From d4f7194d3f5f8500407f4c5109ac78b5b1e4a94b Mon Sep 17 00:00:00 2001
From: Stockboy Steve
Date: Mon, 30 Mar 2026 18:48:20 +0000
Subject: [PATCH] feat(ci): add npm audit vulnerability check

Adds an audit job to the CI workflow that runs npm audit with --audit-level=high, failing the job on critical or high severity vulnerabilities. Runs in parallel with lint and test, and does not gate the build-and-push jobs.

Co-Authored-By: Paperclip
---
.github/workflows/ci.yml | 12 ++++++++++++
1 file changed, 12 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a23b975..c4aa766 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -47,6 +47,18 @@ jobs:
 - name: Run tests
 run: npx vitest run
 
+ audit:
+ runs-on: runners-cartsnitch
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: "20"
+ cache: npm
+ - run: npm ci
+ - name: Check for vulnerabilities
+ run: npm audit --audit-level=high
+
 build-and-push:
 runs-on: runners-cartsnitch
 needs: [lint, test]
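Review bot: The `- run: npm ci` step in the new audit job executes every dependency's install lifecycle scripts before the audit runs, although `npm audit` only needs the lockfile's dependency tree (since npm 7 it reads package-lock.json and does not require node_modules), so the job runs third-party code it never uses; `- run: npm ci --ignore-scripts`, or dropping the install step entirely, would limit the job's exposure to the lockfile itself. The `actions/checkout@v4` and `actions/setup-node@v4` references are mutable tags; if the rest of the workflow pins actions by commit SHA these steps should match, and if it does not, that is a file-wide hardening item rather than something for this commit. Because build-and-push keeps `needs: [lint, test]`, the audit job is advisory only, as the commit message says; a comment above `audit:` such as `# Advisory: fails on high/critical advisories but does not gate build-and-push` would make that intentional non-gating visible to the next reader, who may otherwise assume a red audit blocks the image.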