Parent umbrella issue: #495
Source audit: Weekly tech debt audit: dispatch - 2026-07-01
Source audit date: 2026-07-01
Original recommendation
Security accepted risks doc lagging actual state
Evidence: SECURITY-ACCEPTED-RISKS.md says "no accepted npm runtime advisories" and was last updated 2026-06-17. This is current, but the document format could be expanded to track risks beyond npm (e.g., auth mode configuration drift, GitHub token exposure surface, dependency chain length).
Matched top finding
Evidence: SECURITY-ACCEPTED-RISKS.md says "no accepted npm runtime advisories" and was last updated 2026-06-17. This is current, but the document format could be expanded to track risks beyond npm (e.g., auth mode configuration drift, GitHub token exposure surface, dependency chain length).