Skip to content

SEC-DOC-001B — Correct stale Functions production-audit count #243

Description

@daliu

Officer impact: None — this corrects one engineering risk-ledger sentence. It changes no page, officer task, permission, data, payment, provider, or live service.

Officer documentation: None — no current officer procedure or diagram changes.

Deployment evidence: None at creation. Closure must distinguish documentation source/tests/merge from website publication, Firebase deployment, provider state, production data, and live behavior.

Problem

On exact main 5dd3ba6d3bb966ed1d6fa987abf32d3530d5f96b, the SUPPLY-001C residual sentence in SECURITY.md says there are 9 Functions production findings.

Fresh Node 20.20.2 lockfile audits on that exact source show:

  • npm --prefix functions audit --omit=dev --json: 8 moderate affected packages, 0 high or critical.
  • npm --prefix functions audit --json: 9 moderate affected packages, 0 high or critical.

The ninth finding is present only when development dependencies are included. Calling all nine production findings contradicts the current RISK-014 summary and SUPPLY-001D1 ledger, both of which correctly report eight production findings.

Atomic outcome

Change only the SUPPLY-001C residual sentence from 9 Functions production findings to 8. Preserve the 6-root count, all remaining wording, every other SECURITY row, and all historical evidence.

Required proof

  • Both exact audit commands reproduce 8 production and 9 full-tree findings.
  • Exact diff is one phrase in one SECURITY.md row.
  • git diff --check, Markdown structure, and secret-pattern checks pass.
  • Two independent read-only truth/coordination reviews approve the exact hash.
  • Hosted and post-merge CI pass; deployment state is reported separately.

Exact ownership

  1. SECURITY.md — only the SUPPLY-001C residual sentence currently saying 6 root and 9 Functions production findings.

Exclusions

No package, lockfile, source, test, Rules, workflow, provider, deployment, schema, migration, production-data, RISK-014 summary, SUPPLY-001D1 row, or other documentation change. Do not run audit fix or accept the remaining findings as safe.

Dependencies and coordination

SUPPLY-001C #202, SUPPLY-001D1 #212, and #238/#239 are merged and released. #242 owns only Strava callback/account/officer-guide paths. No open PR or duplicate issue owns this sentence. Stop if a newer exact-row claim appears.

Claim protocol

Creation is not a claim. Before editing, re-read live comments, assign the issue, post a UTC timestamped claim with branch and exact base, and move status:ready to status:in-progress.

Metadata

Metadata

Assignees

Labels

documentationImprovements or additions to documentationpriority:P2Medium-priority follow-upsize:XSOwner decision or very narrow changetype:reliabilityReliability and recoverytype:securitySecurity or privacy boundary

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions