eslint-plugin-traceability 1.8.0 → 1.8.2

package/docs/security-incidents/2025-11-17-glob-cli-incident.md

@@ -1,45 +0,0 @@
-# Security Incident Report: glob CLI Vulnerability
-
-**Date:** 2025-11-18 (Updated)
-
-**Dependency:** glob (versions 10.3.7 – 11.0.3) bundled in npm@11.6.2 within @semantic-release/npm@10.0.6
-
-**Vulnerability ID:** GHSA-5j98-mcp5-4vw2
-
-**Severity:** high
-
-**Description:**
-A command injection vulnerability in the glob CLI when using the `-c/--cmd` option, which executes matches with `shell:true`. An attacker able to control glob patterns could execute arbitrary shell commands.
-
-**Remediation:**
-
-- **Status:** Accepted as residual risk (bundled dependency - cannot be overridden)
-- **Fixed Version:** Awaiting upstream patch in npm package bundled within @semantic-release/npm
-
-**References:**
-
-- https://github.com/advisories/GHSA-5j98-mcp5-4vw2
-
-**Timeline:**
-
-- **2025-11-17:** Identified vulnerability in dev dependencies via npm audit
-- **2025-11-17:** Initial decision to monitor and await upstream patch
-- **2025-11-18:** Identified as bundled dependency in @semantic-release/npm that cannot be overridden
-- **2025-11-18:** Accepted as residual risk with documented mitigation
-
-**Impact Analysis:**
-This vulnerability affects development-time CLI tools bundled within the npm package used by semantic-release for automated publishing. The vulnerability requires specific CLI usage patterns (`-c/--cmd` flag) that are not used in our CI/CD workflow. The plugin itself does not pass untrusted patterns to glob. Risk to the project and downstream users is minimal as:
-- Dev dependency only (not in production)
-- Requires specific CLI flags not used in our workflow
-- Isolated to CI/CD publishing process
-- No end-user exposure
-
-**Testing:**
-Continuous `npm audit` checks in CI and pre-push hooks will detect if this vulnerability is resolved or if new vulnerabilities are introduced.
-
-**Status (2025-11-23):**
-As of 2025-11-23, dry-aged-deps reports no mature, dry-aged safe upgrade path for the affected glob dependency bundled via @semantic-release/npm. The risk remains accepted for dev-only tooling, with continued monitoring for an upstream fix.
-
-## Status Update
-
-This incident is now covered by `SECURITY-INCIDENT-2025-11-18-semantic-release-bundled-npm.known-error.md`. Refer to that document for the current status, compensating controls, and ongoing mitigation tracking.

package/docs/security-incidents/2025-11-18-brace-expansion-redos.md

@@ -1,45 +0,0 @@
-# Security Incident Report: brace-expansion ReDoS
-
-**Date:** 2025-11-18
-
-**Dependency:** brace-expansion (1.0.0 - 1.1.11 and 2.0.0 - 2.0.1) bundled in npm within @semantic-release/npm@10.0.6
-
-**Vulnerability ID:** GHSA-v6h2-p8h4-qcjw
-
-**Severity:** low
-
-**Description:**
-A Regular Expression Denial of Service (ReDoS) vulnerability in brace-expansion affecting versions 1.0.0-1.1.11 and 2.0.0-2.0.1. An attacker who can control the input to brace-expansion could cause high CPU usage through crafted regex patterns.
-
-**Remediation:**
-
-- **Status:** Accepted as residual risk (bundled dependency - cannot be overridden)
-- **Fixed Version:** Awaiting upstream patch in npm package bundled within @semantic-release/npm
-
-**References:**
-
-- https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
-
-**Timeline:**
-
-- **2025-11-18:** Identified vulnerability in dev dependencies via npm audit
-- **2025-11-18:** Identified as bundled dependency in @semantic-release/npm that cannot be overridden
-- **2025-11-18:** Accepted as residual risk with documented mitigation
-
-**Impact Analysis:**
-This vulnerability affects development-time dependencies bundled within the npm package used by semantic-release for automated publishing. The ReDoS vulnerability requires control over input patterns to brace-expansion, which is not exposed in our CI/CD workflow. Risk to the project and downstream users is minimal as:
-- Dev dependency only (not in production)
-- Low severity (DoS only, no data exposure)
-- Requires attacker-controlled input patterns
-- Isolated to CI/CD publishing process
-- No end-user exposure
-- No production code impact
-
-**Testing:**
-Continuous `npm audit` checks in CI and pre-push hooks will detect if this vulnerability is resolved or if new vulnerabilities are introduced.
-
-**Status Update (2025-11-23):**
-As of 2025-11-23, there is still no mature, dry-aged safe upgrade path available according to dry-aged-deps for the bundled npm dependency chain containing brace-expansion. The vulnerability continues to be tracked, and the risk remains accepted as a dev-only residual risk with no production impact.
-
-**Status Update (2025-12-03):**
-This incident is now covered by `SECURITY-INCIDENT-2025-11-18-semantic-release-bundled-npm.known-error.md`. Please refer to that document for the current status, mitigation details, and compensating controls.

