security: wire yarn audit into CI as a failing gate #191
Reference: forgejo_admin/exifcleaner-web#191
Problem
The CI pipeline (`ci.yml`) runs lint, typecheck, vitest, and e2e but has no automated dependency vulnerability scanning. New CVEs against production dependencies (`react`, `pdf-lib`, `jszip`, `@ffmpeg/core`, `@uswriting/exiftool`) would not be caught until a developer manually runs `yarn audit`. Identified in the 2026-05-22 security audit (score 4/8 on Domain 7 — Dependencies & Supply Chain). Remediation plan item #2.
Proposed fix
Add a `yarn audit --level high` step to the `test` job in `.github/workflows/ci.yml` so any high or critical advisory in the dependency tree fails the build. This covers both production and dev dependencies. The current
`yarn audit` output shows 2 critical and 21 high findings (all in devDeps — see issue #XXX for the upgrade work), so this gate should land after those are resolved, or the step should be scoped to production deps only (`--groups dependencies`).
Alternatives
`osv-scanner` or `trivy fs .` as a CI step for broader CVE coverage beyond the npm advisory database
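The "Proposed fix" section above raises the practical problem with a plain `yarn audit --level high` gate: today's findings are all in devDependencies, so the step would fail the build before the upgrade work lands. One way to make the gate scope-aware is to parse `yarn audit --json` and decide the exit code yourself. The script below is an added example, not code from the exifcleaner-web repository or its CI; it assumes the yarn 1 (classic) NDJSON audit format (one JSON object per line, `auditAdvisory` records carrying `data.advisory.severity` and `data.resolution.dev`), and the sample input embedded in it is constructed with placeholder package names, not real advisories.

```python
"""Fail a CI job when `yarn audit --json` reports high/critical advisories.

Added example (not the project's own code). Assumes yarn 1 (classic) NDJSON
audit output: one JSON object per line, `auditAdvisory` records with
`data.advisory.severity` and `data.resolution.dev`, and an `auditSummary`.
CI usage (assumed wiring):  yarn audit --json | python3 audit_gate.py --prod-only
"""
import json
import sys
from collections import Counter

# Severity ladder used by yarn/npm audit; findings at or above FAIL_AT fail the gate.
SEVERITIES = ["info", "low", "moderate", "high", "critical"]
FAIL_AT = "high"

# Constructed sample of yarn audit --json output (placeholder names, not real advisories).
SAMPLE_AUDIT = """\
{"type":"warning","data":"constructed sample: not real yarn output"}
{"type":"auditAdvisory","data":{"resolution":{"id":1001,"path":"dev-tool-a>transitive-b","dev":true,"optional":false,"bundled":false},"advisory":{"id":1001,"module_name":"transitive-b","severity":"critical","title":"Placeholder advisory (constructed)","url":"https://example.invalid/advisories/1001","patched_versions":">=2.0.0"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1002,"path":"dev-tool-c","dev":true,"optional":false,"bundled":false},"advisory":{"id":1002,"module_name":"dev-tool-c","severity":"high","title":"Placeholder advisory (constructed)","url":"https://example.invalid/advisories/1002","patched_versions":">=1.4.1"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1003,"path":"prod-lib-x>prod-dep-y","dev":false,"optional":false,"bundled":false},"advisory":{"id":1003,"module_name":"prod-dep-y","severity":"moderate","title":"Placeholder advisory (constructed)","url":"https://example.invalid/advisories/1003","patched_versions":">=0.9.2"}}}
not-json line that a tool might print to the same stream
{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":0,"moderate":1,"high":1,"critical":1},"dependencies":40,"devDependencies":120,"optionalDependencies":0,"totalDependencies":160}}
"""


def severity_rank(severity):
    """Rank a severity string; unknown values rank above critical so the gate fails closed."""
    return SEVERITIES.index(severity) if severity in SEVERITIES else len(SEVERITIES)


def parse_advisories(lines):
    """Yield (module, severity, is_dev, path) for each auditAdvisory record in NDJSON lines."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            continue  # non-JSON noise on the same stream is skipped, not fatal
        if record.get("type") != "auditAdvisory":
            continue
        data = record["data"]
        advisory = data["advisory"]
        resolution = data.get("resolution", {})
        yield (
            advisory["module_name"],
            advisory["severity"],
            bool(resolution.get("dev")),
            resolution.get("path", ""),
        )


def gate(lines, prod_only=False, fail_at=FAIL_AT):
    """Return (exit_code, severity_counts, failing_findings).

    exit_code is 0 when nothing at or above `fail_at` is present in scope, else 1.
    With prod_only=True, advisories resolved through devDependencies are ignored
    (the equivalent of scoping the audit to `--groups dependencies`).
    """
    threshold = severity_rank(fail_at)
    counts = Counter()
    failing = []
    for module, severity, is_dev, path in parse_advisories(lines):
        if prod_only and is_dev:
            continue
        counts[severity] += 1
        if severity_rank(severity) >= threshold:
            failing.append((severity, module, path))
    return (1 if failing else 0), counts, failing


def main(argv=None):
    args = sys.argv[1:] if argv is None else argv
    prod_only = "--prod-only" in args
    # --demo runs against the constructed sample instead of stdin
    lines = SAMPLE_AUDIT.splitlines() if "--demo" in args else sys.stdin
    code, counts, failing = gate(lines, prod_only=prod_only)
    scope = "production dependencies" if prod_only else "all dependencies"
    summary = ", ".join(f"{s}={counts[s]}" for s in SEVERITIES if counts[s]) or "no findings"
    print(f"yarn audit gate ({scope}): {summary}")
    for severity, module, path in failing:
        print(f"  FAIL {severity:<8} {module}  via {path}")
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Run with `--demo` to see both behaviours on the constructed sample: without `--prod-only` the critical and high findings in dev-only paths fail the gate (exit 1), mirroring the situation the issue describes; with `--prod-only` only the moderate production finding remains and the gate passes (exit 0). Unknown severity strings are ranked above critical so a format change fails the build rather than silently passing it.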