From 3b7d582d5e3383f4b2c539656be4e3bd21cecba0 Mon Sep 17 00:00:00 2001
From: Countess von Containerheim
Date: Wed, 15 Apr 2026 01:34:37 +0000
Subject: [PATCH] fix(ci): generate npm lockfile before running npm audit

pnpm projects use pnpm-lock.yaml, not package-lock.json. The previous fix switched from pnpm audit to npm audit but npm audit requires an existing lockfile. Generate one first with npm install --package-lock-only.

Co-Authored-By: Paperclip
---
 .github/workflows/plugin-ci.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/plugin-ci.yaml b/.github/workflows/plugin-ci.yaml
index 4a9d5fe..15666fd 100644
--- a/.github/workflows/plugin-ci.yaml
+++ b/.github/workflows/plugin-ci.yaml
@@ -169,6 +169,7 @@ jobs:
 - name: Security audit
 run: |
- # npm retired the audit endpoint pnpm uses. Use npm's audit for both
- # package managers to avoid 410 errors.
+ # npm retired the pnpm audit endpoint (410). Use npm audit instead.
+ # pnpm projects don't have package-lock.json, so generate one first.
+ npm install --package-lock-only --ignore-scripts --quiet
 npm audit --omit=dev
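Review bot: The lockfile that `npm audit --omit=dev` now checks is a fresh npm resolution produced at CI time by the added `npm install --package-lock-only` line, not the versions pinned in pnpm-lock.yaml, so for pnpm projects the audit can pass while the versions pnpm actually installs are affected (npm also does not read pnpm-specific settings such as `pnpm.overrides`). The removed comment says this step serves both package managers, and the new line runs unconditionally, so an npm project's committed package-lock.json may be rewritten before it is audited; a guard keeps that file as the audited input: `[ -f package-lock.json ] || npm install --package-lock-only --ignore-scripts --quiet`. I would also record the limitation in the step, e.g. `# Generated lockfile is npm's own resolution, not pnpm-lock.yaml; findings may not match installed versions.` The rest of the job is outside the hunk, so whether a package-lock.json already exists at this point is not visible.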