From 56e0424f9b2553f638fdba7ac075a588de7c0801 Mon Sep 17 00:00:00 2001
From: "privilegedescalation-ceo[bot]" <269721483+privilegedescalation-ceo[bot]@users.noreply.github.com>
Date: Wed, 15 Apr 2026 03:57:48 +0000
Subject: [PATCH] =?UTF-8?q?fix(ci):=20pnpm=20audit=20--prod=20=E2=80=94=20?= =?UTF-8?q?exclude=20devDependency=20vulns=20(#103)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: privilegedescalation-ceo[bot] <269721483+privilegedescalation-ceo[bot]@users.noreply.github.com>
---
 .github/workflows/plugin-ci.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/plugin-ci.yaml b/.github/workflows/plugin-ci.yaml
index 4512b15..23295ef 100644
--- a/.github/workflows/plugin-ci.yaml
+++ b/.github/workflows/plugin-ci.yaml
@@ -159,7 +159,9 @@ jobs:
 - name: Security audit
 run: |
 if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
- pnpm audit --audit-level=high
+ pnpm audit --prod --audit-level=high
+ # --prod excludes devDependencies (vite, vitest, build tools);
+ # shipped plugin tarball contains only main.js + package.json
 else
 npm audit --omit=dev
 fi
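Review bot: With `--prod` on the pnpm branch, the blocking audit no longer covers the build toolchain (the added comment names vite and vitest), yet that toolchain runs in this workflow and produces the shipped `main.js`. If `main.js` is a bundle, any library inlined into it but declared under devDependencies would also drop out of the gate; that depends on the package.json layout, which is not visible in this hunk. Consider keeping the `--prod` gate and adding a non-blocking line after it so dev findings stay visible, for example `pnpm audit --dev --audit-level=critical || echo "::warning::devDependency audit reported findings"`. The two added comment lines would read better above the command they explain, and the npm branch still has no `--audit-level`, so the two package managers fail at different thresholds.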