package/docs/security-incidents/2025-11-18-bundled-dev-deps-accepted-risk.md

@@ -1,93 +0,0 @@
-# Security Incident (Historical): Bundled Dev Dependencies Accepted as Residual Risk
-
-**Date**: 2025-11-18  
-**Severity**: High (glob), Low (brace-expansion)  
-**Status**: Superseded by known error record (historical context only)  
-**Affected Package**: @semantic-release/npm@10.0.6 (bundled dependencies)
-
-## Superseded Notice
-
-This incident document has been superseded by the known error record:  
-**[SECURITY-INCIDENT-2025-11-18-semantic-release-bundled-npm.known-error.md](SECURITY-INCIDENT-2025-11-18-semantic-release-bundled-npm.known-error.md)**
-
-It is retained only for historical background and should not be used as the current source of truth for status or mitigation details.
-
-## Summary
-
-The @semantic-release/npm package (v10.0.6) includes the npm package which bundles vulnerable versions of glob and brace-expansion that cannot be automatically fixed or overridden.
-
-Where possible, we now mitigate related transitive risks via explicit `package.json` overrides (e.g., glob, tar, http-cache-semantics, ip, semver, socks). However, the specific npm instance bundled inside @semantic-release/npm remains partially outside our direct control. The accepted residual risk described in this document applies only to those un-overridable, bundled instances.
-
-## Vulnerabilities
-
-### 1. glob CLI Vulnerability (GHSA-5j98-mcp5-4vw2)
-- **Severity**: High
-- **Affected versions**: glob 10.3.7 - 11.0.3
-- **Status**: Accepted as residual risk
-- **Rationale**: 
-  - Dev-dependency only (used by semantic-release for publishing)
-  - Vulnerability requires specific CLI usage (`-c/--cmd` flag) not used in our workflow
-  - Bundled dependency cannot be overridden within the npm copy embedded in @semantic-release/npm
-  - Transitive glob risks in the wider dependency graph are additionally mitigated via explicit `package.json` overrides
-  - No production impact
-  - Awaiting upstream patch in npm package
-
-### 2. brace-expansion ReDoS (GHSA-v6h2-p8h4-qcjw)
-- **Severity**: Low
-- **Affected versions**: 1.0.0 - 1.1.11 and 2.0.0 - 2.0.1
-- **Status**: Accepted as residual risk
-- **Rationale**:
-  - Dev-dependency only (bundled in npm package within @semantic-release/npm)
-  - Low severity ReDoS requires attacker-controlled input patterns
-  - No production impact
-  - Bundled dependency within the embedded npm cannot be overridden
-  - Related transitive ReDoS surface is further constrained via dependency overrides where technically feasible
-  - Awaiting upstream patch in npm package
-
-## Risk Acceptance Decision
-
-**Decision**: Accept these vulnerabilities as residual risk  
-**Decision Date**: 2025-11-18  
-**Reviewed By**: Automated security assessment
-
-**Justification**:
-1. **Scope Limitation**: Dev-dependency only (used by semantic-release for publishing in CI/CD)
-2. **No Production Impact**: Vulnerabilities isolated to development/publishing process, no end-user or production code exposure
-3. **Usage Pattern**: The glob CLI vulnerability requires specific `-c/--cmd` flag usage not present in our workflow
-4. **Technical Constraint**: Bundled dependencies within the npm package embedded in @semantic-release/npm cannot be overridden via package.json
-5. **Risk Narrowing via Overrides**: For non-bundled, transitive dependencies we enforce safer versions via explicit `package.json` overrides (glob, tar, http-cache-semantics, ip, semver, socks), so the accepted residual risk applies only to the remaining un-overridable, bundled instances
-6. **Severity vs Impact**: Low/High severity ratings don't reflect actual risk given our limited usage context and CI/CD isolation
-7. **Monitoring & Controls**: Continuing to monitor for upstream patches in npm and semantic-release packages, and relying on additional CI safety checks (e.g., `ci-safety-deps`, `dry-aged-deps`) to catch regressions or newly introduced risky versions
-
-## Mitigation Measures
-
-- Continue monitoring npm audit reports for upstream fixes
-- Review and upgrade semantic-release packages when new versions are released
-- Enforce explicit `package.json` overrides for vulnerable or risky transitive dependencies where technically possible (e.g., glob, tar, http-cache-semantics, ip, semver, socks)
-- Use CI dependency safety tooling (`ci-safety-deps`, `dry-aged-deps`) to:
-  - Detect newly introduced vulnerable versions
-  - Ensure overrides remain effective across dependency updates
-- Isolate CI/CD publishing process from untrusted input
-- Regular (weekly) review of dev-dependency audit status
-
-## Review Schedule
-
-- **Next Review**: 2025-11-25 (7 days)
-- **Escalation Trigger**: New vulnerability in bundled dependencies OR upstream patch available
-
-## Related Incidents
-
-- [2025-11-17 glob CLI incident](2025-11-17-glob-cli-incident.md) - Original glob vulnerability documentation
-
-## Previously Resolved
-
-- **js-yaml (GHSA-mh29-5h37-fv8m)**: Prototype pollution vulnerability resolved by upgrading to `js-yaml` >= 4.1.1 via `npm audit fix` and package.json override.
-- **tar (node-tar) (CVE-2023-47146)**: Arbitrary file write via directory traversal vulnerability resolved by enforcing `tar` >= 6.1.11 via package.json override.
-- **tar race condition (GHSA-29xp-372q-xqph)**: Resolved by downgrading semantic-release packages to v10.x/v21.x which don't bundle vulnerable npm versions.
-
-## Status Update (2025-11-23)
-
-As of 2025-11-23:
-- The previously documented glob/npm/brace-expansion vulnerabilities remain present only within dev tooling (semantic-release/@semantic-release/npm bundled npm).
-- `dry-aged-deps` has not yet surfaced a mature, vulnerability-free upgrade path for the affected semantic-release/npm combination.
-- The existing risk acceptance decision is unchanged and remains in force, and will be revisited once a stable, vulnerability-free upgrade is available and validated by our dependency safety tooling.

