Basic Information
Status: Open
Priority: Now
Category: Security
Repo: Content SDK PM
Effort: Trivial
Task ID: T-99B64292
Details
Document Security Floor Policy
Create a `SECURITY.md` in the repo root that documents the minimum supported versions of Next.js and React for security purposes. Reference CVE-2025-55182, CVE-2026-23864, and CVE-2026-27979. Include a table mapping CVE to minimum safe version. Link this from the README and from `create-content-sdk-app` output.
Why
Content SDK consumers need a single authoritative source for security-relevant version floors. The current peer dependency range silently permits vulnerable combinations. A security policy prevents this from recurring.
Evidence
CVE-2025-55182 (CVSS 10.0), CVE-2026-23864 (CVSS 7.5), CVE-2026-27979 (CVSS 7.5); no existing SECURITY.md in repo
Details
Context: Content SDK currently has no `SECURITY.md` file. Three CVEs affecting the React/Next.js stack have been disclosed in the past 6 months, two of which are actively exploited. Content SDK's peer dependency ranges technically permit vulnerable versions. A security policy document provides a single authoritative reference for consumers to check minimum safe versions.

Steps:
1. Create `SECURITY.md` at repo root
2. Include: vulnerability reporting process, minimum supported framework versions for security, a table of relevant CVEs with affected and fixed versions
3. Reference this file from `README.md` and from `create-content-sdk-app` post-scaffold output
4. Add a CI check that warns if peer dependency floors fall below documented security minimums
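One way to implement step 4, as an added example that is not code from the Content SDK repository: a Node script that reads the CVE table from `SECURITY.md`, derives a per-package security floor (the highest minimum safe version across the CVEs listed for that package), computes the lowest version each `peerDependencies` range admits, and warns when that lowest version falls below the floor. The `SECURITY.md` snippet, the `package.json` contents and every version number below are constructed placeholders (the task does not record the real fixed versions); the table column layout is an assumption about how the file will be written.

```javascript
// Added example, not Content SDK's own code: a CI guard that warns when a
// package.json peer-dependency range admits a version below the floor
// recorded in SECURITY.md. All version numbers are CONSTRUCTED placeholders,
// not the real fixed versions for the CVEs named in the task.

const SAMPLE_SECURITY_MD = `
# Security Policy

| CVE            | Package | Minimum safe version |
|----------------|---------|----------------------|
| CVE-2025-55182 | react   | 18.99.0              |
| CVE-2026-23864 | next    | 14.99.0              |
| CVE-2026-27979 | next    | 14.99.5              |
`;

// Constructed package.json: the "next" range starts below the documented floor.
const SAMPLE_PACKAGE_JSON = {
  name: 'content-sdk-placeholder',
  peerDependencies: {
    next: '^14.0.0 || ^15.0.0',
    react: '>=18.99.0',
    'react-dom': '^18.2.0 || ^19.0.0',
  },
};

// "1.2.3" -> [1, 2, 3]; prerelease and build suffixes are ignored for floor checks.
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Lowest version a single comparator admits. Upper-bound-only comparators
// ("<15.0.0") and wildcards admit everything, so their lower bound is 0.0.0.
function comparatorLowerBound(c) {
  if (c === '' || c === '*' || c === 'x') return '0.0.0';
  const m = /^(>=|>|~|\^|=)?\s*v?(\d+(?:\.\d+){0,2})/.exec(c);
  if (!m) return '0.0.0';
  const parts = m[2].split('.').map(Number);
  if (m[1] === '>') parts[parts.length - 1] += 1; // ">1.2.3" admits 1.2.4 at the lowest
  while (parts.length < 3) parts.push(0);
  return parts.join('.');
}

// Lowest version a full range admits: comparators inside one "||" alternative
// are ANDed (take the highest lower bound), alternatives are ORed (take the lowest).
function rangeLowerBound(range) {
  let lowest = null;
  for (const alt of range.split('||')) {
    const normalized = alt.trim().replace(/(\S+)\s+-\s+(\S+)/g, '>=$1 <=$2'); // "a - b" is ">=a <=b"
    const comparators = normalized.split(/\s+/).filter(Boolean);
    if (comparators.length === 0) comparators.push('*');
    const bound = comparators.map(comparatorLowerBound)
      .reduce((a, b) => (compareVersions(a, b) >= 0 ? a : b));
    if (lowest === null || compareVersions(bound, lowest) < 0) lowest = bound;
  }
  return lowest;
}

// Reads rows shaped "| CVE-YYYY-NNNN | package | version |" and keeps, per
// package, the highest minimum safe version together with the CVEs behind it.
function parseSecurityFloors(markdown) {
  const floors = {};
  for (const line of markdown.split('\n')) {
    const cells = line.split('|').map((s) => s.trim());
    if (cells.length < 4 || !/^CVE-\d{4}-\d+$/.test(cells[1])) continue;
    const [, cve, pkg, version] = cells;
    const current = floors[pkg];
    if (!current || compareVersions(version, current.version) > 0) {
      floors[pkg] = { version, cves: [...(current ? current.cves : []), cve] };
    } else {
      current.cves.push(cve);
    }
  }
  return floors;
}

function checkPeerDependencies(pkgJson, floors) {
  const violations = [];
  for (const [name, range] of Object.entries(pkgJson.peerDependencies || {})) {
    const floor = floors[name];
    if (!floor) continue; // no documented floor for this package
    const lowestAllowed = rangeLowerBound(range);
    if (compareVersions(lowestAllowed, floor.version) < 0) {
      violations.push({ name, range, lowestAllowed, floor: floor.version, cves: floor.cves });
    }
  }
  return violations;
}

// CI entry point: prints one warning per violation and returns them.
function runCheck(pkgJson = SAMPLE_PACKAGE_JSON, markdown = SAMPLE_SECURITY_MD) {
  const violations = checkPeerDependencies(pkgJson, parseSecurityFloors(markdown));
  for (const v of violations) {
    console.warn(`peerDependencies.${v.name} "${v.range}" admits ${v.lowestAllowed}, ` +
      `below the documented security floor ${v.floor} (${v.cves.join(', ')})`);
  }
  return violations;
}

if (typeof require !== 'undefined' && require.main === module) runCheck();
```

On the constructed input the script warns about `next` only: `^14.0.0 || ^15.0.0` admits 14.0.0, below the placeholder floor 14.99.5, while `react` starts exactly at its floor and `react-dom` has no documented floor. Two limitations worth recording in the CI step's description: the check looks only at the lowest version a range admits, so a range whose second major line (here `^15.0.0`) still contains unpatched releases is not caught by a single floor per package, and the check reads the repository's own `package.json`, not the versions a consumer actually resolved, which is why the task also points consumers at `SECURITY.md` directly.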

Acceptance criteria:
- `SECURITY.md` exists at repo root with CVE table and minimum version guidance
- README links to SECURITY.md
- `create-content-sdk-app` output mentions checking SECURITY.md

Risks: None identified.
Source Report
reports/product-management/content-sdk/2026-04-05-content-sdk-pm.md
Report date: Apr 5, 2026