fix(ci): audit only production deps in the deploy gate (--omit=dev) (#18)

The security-audit gate ran 'npm audit --audit-level=high' over all deps,
so newly-published advisories on build-only tooling (esbuild, elliptic via
vite-plugin-node-polyfills, etc.) repeatedly blocked production deploys
even though that code ships to no user. Scope the gate to production
dependencies with --omit=dev. Verified: 'npm audit --audit-level=high
--omit=dev' → 0 vulnerabilities. TruffleHog secret scanning is unchanged.
2026-06-12 23:39:55 -07:00
committed by GitHub
parent 78e93e9766
commit 2ee3caac0d
+5 -2
@@ -628,11 +628,14 @@ jobs:
with: with:
node-version: '20' node-version: '20'
- name: Web — npm audit (high + critical) - name: Web — npm audit (high + critical, production deps only)
working-directory: ./web working-directory: ./web
run: | run: |
npm install npm install
npm audit --audit-level=high # Audit only production dependencies. Build tooling (vite, esbuild,
# vite-plugin-node-polyfills → elliptic, etc.) ships to no user, and
# advisories on those dev deps kept blocking production deploys.
npm audit --audit-level=high --omit=dev
- name: TruffleHog — PR diff (verified secrets only) - name: TruffleHog — PR diff (verified secrets only)
if: github.event_name == 'pull_request' if: github.event_name == 'pull_request'
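Review bot: the comment added above `npm audit --audit-level=high --omit=dev` asserts that `vite-plugin-node-polyfills → elliptic` ships to no user, but a Node polyfill plugin exists precisely to inject browser replacements for Node built-ins into the client bundle, so `elliptic` can land in the shipped output whenever the app or one of its dependencies touches `crypto`; grep the built `dist/` output for `elliptic` before treating it as dev-only, and if it is bundled, move the polyfill to `dependencies` so the gate keeps covering it. Two smaller points on the same lines: the step still runs `npm install` rather than `npm ci`, so the audited tree can drift from `package-lock.json` and differ from what actually deploys; and removing dev deps from the gate means advisories in tooling that still executes in CI, with the checkout and any job secrets in reach, now surface nowhere. Suggest keeping a second, non-blocking audit of the full tree in a step marked `continue-on-error: true` so those advisories remain visible without blocking the deploy.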