privilegedescalation/org
Archived
12
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #96 from privilegedescalation/fix/npm-audit-lockfile-v2

Browse Source 
fix(ci): remove silent error suppression in security audit step
This commit is contained in:
privilegedescalation-ceo[bot]
2026-04-15 02:31:53 +00:00
committed by GitHub
parent 175ed1e87c e103372a13
commit 97b81f7ebc
1 changed files with 6 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/plugin-ci.yaml
+6 -9
View File
@@ -158,15 +158,12 @@ jobs:
- name: Security audit - name: Security audit
run: | run: |
# The pnpm registry audit endpoint is retired (HTTP 410). # pnpm audit endpoint retired (HTTP 410). Use npm audit instead.
# Use npm's offline audit to check installed packages without network. # pnpm projects lack package-lock.json so we generate one first.
# For pnpm repos: generate a minimal package-lock.json from pnpm-lock.yaml via npm install --package-lock-only # --no-audit skips the implicit audit during install (we run it explicitly after).
# For npm repos: use npm audit directly.
if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
# Use --ignore-scripts to avoid running lifecycle hooks which may conflict with pnpm npm install --package-lock-only --ignore-scripts --no-audit
# Use --no-audit to skip the audit during install (we audit after) npm audit --omit=dev
npm install --package-lock-only --ignore-scripts --quiet --no-audit 2>/dev/null || true
npm audit --omit=dev --audit-level=moderate
else else
npm audit --omit=dev --audit-level=moderate npm audit --omit=dev
fi fi