
ci: add pnpm audit step to PR workflow #199

Description

@AleF83

Problem

No security advisory check runs in CI. Known-vulnerable npm packages can be introduced via a dependency update PR or a direct package.json edit without any automated signal.

Fix

Add an audit step to .github/workflows/pr.yaml:

- name: Audit dependencies
  run: pnpm audit --audit-level=high

--audit-level=high fails the build only on HIGH or CRITICAL severity advisories, avoiding noise from low-severity items. Adjust the threshold as needed.

Note: once Dependabot is configured (see separate issue), GitHub's built-in Dependabot Security Alerts also provide advisory coverage for public repos at no extra cost.

References

Identified during linting/CI audit — see advisory session 2026-05-16.
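As an added example (not code from this issue or from the repository), the Node script below applies the same high-or-above threshold to the JSON form of the audit report and adds an explicit allow-list for advisories that have been reviewed and accepted, which the `--audit-level` flag alone cannot express. It assumes `pnpm audit --json` emits the legacy npm-audit shape (an `advisories` map keyed by advisory id with `severity`, `module_name`, `vulnerable_versions`, `patched_versions`, `findings` and `url`, plus `metadata.vulnerabilities` counts); verify those field names against your pnpm version. The sample report, advisory ids, package names and the script name `audit-gate.js` are constructed for the example.

```javascript
'use strict';

// Severity order used for the threshold. `--audit-level=high` corresponds to
// rank >= SEVERITY_RANK.high, i.e. high and critical only.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Advisories at or above `level`, minus ids on the allow-list. An advisory
// whose severity is not in the table is kept (fail closed) rather than
// silently dropped by a comparison against undefined.
function findFailingAdvisories(report, level = 'high', ignore = []) {
  const threshold = SEVERITY_RANK[level];
  if (threshold === undefined) throw new Error(`unknown audit level: ${level}`);
  const ignored = new Set(ignore.map(String));
  return Object.values(report.advisories || {})
    .filter(a => {
      const rank = SEVERITY_RANK[a.severity];
      return rank === undefined || rank >= threshold;
    })
    .filter(a => !ignored.has(String(a.id)))
    .map(a => ({
      id: a.id,
      module: a.module_name,
      severity: a.severity,
      vulnerable: a.vulnerable_versions,
      patched: a.patched_versions,
      cves: a.cves || [],
      url: a.url,
      // Every dependency path that pulls the vulnerable version in.
      paths: (a.findings || []).flatMap(f => f.paths || []),
    }));
}

// Parse raw `pnpm audit --json` text and decide the CI exit status.
// Malformed or empty input throws, so a failed audit run also fails the job.
function gateJson(text, level = 'high', ignore = []) {
  const failing = findFailingAdvisories(JSON.parse(text), level, ignore);
  return { code: failing.length === 0 ? 0 : 1, failing };
}

// Constructed sample in the assumed shape of `pnpm audit --json`; ids,
// package names, versions and URLs are invented.
const SAMPLE_REPORT = {
  advisories: {
    '1001': {
      id: 1001, module_name: 'example-lib', severity: 'high',
      vulnerable_versions: '<1.2.3', patched_versions: '>=1.2.3',
      cves: ['CVE-0000-0001'], url: 'https://example.invalid/advisories/1001',
      findings: [{ version: '1.2.0', paths: ['app>example-lib'] }],
    },
    '1002': {
      id: 1002, module_name: 'example-tool', severity: 'low',
      vulnerable_versions: '<0.9.0', patched_versions: '>=0.9.0',
      cves: [], url: 'https://example.invalid/advisories/1002',
      findings: [{ version: '0.8.1', paths: ['app>example-tool'] }],
    },
    '1003': {
      id: 1003, module_name: 'example-parser', severity: 'critical',
      vulnerable_versions: '<2.0.0', patched_versions: '>=2.0.0',
      cves: ['CVE-0000-0003'], url: 'https://example.invalid/advisories/1003',
      findings: [{ version: '1.9.0', paths: ['app>example-lib>example-parser'] }],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1 } },
};

// CLI mode, only when explicitly requested so the functions above can be
// reused by other scripts. Intended invocation from the workflow:
//   pnpm audit --json > audit.json || true
//   node audit-gate.js --stdin high 1001 < audit.json
if (process.argv.includes('--stdin')) {
  const [level = 'high', ...ignore] = process.argv.slice(2).filter(x => x !== '--stdin');
  const chunks = [];
  process.stdin.on('data', c => chunks.push(c));
  process.stdin.on('end', () => {
    const { code, failing } = gateJson(Buffer.concat(chunks).toString('utf8'), level, ignore);
    for (const f of failing) {
      console.error(`${f.severity.toUpperCase()} ${f.module} ${f.vulnerable} (fixed in ${f.patched}) ${f.url}`);
    }
    process.exit(code);
  });
}
```

Capture the report to a file first rather than piping straight into the gate: pnpm audit exits non-zero itself when it finds advisories, and without `pipefail` that status would be lost. Keep the allow-list short and reviewed, since each id on it is an accepted known-vulnerable package, and check the pnpm documentation for a built-in ignore list before maintaining one in a script.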

Labels

enhancement (New feature or request)