From e6eea29561faa049a20e8f134aa7e557ba6ff1ee Mon Sep 17 00:00:00 2001
From: Hugh Hackman
Date: Wed, 15 Apr 2026 03:19:17 +0000
Subject: [PATCH] fix(plugin-ci): run pnpm audit for pnpm repos

pnpm audit is available in pnpm v10+. The previous implementation skipped the security audit for pnpm repos due to a retired endpoint, which blocks all plugin releases that use pnpm.
---
 .github/workflows/plugin-ci.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/.github/workflows/plugin-ci.yaml b/.github/workflows/plugin-ci.yaml
index 7eda972..4512b15 100644
--- a/.github/workflows/plugin-ci.yaml
+++ b/.github/workflows/plugin-ci.yaml
@@ -158,11 +158,8 @@ jobs:
 - name: Security audit
 run: |
- # pnpm audit endpoint retired (HTTP 410). Use npm audit instead.
- # pnpm projects lack package-lock.json so we generate one first.
- # --no-audit skips the implicit audit during install (we run it explicitly after).
 if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
- echo "Skipping npm audit for pnpm repo (pnpm audit endpoint retired HTTP 410; lockfile generation fails with corepack)"
+ pnpm audit --audit-level=high
 else
 npm audit --omit=dev
 fi
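Review bot: The new pnpm branch enforces a different audit policy from the npm branch next to it: `pnpm audit --audit-level=high` lets low and moderate advisories pass but also audits devDependencies, while `npm audit --omit=dev` skips devDependencies and, with no `--audit-level`, fails on any advisory. If the release gate is meant to be the same for both package managers, align the two lines, for example `pnpm audit --prod --audit-level=high` alongside `npm audit --omit=dev --audit-level=high`, or drop the threshold from the pnpm line. The commit message ties this to pnpm v10+, and nothing in the hunk shows which pnpm version the runner provides; an older pnpm would presumably still hit the retired endpoint and fail the step, which is fail-closed but deserves a comment such as `# requires pnpm >= 10; older versions call the retired audit endpoint`. The rest of the job, including the `pkg-manager` step, is outside the hunk.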