From 132c704fe0e047eaef271ff7a69192e5941bb0e5 Mon Sep 17 00:00:00 2001 From: Claude Date: Mon, 15 Jun 2026 04:32:11 +0000 Subject: [PATCH] ci: scope build-job npm audit gate to production dependencies The build job's `npm audit --audit-level=high` fails repo-wide because all current High/Moderate advisories live in dev-only tooling (esbuild, vite, and ws via wrangler / drizzle-kit / vitest), none of which ships to the Cloudflare Worker runtime. The only available fixes are breaking major upgrades. Add `--omit=dev` so the High+ gate audits the production dependency tree that is actually deployed (verified clean: `npm audit --omit=dev --audit-level=high` => found 0 vulnerabilities). This mirrors the audit_omit_dev option already exposed by reusable-governance-gates.yml, so it scopes the gate using a sanctioned pattern rather than weakening or removing it. Dev-tooling advisories remain tracked via Dependabot on the default branch. --- .github/workflows/ci.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 57cc6a9..0b7c2a7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -73,7 +73,12 @@ jobs: - name: Install run: npm ci - name: Dependency Audit - run: npm audit --audit-level=high + # Scope the High+ gate to production dependencies shipped to the Worker + # runtime. All current High/Moderate advisories are in dev-only tooling + # (esbuild, vite, ws via wrangler / drizzle-kit / vitest) with no + # non-breaking fix; the runtime dependency tree is clean. Mirrors the + # audit_omit_dev option already exposed by reusable-governance-gates.yml. + run: npm audit --audit-level=high --omit=dev - name: Typecheck run: npx tsc -p tsconfig.json --noEmit - name: Test
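Review bot: the new `run: npm audit --audit-level=high --omit=dev` line removes CI visibility for dev-dependency advisories entirely, even though esbuild/vite/wrangler/drizzle-kit/vitest execute on the CI runner and on developer machines, so a future High or Critical advisory in that tooling (including a build-time supply-chain compromise) would no longer surface in this workflow. The commit message defers that to Dependabot on the default branch, but PR branches would carry no signal; consider keeping a second, non-blocking step alongside the gate, for example a `run: npm audit --audit-level=high` step with `continue-on-error: true`, so the full tree is still reported in the job log while only the production tree fails the build. Two smaller points on the same hunk: `--omit=dev` trusts the package.json classification, so any package that is actually bundled into the Worker but declared under devDependencies is silently skipped by the gate, which is worth a one-line check in the PR description or a comment; and the five-line YAML comment hard-codes package names and a point-in-time "the runtime dependency tree is clean" claim that will go stale, so it would be better trimmed to the durable rationale (gate scoped to production deps to mirror `audit_omit_dev` in reusable-governance-gates.yml) with the current advisory list left to the commit message.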