From 2ee3caac0db81fca06ed1ff8d809aa237f30cac6 Mon Sep 17 00:00:00 2001 From: SatoshiQaziMuhammed Date: Fri, 12 Jun 2026 23:39:55 -0700 Subject: [PATCH] fix(ci): audit only production deps in the deploy gate (--omit=dev) (#18) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The security-audit gate ran 'npm audit --audit-level=high' over all deps, so newly-published advisories on build-only tooling (esbuild, elliptic via vite-plugin-node-polyfills, etc.) repeatedly blocked production deploys even though that code ships to no user. Scope the gate to production dependencies with --omit=dev. Verified: 'npm audit --audit-level=high --omit=dev' → 0 vulnerabilities. TruffleHog secret scanning is unchanged. --- .github/workflows/quality-gate.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml index ca5ec547..7016bbca 100644 --- a/.github/workflows/quality-gate.yml +++ b/.github/workflows/quality-gate.yml @@ -628,11 +628,14 @@ jobs: with: node-version: '20' - - name: Web — npm audit (high + critical) + - name: Web — npm audit (high + critical, production deps only) working-directory: ./web run: | npm install - npm audit --audit-level=high + # Audit only production dependencies. Build tooling (vite, esbuild, + # vite-plugin-node-polyfills → elliptic, etc.) ships to no user, and + # advisories on those dev deps kept blocking production deploys. + npm audit --audit-level=high --omit=dev - name: TruffleHog — PR diff (verified secrets only) if: github.event_name == 'pull_request'
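Review bot: the premise in the new comment that vite-plugin-node-polyfills → elliptic "ships to no user" should be verified before this advisory is scoped out of the gate: the job of a node-polyfills plugin is to inject browser shims for Node built-ins into the client bundle, so a devDependency pulled in that way can still land in the shipped output. Please confirm the built web assets do not contain the polyfilled modules (e.g. check the production bundle for elliptic), and state that in the comment. Separately, `npm install` followed by `npm audit --omit=dev` still installs and runs the install scripts of every dev dependency on the CI runner, so excluding them from the audit removes the only visibility into that tooling; consider keeping a second, non-blocking full `npm audit --audit-level=high` step so dev-dependency advisories are still surfaced without gating the deploy, and prefer `npm ci` over `npm install` so the audited tree is exactly the lockfile.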