package/docs/security-incidents/2025-11-18-tar-race-condition.md

@@ -1,43 +0,0 @@
-# Security Incident Report: tar Race Condition
-
-**Date:** 2025-11-18
-
-**Dependency:** tar@7.5.1 bundled in npm@11.6.2 within @semantic-release/npm@10.0.6
-
-**Vulnerability ID:** GHSA-29xp-372q-xqph
-
-**Severity:** moderate
-
-**Description:**
-A race condition vulnerability in node-tar that can lead to uninitialized memory exposure. This vulnerability affects tar version 7.5.1 specifically.
-
-**Remediation:**
-
-- **Status:** Mitigated / resolved via dependency overrides and upstream updates
-- **Fixed Version:** tar >=6.1.12 enforced via overrides; current npm audit reports no active tar-related vulnerabilities in the dependency tree.
-
-**References:**
-
-- https://github.com/advisories/GHSA-29xp-372q-xqph
-
-**Timeline:**
-
-- **2025-11-18:** Identified vulnerability in dev dependencies via npm audit
-- **2025-11-18:** Identified as bundled dependency in @semantic-release/npm that cannot be overridden
-- **2025-11-18:** Accepted as residual risk with documented mitigation
-- **2025-11-21:** Confirmed mitigated: overrides in package.json and upstream updates mean npm audit no longer reports GHSA-29xp-372q-xqph for this project. Incident reclassified from residual risk to resolved.
-
-**Impact Analysis:**
-This vulnerability affects development-time dependencies bundled within the npm package used by semantic-release for automated publishing. The race condition requires specific timing conditions and is isolated to the CI/CD publishing process. Risk to the project and downstream users is minimal as:
-- Dev dependency only (not in production)
-- Race condition requires specific timing scenarios
-- Isolated to CI/CD publishing process
-- No end-user exposure
-- No production code impact
-
-**Current Status (as of 2025-11-21):**
-
-Subsequent dependency updates and the `tar` override (`tar >=6.1.12`) have removed the vulnerable version from the active dependency graph. Automated `npm audit --omit=dev --audit-level=high` checks report no tar-related vulnerabilities. This incident remains documented for historical purposes but does not represent an ongoing risk.
-
-**Testing:**
-Continuous `npm audit` checks in CI and pre-push hooks will detect if this vulnerability is resolved or if new vulnerabilities are introduced.

