Arrai v0.336.0 Release Fixes Critical lodash CVE, Exposes 22 Remaining Security Advisories
The release of Arrai v0.336.0 patches a critical code-injection vulnerability in the project's documentation dependency tree, but the broader security audit reveals a deeper, unresolved risk. The update specifically addresses the lodash vulnerability identified as GHSA-r5fr-rjxr-66jc. Crucially, this fix only impacts build-time dependencies for documentation; the core `arrai` binary runtime remains unaffected. Alongside the security patch, the release formalizes infrastructure by committing a `targets.yaml` file as the source of truth and introduces a new `docs/audit-log.md` to track release activities, starting with this one.
Despite this targeted fix, the project's security posture remains under significant pressure. The release notes explicitly defer a major known issue: 22 other `npm audit` advisories are still active within the transitive dependency tree of Docusaurus 3.9.2, the framework powering the documentation. These unresolved vulnerabilities span several packages, including `serialize-javascript`, `picomatch`, `brace-expansion`, and `path-to-regexp`. The project's own tracking system, 🎯T5, lists "docs npm audit clean" as the sole active target, highlighting the ongoing scrutiny on this non-runtime but critical component.
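As an added example (not code from the Arrai project), the kind of triage a maintainer would run over `npm audit --json` before writing an audit-log entry like the one described above: it separates packages that carry an advisory of their own from those flagged only because they depend on one, counts findings by severity and gathers the GHSA ids. The JSON layout is assumed to follow npm v7+ output, the sample is constructed, and apart from the lodash id every identifier is a placeholder.

```python
"""Triage `npm audit --json` output: count advisories by severity, separate
packages carrying their own advisory from those flagged only because of a
vulnerable dependency, and collect GHSA ids for an audit-log entry.
Added example for this article; not code from the Arrai project."""
import json
from collections import Counter

# Constructed sample trimmed to the fields used below; the key layout is
# assumed to follow npm v7+ `npm audit --json` ("vulnerabilities" keyed by
# package, "via" holding advisory objects or bare package names). Only the
# lodash id is real (from the release notes); the other is a placeholder.
SAMPLE_AUDIT_JSON = json.dumps({"vulnerabilities": {
    "lodash": {"severity": "critical", "isDirect": False, "fixAvailable": True,
               "via": [{"name": "lodash", "severity": "critical",
                        "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc"}]},
    "serialize-javascript": {"severity": "moderate", "isDirect": False,
               "fixAvailable": False,
               "via": [{"name": "serialize-javascript", "severity": "moderate",
                        "url": "https://github.com/advisories/GHSA-PLACEHOLDER-ID"}]},
    # A bare string in "via" means: affected only through that dependency.
    "@docusaurus/core": {"severity": "critical", "isDirect": True,
               "fixAvailable": True, "via": ["lodash"]},
}})


def triage(audit_json: str) -> dict:
    """Summarise an npm audit report for release tracking."""
    vulns = json.loads(audit_json).get("vulnerabilities", {})
    by_severity = Counter()
    root_advisories, downstream_only = [], []
    for package, entry in vulns.items():
        by_severity[entry["severity"]] += 1
        # Advisory objects in "via" identify the vulnerable package itself;
        # bare strings only point at the dependency that is really affected.
        ids = sorted({v["url"].rsplit("/", 1)[-1]
                      for v in entry.get("via", []) if isinstance(v, dict)})
        if ids:
            root_advisories.append({"package": package, "advisories": ids,
                                    "direct": bool(entry.get("isDirect")),
                                    "fix_available": bool(entry.get("fixAvailable"))})
        else:
            downstream_only.append(package)
    return {"by_severity": dict(by_severity),
            "root_advisories": sorted(root_advisories, key=lambda r: r["package"]),
            "downstream_only": sorted(downstream_only)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_AUDIT_JSON), indent=2))
```

The `downstream_only` list is what lets a maintainer see that a framework package such as `@docusaurus/core` clears on its own once the root advisory (here lodash) is fixed, which is why the 22 remaining items should be tracked by root advisory rather than by every package npm lists.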
The situation underscores a common but high-stakes tension in software maintenance: securing the supply chain, even for ancillary tooling. While the runtime application is shielded, the build and documentation pipeline is still a potential attack vector that could compromise development integrity or enable a supply-chain attack. The introduction of a formal audit log suggests a move toward greater transparency and accountability in the release process, a necessary step when publicly acknowledging a backlog of known vulnerabilities. The focus now shifts to whether the team can systematically address the 22 remaining advisories before they are exploited.