Review of all ADR documents (001-007) and peripheral architecture docs identified 3 critical, 10 warning, and 7 suggestion issues.

Addressed in this commit:
- W-1: Add draft qualifier to ADR-002 reference to incremental exploration
- W-2: Add Alternatives Considered section to ADR-001
- W-3: Add Document Lifecycle section to README.md (draft/stable/deprecated)
- W-4: Clarify includeCompleted semantics (only 'completed' status triggers exclusion)
- W-5: Document file I/O runtime constraints in frontmatter.md
- W-6: Add ADR reference to architecture.md redirect
- W-7: Verify CVE-2025-64718 (confirmed real, improved description)
- W-9: Convert workspace-absolute paths to relative/monorepo references
- S-7: Add future ADR-008 note to incremental-update-exploration.md

Critical issues (C-1, C-2, C-3) and remaining warnings (W-8, W-10, S-4, S-5) were addressed by a parallel agent in a prior commit. All 16 review tasks created and resolved.
22 lines
856 B
Markdown
---
id: architecture/w-7-cve-number-verify
name: Verify js-yaml CVE number in frontmatter.md
status: completed
depends_on: []
created: 2026-04-26T09:10:57.556575363Z
modified: 2026-04-26T09:10:57.556575883Z
scope: narrow
risk: medium
---

# Description

**Review ref**: W-7 (Warning)
**Files affected**: `docs/architecture/frontmatter.md`

The frontmatter doc references "CVE-2025-64718" for js-yaml prototype pollution. This CVE number appears incorrect — the sequence number is unusually high and no matching CVE was found. An incorrect CVE undermines the supply-chain security argument.

Verify the actual CVE number for the js-yaml prototype pollution vulnerability. If the number can't be confirmed, replace it with "referenced in npm audit database" or link to the npm advisory directly.

**Source**: `/docs/reviews/architecture-review-2026-04-26.md` W-7