fix(ci): generate npm lockfile before running npm audit

pnpm projects use pnpm-lock.yaml, not package-lock.json. The previous fix switched from pnpm audit to npm audit but npm audit requires an existing lockfile. Generate one first with npm install --package-lock-only. Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 01:34:37 +00:00
parent aadb9e483c
commit 3b7d582d5e
1 changed files with 3 additions and 2 deletions
@@ -169,6 +169,7 @@ jobs:

      - name: Security audit
        run: |
-          # npm retired the audit endpoint pnpm uses. Use npm's audit for both
-          # package managers to avoid 410 errors.
+          # npm retired the pnpm audit endpoint (410). Use npm audit instead.
+          # pnpm projects don't have package-lock.json, so generate one first.
+          npm install --package-lock-only --ignore-scripts --quiet
          npm audit --omit=dev