Problem
No security advisory check runs in CI. Known-vulnerable npm packages can be introduced via a dependency update PR or a direct package.json edit without any automated signal.
Fix
Add an audit step to .github/workflows/pr.yaml:
- name: Audit dependencies
  run: pnpm audit --audit-level=high
--audit-level=high fails the build only on HIGH or CRITICAL severity advisories, avoiding noise from low-severity items. Adjust the threshold as needed.
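For context, here is the audit step inside a complete pr.yaml job. This is an added example, not part of the issue or the repository: the job name, the checkout/pnpm/node action versions, the Node version and the install step are assumptions; only the "Audit dependencies" step is what the issue proposes.

```yaml
# Added example (not from the issue). Job name, action versions, Node version
# and the install step are assumptions; the audit step is the proposed change.
name: PR checks

on:
  pull_request:

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # pnpm has to be on PATH before "pnpm audit" can run (assumed setup action)
      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      # Install against the committed lockfile so the audit reflects exactly
      # the dependency versions the PR would merge, not a re-resolved tree
      - run: pnpm install --frozen-lockfile

      # Exits non-zero only when an advisory at HIGH or CRITICAL severity is
      # present; a non-zero exit fails the job, which fails the PR check
      - name: Audit dependencies
        run: pnpm audit --audit-level=high
```

Running the audit after a frozen-lockfile install keeps the check tied to the lockfile under review; lowering the threshold (for example to moderate) will surface more advisories at the cost of more build failures to triage.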
Note: once Dependabot is configured (see separate issue), GitHub's built-in Dependabot Security Alerts also provide advisory coverage for public repos at no extra cost.
References
Identified during linting/CI audit — see advisory session 2026-05-16.