Commit b59ed4c
chore(ci): npm audit gate on production deps + engines.node pin (#99)
Two small package-quality improvements:
1. **`npm run audit`** runs `npm audit --audit-level=high --omit=dev`,
gating the build on any high-or-critical advisory affecting
production dependencies. Dev tools (eslint, vitest, supertest) are
excluded so a fast-moving advisory there doesn't block shipping;
the production path is what we care about for deployment risk.
GH Actions + Woodpecker both run the new step between lint and
the test matrix.
2. **`engines.node`** in package.json pins the minimum supported
Node version (>=20.0.0). Matches the CI matrix and the Docker
base image. Older Node will see an npm WARN at install time
rather than mysterious runtime failures.
Current state: 0 vulnerabilities. The new step locks in that
baseline; any future dependency drift triggers a CI failure
operators can investigate before the bad version reaches prod.
Tests: full suite 479 pass / 4 skip — unchanged.
Co-authored-by: Aaron K. Clark <akclark@thenetwerk.net>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 3003838 commit b59ed4c
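The two checks the commit message describes, as an added example that is not part of this commit or the project's code: a gate over the JSON report that `npm audit --json` emits (npm 7+ report shape), using the same severity ladder that `--audit-level=high` applies, and a minimal check of an `engines.node` range of the form `>=X.Y.Z` against a running Node version. The `--omit=dev` behaviour is not modelled here, because npm applies it by pruning dev dependencies from the tree before auditing. The report, package names and advisory below are constructed sample data, not real findings; `SAMPLE_AUDIT_JSON`, `blocking_vulnerabilities`, `audit_gate_passes` and `node_satisfies_engines` are names chosen for this example.

```python
"""Added example (not the commit's or project's own code): mirror the
semantics of `npm audit --audit-level=<level>` over an `npm audit --json`
report, and check a single `>=X.Y.Z` engines.node constraint."""
import json

# npm's severity ladder, lowest to highest. With --audit-level=<level>,
# npm audit exits non-zero when any advisory at or above <level> is present.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample in the shape of `npm audit --json` (npm 7+).
# Package names and the advisory are placeholders, not real findings.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "name": "example-parser",
            "severity": "high",
            "isDirect": True,
            "via": [{"title": "Placeholder advisory", "severity": "high"}],
            "range": "<2.0.0",
            "fixAvailable": True,
        },
        "example-logger": {
            "name": "example-logger",
            "severity": "moderate",
            "isDirect": False,
            "via": ["example-parser"],
            "range": "*",
            "fixAvailable": False,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 1, "critical": 0, "total": 2}},
})


def blocking_vulnerabilities(report_json, audit_level="high"):
    """Names of packages whose advisory severity is at or above audit_level."""
    report = json.loads(report_json)
    threshold = SEVERITY_ORDER.index(audit_level)
    return sorted(
        name for name, vuln in report.get("vulnerabilities", {}).items()
        if SEVERITY_ORDER.index(vuln["severity"]) >= threshold
    )


def audit_gate_passes(report_json, audit_level="high"):
    """True when nothing at or above audit_level is present (CI may proceed)."""
    return not blocking_vulnerabilities(report_json, audit_level)


def parse_version(text):
    """'v20.11.1' or '20.11.1' -> (20, 11, 1); a prerelease suffix is dropped
    and missing components are padded with zeros ('20' -> (20, 0, 0))."""
    core = text.lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def node_satisfies_engines(node_version, engines_range):
    """Minimal check for one '>=X.Y.Z' constraint, the form pinned in the
    commit. Full semver ranges (||, ^, ~, <) are out of scope and raise."""
    if not engines_range.startswith(">="):
        raise ValueError("only '>=X.Y.Z' ranges are handled in this example")
    return parse_version(node_version) >= parse_version(engines_range[2:])


if __name__ == "__main__":
    blocked = blocking_vulnerabilities(SAMPLE_AUDIT_JSON, "high")
    print("blocking at --audit-level=high:", blocked)
    print("gate passes:", audit_gate_passes(SAMPLE_AUDIT_JSON, "high"))
    print("node v20.11.1 satisfies >=20.0.0:",
          node_satisfies_engines("v20.11.1", ">=20.0.0"))
```

Run against the constructed report, the gate fails at `high` because of the high-severity `example-parser` advisory, while the moderate `example-logger` advisory alone would not block; lowering the threshold to `moderate` would make both block, which is the trade-off the commit message makes by choosing `high`.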
3 files changed
Lines changed: 8 additions & 0 deletions
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| 72 | 72 | |
| 73 | 73 | |
| 74 | 74 | |
| | 75 | + |
| | 76 | + |
| 75 | 77 | |
| 76 | 78 | |

| Original file line number | Diff line number | Diff line change |
|---|---|---|
| 36 | 36 | |
| 37 | 37 | |
| 38 | 38 | |
| | 39 | + |
| 39 | 40 | |
| 40 | 41 | |
| 41 | 42 | |
| | | |
| 61 | 62 | |
| 62 | 63 | |
| 63 | 64 | |
| | 65 | + |
| 64 | 66 | |

| Original file line number | Diff line number | Diff line change |
|---|---|---|
| 15 | 15 | |
| 16 | 16 | |
| 17 | 17 | |
| | 18 | + |
| 18 | 19 | |
| 19 | 20 | |
| 20 | 21 | |
| 21 | 22 | |
| 22 | 23 | |
| | 24 | + |
| | 25 | + |
| | 26 | + |
| 23 | 27 | |
| 24 | 28 | |
| 25 | 29 | |
0 commit comments