security: wire yarn audit into CI as a failing gate #191

Closed
opened 2026-05-22 17:53:54 +00:00 by forgejo_admin · 0 comments

Problem

The CI pipeline (ci.yml) runs lint, typecheck, vitest, and e2e but has no automated dependency vulnerability scanning. New CVEs against production dependencies (react, pdf-lib, jszip, @ffmpeg/core, @uswriting/exiftool) would not be caught until a developer manually runs yarn audit.

Identified in the 2026-05-22 security audit (score 4/8 on Domain 7 — Dependencies & Supply Chain). Remediation plan item #2.

Proposed fix

Add a yarn audit --level high step to the test job in .github/workflows/ci.yml so any high or critical advisory in the dependency tree fails the build:

- name: Dependency audit
  run: yarn audit --level high

This covers both production and dev dependencies. The current yarn audit output shows 2 critical and 21 high findings (all in devDeps — see issue #XXX for the upgrade work), so this gate should land after those are resolved, or the step should be scoped to production deps only (--groups dependencies).

Alternatives

  • Enable Forgejo/GitHub Dependabot security alerts (repo settings → Security tab)
  • Add osv-scanner or trivy fs . as a CI step for broader CVE coverage beyond the npm advisory database
Reference: forgejo_admin/exifcleaner-web#191