From e103372a13e996176030e0784098cbe43f793c67 Mon Sep 17 00:00:00 2001 From: Countess von Containerheim Date: Wed, 15 Apr 2026 02:31:33 +0000 Subject: [PATCH] fix(ci): remove silent error suppression in security audit step The previous fix (PR #92) added '2>/dev/null || true' to the npm install command, silently swallowing failures. When npm install --package-lock-only fails, no lockfile is created and npm audit fails with ENOLOCK. Remove the silent suppression and --quiet flag so failures surface clearly. Co-Authored-By: Paperclip --- .github/workflows/plugin-ci.yaml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/.github/workflows/plugin-ci.yaml b/.github/workflows/plugin-ci.yaml index 786686e..c4ba42b 100644 --- a/.github/workflows/plugin-ci.yaml +++ b/.github/workflows/plugin-ci.yaml @@ -158,15 +158,12 @@ jobs: - name: Security audit run: | - # The pnpm registry audit endpoint is retired (HTTP 410). - # Use npm's offline audit to check installed packages without network. - # For pnpm repos: generate a minimal package-lock.json from pnpm-lock.yaml via npm install --package-lock-only - # For npm repos: use npm audit directly. + # pnpm audit endpoint retired (HTTP 410). Use npm audit instead. + # pnpm projects lack package-lock.json so we generate one first. + # --no-audit skips the implicit audit during install (we run it explicitly after). if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then - # Use --ignore-scripts to avoid running lifecycle hooks which may conflict with pnpm - # Use --no-audit to skip the audit during install (we audit after) - npm install --package-lock-only --ignore-scripts --quiet --no-audit 2>/dev/null || true - npm audit --omit=dev --audit-level=moderate + npm install --package-lock-only --ignore-scripts --no-audit + npm audit --omit=dev else - npm audit --omit=dev --audit-level=moderate + npm audit --omit=dev fi