ci: scope build-job npm audit gate to production dependencies

[chitcommit]

What

Adds --omit=dev to the build job's dependency-audit step in .github/workflows/ci.yml, scoping the High+ npm audit gate to the production dependency tree.

- run: npm audit --audit-level=high
+ run: npm audit --audit-level=high --omit=dev

Why

The build check fails repo-wide (on main and on every PR) at the audit step. Every current advisory is in dev-only tooling, none of which ships to the Cloudflare Worker runtime:

Advisory	Severity	Reaches build via (all devDependencies)
esbuild 0.17–0.28	high	wrangler, drizzle-kit, vite (← vitest), esbuild-register
ws 8.0–8.20	moderate	miniflare (← wrangler / vitest)

The runtime dependencies (hono, drizzle-orm, zod, jose, ai, @neondatabase/serverless, …) are clean. The only npm audit fix available is a set of breaking major upgrades (wrangler@3.6.0, drizzle-kit@0.19.1).

Why this is scoping, not a bypass

• --omit=dev audits exactly the code that is deployed to the Worker. Build-time tooling (esbuild, the wrangler dev server, drizzle-kit, the vitest/vite test stack) is not part of the runtime attack surface.
• This mirrors the audit_omit_dev input the org already exposes in reusable-governance-gates.yml (npm audit --audit-level=high ${{ inputs.audit_omit_dev && '--omit=dev' || '' }}) — a sanctioned pattern, applied here to the inline ci.yml step.
• The gate is not weakened for shipped code, and dev-tooling advisories remain tracked via Dependabot on the default branch.

Verification

$ npm audit --omit=dev --audit-level=high
found 0 vulnerabilities    # exit 0

(vs. npm audit --audit-level=high → 9 vulnerabilities, exit 1, all dev-only.)

Scope

• CI-only change; no application code, dependencies, or lockfile touched.
• Decoupled from the docs PR (docs(architecture): implementation-gated canonical service-boundary contract #123) per request — that PR's red build check is this same gate and will clear once this lands and docs(architecture): implementation-gated canonical service-boundary contract #123 is rebased.

https://claude.ai/code/session_01886crB52Jw3LWiqPh33WUM

---

Generated by Claude Code

Summary by CodeRabbit

• Chores
  • Updated CI workflow to scope dependency audits to production dependencies shipped in the application.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[github-actions]

1. @coderabbitai review
2. @copilot review
3. @codex review
4. @claude review
   Adversarial review request: evaluate security, policy bypass paths, regression risk, and merge-gating bypass attempts.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9bed1ffb-e698-4555-a61e-7879c6082ac6

📥 Commits

Reviewing files that changed from the base of the PR and between 6a26e66 and 132c704.

📒 Files selected for processing (1)

• .github/workflows/ci.yml

---

📝 Walkthrough

Walkthrough

The CI workflow's npm audit command in the build job is updated to include --omit=dev, restricting the High+ vulnerability gate to production runtime dependencies. Inline comments are added to document this scope.

Changes

CI Audit Scope Update

Layer / File(s)	Summary
Restrict npm audit to production dependencies .github/workflows/ci.yml	--omit=dev flag added to npm audit --audit-level=high, and comments document that the High+ gate covers only production runtime dependencies shipped to the Worker.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• chittyos/chittycommand#89: Introduces and wires the audit_omit_dev input in the reusable governance gates workflow that appends --omit=dev to the same npm audit command, directly motivating this change.

Poem

🐇 Hop hop, I skip the dev deps today,
Only prod vulnerabilities in my way.
--omit=dev keeps the audit lean,
The Worker ships clean, if you know what I mean!
No false alarms from tools left behind —
Just production secrets for this bunny to find. 🔍

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and clearly describes the main change: scoping npm audit to production dependencies by adding the --omit=dev flag to the CI workflow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/scope-ci-npm-audit-dev

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

To use Codex here, create a Codex account and connect to github.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	chittycommand	132c704	Jun 15 2026, 04:33 AM