package/docs/security-incidents/2025-12-03-dependency-health-review.md

@@ -1,58 +0,0 @@
-# Dependency Health Review - 2025-12-03
-
-**Date:** 2025-12-03
-
-This document records the dependency health status of the project as of 2025-12-03, based on `dry-aged-deps` and existing security incident records.
-
-## Tools and Inputs
-
-- `npm run deps:maturity -- --format=json --check`
-- `npm audit --omit=dev --audit-level=high` (via `ci-verify:full`)
-- Dev-dependency audit snapshot: `docs/security-incidents/dev-deps-high.json`
-- Known error record: `docs/security-incidents/SECURITY-INCIDENT-2025-11-18-semantic-release-bundled-npm.known-error.md`
-
-## dry-aged-deps Summary
-
-Running `npm run deps:maturity -- --format=json --check` produced the following high-level summary:
-
-```json
-{
-  "packages": [],
-  "summary": {
-    "totalOutdated": 0,
-    "safeUpdates": 0,
-    "filteredByAge": 0,
-    "filteredBySecurity": 0,
-    "thresholds": {
-      "prod": { "minAge": 7, "minSeverity": "none" },
-      "dev": { "minAge": 7, "minSeverity": "none" }
-    }
-  }
-}
-```
-
-Interpretation:
-
-- `packages: []` indicates that `dry-aged-deps` did not identify any direct or transitive dependencies with dry-aged-safe upgrade candidates under the current thresholds.
-- `totalOutdated: 0` and `safeUpdates: 0` confirm that, as of this run, there are no library updates that meet the project’s maturity and security criteria.
-
-## Production Dependency Health
-
-- `npm audit --omit=dev --audit-level=high` currently reports **0 high-severity (or higher) vulnerabilities** for production dependencies.
-- This check is enforced as part of `npm run ci-verify:full` and runs on every push to `main` in the CI/CD pipeline.
-
-## Development Dependency Health
-
-- High-severity dev-only vulnerabilities are tracked in `docs/security-incidents/dev-deps-high.json` and surfaced via `npm run audit:dev-high` and `npm run safety:deps`.
-- The remaining known high-severity items are limited to the bundled `npm` and its transitive `glob`/`brace-expansion` dependencies inside `@semantic-release/npm`, as documented in `SECURITY-INCIDENT-2025-11-18-semantic-release-bundled-npm.known-error.md` and the ADR `adr-accept-dev-dep-risk-glob.md`.
-- `dry-aged-deps` currently reports no safe, policy-compliant upgrade path for this toolchain; specifically, there are no candidates that both:
-  - Satisfy the configured minimum age thresholds for prod and dev dependencies, and
-  - Resolve the bundled `glob`/`brace-expansion` advisories without introducing new issues.
-
-## Conclusion
-
-- **No dependency updates were applied** as a result of this review, because `dry-aged-deps` reported `totalOutdated: 0` and `safeUpdates: 0`.
-- Production dependencies remain free of high-severity vulnerabilities according to `npm audit --omit=dev --audit-level=high`.
-- The previously documented dev-only vulnerability in the semantic-release/npm toolchain remains a **known error** with compensating controls and is still considered an accepted residual risk.
-
-This document should be updated or superseded on subsequent dependency health reviews when `dry-aged-deps` identifies new safe upgrade candidates or when the known error for the semantic-release/npm toolchain is resolved.

package/docs/security-incidents/SECURITY-INCIDENT-2025-11-18-semantic-release-bundled-npm.known-error.md

