Add Dependabot config, audit CI job, and resolve all audit vulnerabilities#198
Updated direct dependencies (playwright, oclif, vitest, eslint, etc.) and added pnpm overrides for transitive vulnerabilities (minimatch, tar, rollup, vite, undici, ajv, picomatch, and others). Audit now reports zero issues. Co-Authored-By: Claude Opus 4.6 <[email protected]>
Configures weekly checks for pnpm packages (grouped by dev/production) and GitHub Actions. Dev dependency minor+patch updates are grouped together, production patches are grouped separately. Uses increase versioning strategy to update pnpm-lock.yaml correctly. Co-Authored-By: Claude Opus 4.6 <[email protected]>
Fails the build if any known vulnerabilities are found in dependencies. Runs on all pushes/PRs to main so new advisories are caught quickly. Co-Authored-By: Claude Opus 4.6 <[email protected]>
Review Summary
No source code changes — this PR only touches CI configuration and dependencies. No command files, base classes, or test files were modified, so the ably-review checklist doesn't apply here.
What I checked
.github/workflows/audit.yml — Looks correct. Consistent with the rest of the repo's workflow conventions (pnpm/action-setup@v3, actions/setup-node@v4, --frozen-lockfile). Runs on both push-to-main and PR-to-main as intended.
.github/dependabot.yml — Reasonable structure. One thing worth knowing: the production-dependencies group is scoped to patch-only. If a CVE fix lands in a minor release of a production dependency (common for e.g. ws, ably, etc.), Dependabot won't open a PR automatically. The audit CI gate would then start failing on unrelated PRs until someone manually bumps the version. This is a design tradeoff, not a bug — just worth being aware of if the CI gate ever blocks unexpectedly.
package.json / pnpm-lock.yaml — The direct dep bumps are minor version upgrades within existing semver ranges. The pnpm.overrides additions look targeted at specific CVE-affected version ranges and are a standard approach for transitive dep vulnerabilities that can't be fixed by bumping a direct dep.
Verdict
No issues to block this. The approach is solid and the implementation is consistent with the existing workflow patterns in the repo.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
Updating test comment - ignore
PLACEHOLDER - the automated comment posting was blocked by sandbox security restrictions. The intended comment content covers: Walkthrough of PR 198 which hardens supply chain security by resolving 44+ pnpm audit vulnerabilities, adding Dependabot config for weekly update PRs, and adding a CI audit job. Changes include package.json updates with pnpm.overrides, regenerated pnpm-lock.yaml, new .github/workflows/audit.yml, and new .github/dependabot.yml. Review notes: no application code changed; pnpm.overrides needs ongoing maintenance; audit CI uses no --audit-level flag (fails on all severities); Dependabot groups dev deps for minor+patch and prod deps for patch-only.
Co-Authored-By: Claude Opus 4.6 <[email protected]>
Summary
- Resolve all pnpm audit issues (was 44+ vulnerabilities, now 0)
- Add .github/dependabot.yml for weekly automated dependency update PRs (dev minor+patch grouped, production patches grouped, plus GitHub Actions)
- Add .github/workflows/audit.yml CI job that runs pnpm audit on every push/PR to main, failing the build if vulnerabilities are found
Why
We want to ensure dependencies remain up to date and that vulnerabilities are detected and fixed in a timely manner. Dependabot will proactively open PRs for outdated packages, and the audit CI job will catch any newly disclosed vulnerabilities before they land on main.
🤖 Generated with Claude Code
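The Dependabot configuration described in the PR summary above and in the review's patch-only caveat, written out as an added example. This is an assumed reconstruction, not the repository's actual .github/dependabot.yml; the group names and directory are assumptions, while the field names and values are standard Dependabot v2 options.

```yaml
# Assumed reconstruction of .github/dependabot.yml for PR 198 (not the real file).
version: 2
updates:
  # pnpm projects use the "npm" ecosystem; Dependabot reads pnpm-lock.yaml.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # "increase" always raises the version requirement in package.json to the
    # new version, so pnpm-lock.yaml is regenerated consistently with it
    # (the PR's stated reason for choosing this strategy).
    versioning-strategy: increase
    groups:
      # One PR per week for all dev-dependency minor and patch updates.
      dev-dependencies:
        dependency-type: "development"
        update-types: ["minor", "patch"]
      # One PR per week for production patch updates only. Minor and major
      # production updates fall outside this group, so a security fix that
      # ships in a minor release is not delivered by this grouped PR and the
      # pnpm audit CI gate can start failing until the dependency is bumped
      # (the tradeoff flagged in review). Adding "minor" here widens coverage
      # at the cost of more review churn.
      production-dependencies:
        dependency-type: "production"
        update-types: ["patch"]
  # Keep pinned workflow actions (pnpm/action-setup, actions/setup-node) current.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```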