glm-5.1
e592caed57
Review of all ADR documents (001-007) and peripheral architecture docs identified 3 critical, 10 warning, and 7 suggestion issues. Addressed in this commit: - W-1: Add draft qualifier to ADR-002 reference to incremental exploration - W-2: Add Alternatives Considered section to ADR-001 - W-3: Add Document Lifecycle section to README.md (draft/stable/deprecated) - W-4: Clarify includeCompleted semantics (only 'completed' status triggers exclusion) - W-5: Document file I/O runtime constraints in frontmatter.md - W-6: Add ADR reference to architecture.md redirect - W-7: Verify CVE-2025-64718 (confirmed real, improved description) - W-9: Convert workspace-absolute paths to relative/monorepo references - S-7: Add future ADR-008 note to incremental-update-exploration.md Critical issues (C-1, C-2, C-3) and remaining warnings (W-8, W-10, S-4, S-5) were addressed by a parallel agent in a prior commit. All 16 review tasks created and resolved.
856 B
856 B
id, name, status, depends_on, created, modified, scope, risk
| id | name | status | depends_on | created | modified | scope | risk |
|---|---|---|---|---|---|---|---|
| architecture/w-7-cve-number-verify | Verify js-yaml CVE number in frontmatter.md | completed | 2026-04-26T09:10:57.556575363Z | 2026-04-26T09:10:57.556575883Z | narrow | medium |
Description
Review ref: W-7 (Warning)
Files affected: docs/architecture/frontmatter.md
The frontmatter doc references "CVE-2025-64718" for js-yaml prototype pollution. This CVE number appears incorrect — the sequence number is unusually high and no matching CVE was found. An incorrect CVE undermines the supply-chain security argument.
Verify the actual CVE number for js-yaml prototype pollution vulnerability. If the number can't be confirmed, replace with "referenced in npm audit database" or link to the npm advisory directly.
Source: /docs/reviews/architecture-review-2026-04-26.md W-7