@@ -1,104 +0,0 @@
-# Security Incident Report: semantic-release bundled npm/glob/brace-expansion
-
-**Date:** 2025-11-18
-
-**Dependency:** @semantic-release/npm@10.0.6 (bundled npm@9.5.0 with glob and brace-expansion)
-
-**Vulnerability ID:** GHSA-5j98-mcp5-4vw2 (glob CLI), GHSA-v6h2-p8h4-qcjw (brace-expansion ReDoS)
-
-**Severity:** High (glob via npm), Low (brace-expansion)
-
-**Description:**
-
-The `@semantic-release/npm@10.0.6` dev dependency bundles `npm@9.5.0`, which in turn includes vulnerable versions of `glob` and `brace-expansion`:
-
-- `glob` (10.2.010.4.5) is affected by command injection when the glob CLI is invoked with the `-c/--cmd` flag (`GHSA-5j98-mcp5-4vw2`).
-- `brace-expansion` (1.0.01.1.11 and 2.0.02.0.1) is affected by a Regular Expression Denial of Service (ReDoS) issue (`GHSA-v6h2-p8h4-qcjw`).
-
-These vulnerable packages are *only* present inside the npm binary bundled within `@semantic-release/npm`. They are **not** part of the production dependency tree used by the published `eslint-plugin-traceability` package.
-
-**Remediation:**
-
-- **Status:** Known error with compensating controls (dev-only tooling)
-- **Fixed Version:** Pending
-
-As of 2025-12-03:
-
-- `npm run deps:maturity -- --format=json` reports no safe, dry-aged upgrade candidates for `@semantic-release/npm` within the current semantic-release v21.x toolchain used by this project.
-- Upgrading to the latest `semantic-release@25.x` and `@semantic-release/npm@13.1.2` would require a coordinated major toolchain migration and may still embed a bundled `npm` implementation; the security characteristics of that new bundle have not yet been fully evaluated.
-
-Given these constraints, the project treats this as a **known error** in dev-only tooling and applies compensating controls instead of attempting a premature upgrade.
-
-**References:**
-
-- GitHub Security Advisory (glob CLI): https://github.com/advisories/GHSA-5j98-mcp5-4vw2
-- GitHub Security Advisory (brace-expansion): https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
-- Dev dependency audit snapshot: `docs/security-incidents/dev-deps-high.json`
-- Prior incident notes:
-  - `docs/security-incidents/2025-11-17-glob-cli-incident.md`
-  - `docs/security-incidents/2025-11-18-brace-expansion-redos.md`
-  - `docs/security-incidents/2025-11-18-bundled-dev-deps-accepted-risk.md`
-
-**Timeline:**
-
-- **2025-11-17**: High-severity `glob` and `npm` dev-dependency issues detected via `npm audit` and captured in `dev-deps-high.json`.
-- **2025-11-18**: Initial incident markdown files created to document residual risk in bundled dev dependencies within `@semantic-release/npm`.
-- **2025-11-23**: Confirmed that no mature, safe upgrade path was available via `dry-aged-deps`; residual risk kept under review.
-- **2025-12-03**: Incident converted into a formal `SECURITY-INCIDENT-*.known-error.md` record with explicit compensating controls and linkage to CI/CD configuration.
-
-**Impact Analysis:**
-
-- The vulnerable `glob` and `brace-expansion` instances exist exclusively inside the npm CLI bundled with `@semantic-release/npm` and are only used during automated release publishing from CI.
-- There is **no** impact on:
-  - The published eslint plugin runtime (`eslint-plugin-traceability`).
-  - End-user projects that consume this plugin.
-  - Production dependency trees (`npm audit --production` reports 0 vulnerabilities).
-- Exploitability in this projects context is low because:
-  - CI workflows do not invoke the `glob` CLI with `-c/--cmd` and do not expose untrusted patterns to the bundled npm CLI.
-  - The semantic-release job runs in a controlled CI environment with a tightly scoped `NPM_TOKEN` and no untrusted user input.
-  - The primary risk is limited to the release automation environment, not to downstream users.
-
-**Compensating Controls:**
-
-1. **Environment Isolation**
-   - The vulnerable tooling is only executed in the `quality-and-deploy` job of `.github/workflows/ci-cd.yml` on pushes to the `main` branch.
