---
id: architecture/w-7-cve-number-verify
name: Verify js-yaml CVE number in frontmatter.md
status: completed
depends_on: []
created: 2026-04-26T09:10:57.556575363Z
modified: 2026-04-26T09:10:57.556575883Z
scope: narrow
risk: medium
---

# Description

**Review ref**: W-7 (Warning)

**Files affected**: `docs/architecture/frontmatter.md`

The frontmatter doc references "CVE-2025-64718" for js-yaml prototype pollution. This CVE number appears incorrect — the sequence number is unusually high and no matching CVE was found. An incorrect CVE undermines the supply-chain security argument.

Verify the actual CVE number for the js-yaml prototype pollution vulnerability. If the number can't be confirmed, replace it with "referenced in npm audit database" or link to the npm advisory directly.

**Source**: `/docs/reviews/architecture-review-2026-04-26.md` W-7