simpl-liste/STATE.md
le king fu f52e1e9e06 docs(security): seed STATE.md and SECURITY.md after vuln remediation
STATE.md follows the 3-section monorepo pattern (Current position, Recent
decisions, Active blockers). SECURITY.md tracks resolved CVEs (4 HIGH xmldom)
and residuals (GHSA-w5hq-g745-h8pq uuid, non-exploitable in practice).

Refs #76

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 07:30:41 -04:00

STATE — simpl-liste

Current position

Version 1.6.1 (versionCode 13). Remediation of the Defender vulnerabilities is in progress via the overrides @xmldom/xmldom@^0.8.13 and uuid@^11.0.0 in package.json (overnight 2026-04-24). 4 HIGH xmldom CVEs cleared; 1 residual uuid advisory, non-exploitable in practice (details in SECURITY.md).

Recent decisions

  • 2026-04-24: xmldom + uuid overrides (spec spec-decisions-vuln-simpl-liste.md); PRs #77, #78, #79 (pending-human).
  • 2026-04-23: PR #71 merged; widget optimistic-render fix + timing instrumentation.
  • 2026-04-18: milestone spec-simpl-liste-web archived (12/12 done).

Active blockers

  • Advisory GHSA-w5hq-g745-h8pq (uuid <14.0.0) is still flagged by npm audit after the ^11 override: non-exploitable (xcode/ngrok use uuid.v4(); the bug is in v3/v5/v6 when called with buf). Decision required from Max: accept the residual, or attempt a bump to ^14 (risk: ESM-only).
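If the "accept the residual" option is chosen, the acceptance should be recorded somewhere a CI job can enforce it, since npm audit itself has no per-advisory allowlist: an accepted advisory either keeps failing the audit step or the whole step gets silenced. The script below is an added example, not code from the simpl-liste repository; it gates the output of `npm audit --json` against an explicit allowlist that carries the justification from the blocker above and a hypothetical review date. It assumes the npm 7+ audit report shape (auditReportVersion 2, where `vulnerabilities[pkg].via` holds advisory objects with a GHSA `url`, plus plain package-name strings for transitive entries); the embedded report and its severity values are constructed sample data, not the real advisory record.

```javascript
// Added example (not part of simpl-liste): gate `npm audit --json` output
// against an explicit allowlist of accepted residual advisories.
// Assumption: npm >=7 report shape (auditReportVersion 2).

// Accepted residuals. The reason mirrors the STATE.md blocker; the expiry
// date is hypothetical and forces a re-review instead of a silent forever-accept.
const ACCEPTED = {
  "GHSA-w5hq-g745-h8pq": {
    package: "uuid",
    reason: "only uuid.v4() reachable via xcode/ngrok; bug is in v3/v5/v6 with buf",
    expires: "2026-07-24", // hypothetical review date
  },
};

// Constructed sample report (NOT real npm output); severities are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    uuid: {
      name: "uuid", severity: "moderate", isDirect: false,
      via: [{
        source: 0, name: "uuid", dependency: "uuid", title: "constructed sample",
        url: "https://github.com/advisories/GHSA-w5hq-g745-h8pq",
        severity: "moderate", range: "<14.0.0",
      }],
      effects: ["xcode", "ngrok"], range: "<14.0.0",
      nodes: ["node_modules/uuid"], fixAvailable: false,
    },
    // Transitive entry: `via` is a package name, not an advisory object.
    xcode: {
      name: "xcode", severity: "moderate", isDirect: false, via: ["uuid"],
      effects: [], range: "*", nodes: ["node_modules/xcode"], fixAvailable: false,
    },
  },
};

// Extract the GHSA id from a `via` entry; null for transitive name strings.
function advisoryId(via) {
  if (typeof via !== "object" || via === null || typeof via.url !== "string") return null;
  const m = via.url.match(/GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/i);
  return m ? m[0] : null;
}

// Returns { ok, blocking, accepted }. An advisory is accepted only if its id
// is allowlisted for that exact package and the acceptance has not expired.
function gateAudit(report, accepted = ACCEPTED, today = new Date()) {
  const blocking = [];
  const acceptedHits = [];
  for (const [pkg, entry] of Object.entries(report.vulnerabilities || {})) {
    for (const via of entry.via || []) {
      const id = advisoryId(via);
      if (!id) continue; // transitive pointer; counted under its own package
      const rule = accepted[id];
      const expired = Boolean(rule && rule.expires && new Date(rule.expires) < today);
      if (rule && rule.package === pkg && !expired) {
        acceptedHits.push({ id, package: pkg, reason: rule.reason });
      } else {
        blocking.push({ id, package: pkg, severity: via.severity, range: via.range, expired });
      }
    }
  }
  return { ok: blocking.length === 0, blocking, accepted: acceptedHits };
}

// `npm audit --json | node audit-gate.js --stdin` gates a real report;
// without the flag the script evaluates the constructed sample.
if (typeof process !== "undefined" && process.argv.includes("--stdin")) {
  let raw = "";
  process.stdin.setEncoding("utf8");
  process.stdin.on("data", (chunk) => { raw += chunk; });
  process.stdin.on("end", () => {
    const result = gateAudit(JSON.parse(raw));
    console.log(JSON.stringify(result, null, 2));
    process.exitCode = result.ok ? 0 : 1;
  });
} else {
  console.log(JSON.stringify(gateAudit(SAMPLE_REPORT, ACCEPTED, new Date("2026-04-24")), null, 2));
}
```

The package-name match matters: an allowlist keyed on the GHSA id alone would also wave through the same advisory if it ever surfaced on a different, directly reachable package. The expiry turns the "accept the residual" decision into something that is revisited when the ^14 bump (and its ESM-only risk) is re-evaluated.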