-   - Job-level permissions are scoped to the minimum required for releases (`contents`, `issues`, `pull-requests`, `id-token`). No additional permissions are granted.
-   - The job runs on GitHub-hosted runners and does not have access to any internal infrastructure.
-
-2. **Dependency and Audit Controls**
-   - `npm audit --omit=dev --audit-level=high` is enforced as part of `npm run ci-verify:full` to ensure production dependencies are free of high-severity issues.
-   - `npm run audit:dev-high` (via `scripts/generate-dev-deps-audit.js`) continuously records high-severity dev-only vulnerabilities into `ci/npm-audit.json` for review.
-   - `npm run safety:deps` (via `scripts/ci-safety-deps.js`) runs `dry-aged-deps` to validate that no safe, dry-aged upgrades are currently available; this output is published as a CI artifact.
-   - `package.json` uses `overrides` to enforce safer versions of many transitive dependencies (e.g., `glob`, `tar`, `http-cache-semantics`, `ip`, `semver`, `socks`) wherever technically possible. These overrides do **not** affect the npm binary bundled within `@semantic-release/npm`, but they reduce the surrounding attack surface.
-
-3. **Usage Constraints**
-   - Project scripts and CI workflows never invoke `glob` with the `-c/--cmd` options, eliminating the known command-injection vector in normal operation.
-   - The release job does not accept untrusted user input that could influence file patterns or environment variables passed to the bundled npm CLI.
-
-4. **Monitoring and Review**
-   - The nightly `dependency-health` job runs `npm run audit:dev-high` to keep dev-dependency vulnerabilities under continuous review.
-   - `docs/decisions/adr-accept-dev-dep-risk-glob.md` documents this decision and requires weekly reassessment using the CI audit artifacts.
-   - Any change in `dev-deps-high.json` that indicates the availability of a patched, dry-aged-safe version of `@semantic-release/npm` or its bundled npm will trigger reevaluation and, if feasible, an upgrade.
-
-**Testing:**
-
-- `npm run ci-verify:full` (used in CI and pre-push) validates:
-  - Build and type-check succeed.
-  - Linting, duplication, and traceability checks pass.
-  - Jest test suite (with coverage) passes.
-  - `npm audit --omit=dev --audit-level=high` passes (production dependencies clean).
-  - `npm run audit:dev-high` and `npm run safety:deps` complete and publish audit artifacts.
-- The semantic-release publishing step is followed, when a new version is published, by `scripts/smoke-test.sh`, which installs the freshly published package in an isolated temp project and validates that the plugin loads correctly. This ensures that any future upgrade of the release toolchain preserves expected behavior.
-
-**Planned Follow-ups:**
-
-- Periodically re-run `npm run deps:maturity -- --format=json --check` when updating dev dependencies to identify a safe, vulnerability-free version of `@semantic-release/npm` or an alternative release mechanism.
-- When a safe, dry-aged-compatible upgrade path is available, migrate to a newer semantic-release/npm toolchain and retire this known error record by adding a **Resolved** section documenting the change.
-
-Created autonomously by voder.ai
-
-## Relationship to User-Facing Guarantees
-
-This known error is limited to dev-only release tooling and does not change the security guarantees described in the README and user documentation. The vulnerable `glob` and `brace-expansion` instances are only executed inside GitHub Actions during semantic-release; they are never run when users install or run `eslint-plugin-traceability` or `traceability-maint`.
-
-The combination of `npm audit --omit=dev --audit-level=high` and `dry-aged-deps` checks is what allows the project to assert that published versions do not ship with known high-severity vulnerabilities in their **production** dependency tree. Because the affected code is confined to CI release automation and excluded from the published runtime dependencies, the security posture promised to end users remains intact.

