence&lt;Path>, forceCopy: Boolean = false, forceLoad: Boolean = false, loadFromPath: Boolean = true, ): Pair&lt;Boolean, Boolean></ID>
@@ -70,7 +64,6 @@
     <ID>TooGenericExceptionCaught:ToolShellCommand.kt$ToolShellCommand$ioe: Exception</ID>
     <ID>TooGenericExceptionCaught:main.kt$err: RuntimeException</ID>
     <ID>TooGenericExceptionCaught:main.kt$err: Throwable</ID>
-    <ID>TooManyFunctions:ToolShellCommand.kt$ToolShellCommand : AbstractSubcommand</ID>
     <ID>TopLevelPropertyNaming:ToolInvokeCommand.kt$private const val jsHint = "package.json"</ID>
     <ID>TopLevelPropertyNaming:ToolInvokeCommand.kt$private const val pyHint = "requirements.txt"</ID>
     <ID>UnusedParameter:AbstractToolCommand.kt$AbstractToolCommand$args: Array&lt;String></ID>