I wanted to indicate that the recipe is not meant to be used with a fixed commit with a deterministic approach. 
 
Having ${AUTOREV} by default can lead to many offline issues.
 
I guess the correct implementation would be to specify, in the documentation, the need for 'SRCREV:pn-cvelistv5-native = "${AUTOREV}"' to stay up-to-date with CVE data, and also add this information in a comment inside the recipe.
 
Thank you for your feedback.