package/docs/security-incidents/SECURITY-INCIDENT-TEMPLATE.md

@@ -1,37 +0,0 @@
-# Security Incident Report
-
-**Date:** YYYY-MM-DD
-
-**Dependency:** <package name>@<version>
-
-**Vulnerability ID:** <CVE or GHSA identifier>
-
-**Severity:** <severity level>
-
-**Description:**
-
-A detailed description of the vulnerability, its impact on our project, and any relevant context or references.
-
-**Remediation:**
-
-- **Status:** [Patched/Workaround/Monitor/Other]
-- **Fixed Version:** <version> (if patched) or describe workaround/monitor plan
-
-**References:**
-
-- Link to vulnerability advisory or CVE: <URL>
-- Link to any relevant PRs, issues, or documentation: <URL>
-
-**Timeline:**
-
-- [Date] Identified vulnerability
-- [Date] Decision made to remediate or monitor
-- [Date] Applied patch or workaround
-
-**Impact Analysis:**
-
-Describe the potential impact of the vulnerability on our project.
-
-**Testing:**
-
-Describe any tests or checks added to validate the remediation (e.g., automated audits, dependency pinning).

package/docs/security-incidents/dependency-override-rationale.md

@@ -1,57 +0,0 @@
-# Dependency Override Rationale
-
-**Date:** 2025-11-18
-
-This document provides the rationale for each manual dependency override specified in `package.json` under the `overrides` section. Manual overrides bypass the automated recommendation tool (`dry-aged-deps`) and may introduce residual risk; thus, each override is documented with a risk assessment and justification.
-
-## glob @ 12.0.0
-- **Reason:** Mitigate GHSA-5j98-mcp5-4vw2 (glob CLI command injection) affecting versions 10.3.7–11.0.3 by pinning to 12.0.0 which includes upstream fixes.
-- **Role:** Transitive dev-dependency in `@semantic-release/npm`.
-- **Risk Assessment:** Residual risk low; dev-only, no production exposure, specific CLI flag not used.
-- **Documentation:** See [glob CLI incident](2025-11-17-glob-cli-incident.md).
-
-## tar @ >=6.1.12
-- **Reason:** Address CVE-2023-47146 (directory traversal) and GHSA-29xp-372q-xqph (race condition) by requiring tar ≥6.1.12.
-- **Role:** Transitive dependency for packaging; dev-only.
-- **Risk Assessment:** Low; no untrusted archive processing in project.
-- **Documentation:** See [tar race condition incident](2025-11-18-tar-race-condition.md).
-
-## http-cache-semantics @ >=4.1.1
-- **Reason:** Upgrade to version addressing a moderate severity HTTP caching vulnerability.
-- **Role:** Transitive dev-dependency in caching libraries.
-- **Risk Assessment:** Low; dev-only, isolated impact.
-- **References:** https://github.com/advisories/GHSA-rc47-6667-r5fw
-
-## ip @ >=2.0.2
-- **Reason:** Address vulnerability in the `ip` package (e.g., GHSA-xxxx).
-- **Role:** Transitive dev-dependency.
-- **Risk Assessment:** Low; dev-only.
-- **References:** https://github.com/advisories/GHSA-5jpg-2xvr-rw5w
-
-## semver @ >=7.5.2
-- **Reason:** Mitigate advisory in `semver` package affecting version parsing (GHSA-xxxx).
-- **Role:** Transitive dev-dependency.
-- **Risk Assessment:** Low; dev-only.
-- **References:** https://github.com/advisories/GHSA-vwqq-5vrc-xw9h
-
-## socks @ >=2.7.2
-- **Reason:** Upgrade to version addressing security advisory in `socks` package (GHSA-xxxx).
-- **Role:** Transitive dev-dependency.
-- **Risk Assessment:** Low; dev-only.
-- **References:** https://github.com/advisories/GHSA-5v9h-799p-53ph
-
-## Mitigation and Next Steps
-- Monitor `npm audit` and `dry-aged-deps` recommendations for upstream patches.
-- Remove manual overrides when safe versions are released and validated.
-- Document any new overrides following the procedure in `handling-procedure.md`.
-
-## Relationship to Dev-Dependencies Audit
-
-The overrides for `glob`, `tar`, `http-cache-semantics`, `ip`, `semver`, and `socks` correspond directly to the accepted-risk items captured in the dev-dependencies audit snapshot (`dev-deps-high.json`). The CI helper script `ci-safety-deps.js` runs `dry-aged-deps` (or a stable fallback when `dry-aged-deps` is unavailable) to generate machine-readable vulnerability reports. These reports, together with `dev-deps-high.json`, are used whenever we reassess and either renew, tighten, or remove these accepted-risk overrides.
-
-## Alignment with dry-aged-deps
-
-- The current manual overrides are layered on top of the `dry-aged-deps` maturity rules: `dry-aged-deps` still runs in CI and informs us of any newer, sufficiently “aged” versions, while overrides define explicit, reviewed exceptions.
-- Overrides are only added after `dry-aged-deps` output and security advisories have been reviewed, and they are periodically revalidated against fresh `dry-aged-deps` runs to ensure we are not blocking safe, tool-recommended upgrades.
-- As of 2025-12-03, a fresh `npm run deps:maturity -- --format=json --check` run reported `totalOutdated: 0` and `safeUpdates: 0`, confirming that `dry-aged-deps` does not currently recommend newer versions for any of the overridden packages.
-- When future `dry-aged-deps` runs begin to report non-zero `safeUpdates` for these packages, we will reassess each override, prefer tool-aligned upgrades where feasible, and remove or narrow overrides once upgraded versions are validated.

