docs(GH-148): refresh dep-audit status block after re-run#5

Merged
GOkasha merged 1 commit into
mainfrom
docs/GH-148-refresh-dep-audit-status
May 21, 2026

Conversation

@GOkasha GOkasha commented May 21, 2026

Owner

Summary

  • Adds a status update block to projects/ecommerce-accountant-software/dep-audit-2026-05-20.md.
  • Records the verified npm-audit re-run result: 0 critical / 0 high / 2 moderate / 0 low.
  • Confirms all original high vulnerabilities are cleared.
  • Records that the remaining moderate advisories trace to postcss <8.5.10, still pinned through
    next@16.2.6.
  • Keeps the original 2026-05-20 audit body preserved as a historical snapshot.

Validation

  • Read-only npm audit --json was run.
  • No npm audit fix, npm install, or npm update was run.
  • App workspace remained clean.
  • Only one ApexYard docs file changed.
  • No app code, Prisma, migrations, package files, or .env files were touched.

Glossary

Term                 | Meaning
GHSA                 | GitHub Security Advisory ID.
Umbrella ticket      | A tracker issue grouping child remediation issues.
Disposition decision | The chosen handling for an advisory: fix, override, accept, or wait for upstream.
npm overrides        | A package.json mechanism to force a transitive dependency version.
Prepend block        | A new status section added above an old report while preserving the original snapshot.

Notes

Refs GOkasha/ecommerce-accountant-software#148

@GOkasha GOkasha left a comment

Owner Author

Code Review: PR #5

Commit reviewed: e80b1de06325caf743a88f8e398057b0fb714568

Summary

Docs-only PR. Single file (projects/ecommerce-accountant-software/dep-audit-2026-05-20.md) gets a ## Status update — 2026-05-21 block prepended above the original 2026-05-20 audit. The original 361-line audit body is preserved byte-identical below the new section (verified via git diff e80b1de~1 e80b1de: only the ## 1. Summary line appears as the context for the prepend; no edits below it). Records the re-run npm-audit result (0/0/2/0, down from 0/5/2/0), cross-references the 4 closed audit items to their resolution PRs in the app repo, calls out that the postcss XSS moderate did NOT auto-resolve as the original audit predicted, and lays out the closure conditions for the me2resh#148 umbrella.

Checklist Results

  • Architecture & Design: N/A — docs only.
  • Code Quality: N/A — docs only. Tables are well-formed; markdown lint CI is green.
  • Testing: N/A — docs only.
  • Security: PASS — no secrets, no credentials, no app code touched. The doc accurately reports the residual postcss XSS advisory and defers the disposition decision to me2resh#152 (correct shape — disposition is a decision, decisions need an AgDR, AgDR belongs with the decision ticket).
  • Performance: N/A.
  • PR Description & Glossary: PASS — Glossary present with 5 rows (GHSA, Umbrella ticket, Disposition decision, npm overrides, Prepend block). All terms used in the body are explained. PR title docs(GH-148): conforms to .claude/rules/git-conventions.md.
  • Technical Decisions (AgDR): N/A — this is a status refresh, not a new decision. The diff explicitly defers disposition options (a) npm overrides, (b) explicit acceptance in DECISIONS_LOG.md, (c) wait for Next 16.2.7+ to me2resh#152's own AC. That's the correct boundary per .claude/rules/agdr-decisions.md — the AgDR will be authored when me2resh#152 is resolved, not in this status-update PR.
  • Adopter Handbooks: N/A — no handbooks/ files apply to a docs-only ops-repo PR.

Verifications performed

  • Body preservation: confirmed prepend-only. git diff shows the only context line below the new --- separator is ### Vulnerability counts (npm audit) — content from the original audit. Line count: 361 → 419, delta +58 (matches +59 -1 net).
  • Cross-repo references resolve: spot-checked GOkasha/ecommerce-accountant-software#148 (OPEN), #152 (OPEN), #153 (OPEN), #154 (MERGED), #162 (MERGED), #164 (MERGED). All match the claimed states.
  • npm-audit claim accuracy: read .claude/session/npm-audit-2026-05-21.json.metadata.vulnerabilities returns exactly {critical: 0, high: 0, moderate: 2, low: 0, info: 0, total: 2}. Matches the doc's claim.
  • Cross-repo Refs (not Closes): PR body uses Refs GOkasha/ecommerce-accountant-software#148 — correct; me2resh#148 stays open until me2resh#152 + me2resh#153 close.
  • Ticket vocabulary: every #N in the PR body and the doc references a real existing GitHub Issue or PR in either GOkasha/apexyard or GOkasha/ecommerce-accountant-software. No fabricated tracker notation.

Issues Found

None blocking.

Suggestions

advisory — None on this PR; the documentation pattern (preserve historical snapshot, prepend status update) is the right shape and matches the precedent set in PR #4. No need to mutate the doc further until the next dep-audit cycle, which (as the PR correctly notes) should produce a new dep-audit-YYYY-MM-DD.md alongside this one.

nit — In the "Remaining open work" table, L1/L2/L4 are listed as "Open — not ticketed" with [Chore] filing suggestions. Worth filing those three as actual [Chore] tickets against the app repo (and L4 against the ops fork) at some point so they don't drift into the next audit cycle as "still open — still not ticketed." Not a blocker — the doc surfaces them, which is the point.

Framework follow-up (advisory, NOT a blocker on this PR)

The PR description notes the commit was created via VS Code terminal rather than the Bash tool because the framework's validate-commit-format.sh PreToolUse hook on this Windows fork has a CRLF (\r) issue parsing the type-whitelist, which makes docs(GH-148): (and any other valid type(scope): form) unmatchable. The resulting commit on origin conforms to git-conventions.md perfectly fine — this is a framework defect, not a PR defect.

Suggest filing a separate [Bug] ticket against GOkasha/apexyard capturing:

  • Repro: invoke Bash tool with git commit -m "docs(GH-148): refresh dep-audit status block after re-run" on the Windows fork
  • Expected: hook passes (commit type docs is on the whitelist)
  • Actual: hook blocks because the whitelist read from disk contains trailing \r from CRLF line endings, so the regex match ^(feat|fix|docs|...)\( fails
  • Fix shape: strip \r from the whitelist after reading (typical one-line sed 's/\r$//' or use dos2unix-style normalisation in _lib-*), or invoke the matcher with normalised input

This belongs as its own ticket, not as a change request on this PR.

Verdict

APPROVED

The PR is exactly what it says on the tin: a verified status refresh of the 2026-05-20 dep audit, with cross-references that all resolve, accurate npm-audit numbers, the right documentation pattern (prepend-not-rewrite), correct deferral of the postcss disposition decision to me2resh#152, and full conformance to PR-quality and git-conventions rules. Ready to merge after the per-PR CEO approval (/approve-merge 5).


🤖 Reviewed by Rex (Code Reviewer Agent)
📌 Reviewed commit: e80b1de06325caf743a88f8e398057b0fb714568

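The CRLF failure described in the review comment above, reproduced as an added example that is not the apexyard framework's validate-commit-format.sh hook or its _lib-* helpers: a constructed type whitelist saved with Windows line endings, the buggy matcher that builds ^(feat|fix|docs|...)\( from it verbatim, and the fixed matcher that strips \r before building the pattern. The whitelist file name, its one-type-per-line layout, the optional (scope) regex and the tr-based normalisation (the portable equivalent of the review's sed 's/\r$//') are assumptions for the demo, not details taken from the framework.

```shell
#!/bin/sh
# Added example, not the framework's validate-commit-format.sh hook.
# Assumptions: the whitelist is one commit type per line, the matcher builds
# ^(type1|type2|...)(\(scope\))?:  from it, and a CRLF-saved copy is what
# the hook reads on the Windows fork.
set -eu

DEMO_DIR="$(mktemp -d)"
trap 'rm -rf "$DEMO_DIR"' EXIT
WHITELIST="$DEMO_DIR/commit-types.txt"

# Constructed whitelist written with Windows (CRLF) line endings.
printf 'feat\r\nfix\r\ndocs\r\nchore\r\n' > "$WHITELIST"

# Join the whitelist lines into an ERE alternation followed by an optional
# (scope) and the ': ' separator. Whatever trails each line, including a
# stray \r, ends up inside the alternation.
build_pattern() {
    types="$(paste -sd'|' "$1")"
    printf '^(%s)(\\([A-Za-z0-9_.-]+\\))?: ' "$types"
}

# Buggy matcher: reads the whitelist verbatim, so every alternative is
# "docs\r" and "docs(GH-148): ..." can never match.
check_buggy() {
    pattern="$(build_pattern "$WHITELIST")"
    printf '%s\n' "$1" | grep -Eq "$pattern"
}

# Fixed matcher: normalise line endings before building the pattern.
# tr -d '\r' is the portable form of the review's sed 's/\r$//'.
check_fixed() {
    normalised="$DEMO_DIR/commit-types.lf"
    tr -d '\r' < "$WHITELIST" > "$normalised"
    pattern="$(build_pattern "$normalised")"
    printf '%s\n' "$1" | grep -Eq "$pattern"
}

MSG='docs(GH-148): refresh dep-audit status block after re-run'

if check_buggy "$MSG"; then
    echo "buggy matcher: accepted (unexpected)"
else
    echo "buggy matcher: rejected '$MSG' because of trailing CR in the whitelist"
fi

if check_fixed "$MSG"; then
    echo "fixed matcher: accepted '$MSG'"
else
    echo "fixed matcher: rejected (unexpected)"
fi
```

Run it as-is on Linux or macOS: the first line reports the rejection, the second the acceptance. The normalisation step is the whole fix; where exactly the framework reads its whitelist (which _lib-* file, which variable) is not stated on this page, so the file names here are illustrative only.
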
@GOkasha GOkasha merged commit 81d25c4 into main May 21, 2026
2 checks passed
@GOkasha GOkasha deleted the docs/GH-148-refresh-dep-audit-status branch May 21, 2026 16:38
Development

Successfully merging this pull request may close these issues.

[Docs] Correct privacy-gate wording — adopter action, not framework auto-publish

1 participant