package/docs/security-incidents/dev-deps-high.json

@@ -1,116 +0,0 @@
-{
-  "auditReportVersion": 2,
-  "vulnerabilities": {
-    "brace-expansion": {
-      "name": "brace-expansion",
-      "severity": "low",
-      "isDirect": false,
-      "via": [
-        {
-          "source": 1105443,
-          "name": "brace-expansion",
-          "dependency": "brace-expansion",
-          "title": "brace-expansion Regular Expression Denial of Service vulnerability",
-          "url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw",
-          "severity": "low",
-          "cwe": [
-            "CWE-400"
-          ],
-          "cvss": {
-            "score": 3.1,
-            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
-          },
-          "range": ">=1.0.0 <=1.1.11"
-        },
-        {
-          "source": 1105444,
-          "name": "brace-expansion",
-          "dependency": "brace-expansion",
-          "title": "brace-expansion Regular Expression Denial of Service vulnerability",
-          "url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw",
-          "severity": "low",
-          "cwe": [
-            "CWE-400"
-          ],
-          "cvss": {
-            "score": 3.1,
-            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
-          },
-          "range": ">=2.0.0 <=2.0.1"
-        }
-      ],
-      "effects": [],
-      "range": "1.0.0 - 1.1.11 || 2.0.0 - 2.0.1",
-      "nodes": [
-        "node_modules/@semantic-release/npm/node_modules/npm/node_modules/brace-expansion",
-        "node_modules/@semantic-release/npm/node_modules/npm/node_modules/node-gyp/node_modules/brace-expansion",
-        "node_modules/@semantic-release/npm/node_modules/npm/node_modules/node-gyp/node_modules/cacache/node_modules/brace-expansion",
-        "node_modules/@semantic-release/npm/node_modules/npm/node_modules/rimraf/node_modules/brace-expansion"
-      ],
-      "fixAvailable": true
-    },
-    "glob": {
-      "name": "glob",
-      "severity": "high",
-      "isDirect": false,
-      "via": [
-        {
-          "source": 1109842,
-          "name": "glob",
-          "dependency": "glob",
-          "title": "glob CLI: Command injection via -c/--cmd executes matches with shell:true",
-          "url": "https://github.com/advisories/GHSA-5j98-mcp5-4vw2",
-          "severity": "high",
-          "cwe": [
-            "CWE-78"
-          ],
-          "cvss": {
-            "score": 7.5,
-            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
-          },
-          "range": ">=10.2.0 <10.5.0"
-        }
-      ],
-      "effects": [
-        "npm"
-      ],
-      "range": "10.2.0 - 10.4.5",
-      "nodes": [
-        "node_modules/@semantic-release/npm/node_modules/npm/node_modules/glob"
-      ],
-      "fixAvailable": true
-    },
-    "npm": {
-      "name": "npm",
-      "severity": "high",
-      "isDirect": false,
-      "via": [
-        "glob"
-      ],
-      "effects": [],
-      "range": "7.21.0 - 8.5.4 || 9.6.6 - 11.6.0",
-      "nodes": [
-        "node_modules/@semantic-release/npm/node_modules/npm"
-      ],
-      "fixAvailable": true
-    }
-  },
-  "metadata": {
-    "vulnerabilities": {
-      "info": 0,
-      "low": 1,
-      "moderate": 0,
-      "high": 2,
-      "critical": 0,
-      "total": 3
-    },
-    "dependencies": {
-      "prod": 1,
-      "dev": 1066,
-      "optional": 33,
-      "peer": 0,
-      "peerOptional": 0,
-      "total": 1066
-    }
-  }
-}