From 8f85273a15f5897fb0c0678be8dd6ab3e85d697b Mon Sep 17 00:00:00 2001
From: TaprootFreak <142087526+TaprootFreak@users.noreply.github.com>
Date: Thu, 15 Jan 2026 18:06:02 +0100
Subject: [PATCH] fix(ci): only report critical security vulnerabilities in PR comments (#2953)

High-severity npm audit findings (currently 61) are mostly false positives or transitive dependencies that cannot be easily fixed. Adjust the PR review bot to only comment when critical vulnerabilities are found.
---
 .github/workflows/pr-review-bot.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/pr-review-bot.yml b/.github/workflows/pr-review-bot.yml
index 67ef5d4237..f736859b79 100644
--- a/.github/workflows/pr-review-bot.yml
+++ b/.github/workflows/pr-review-bot.yml
@@ -199,9 +199,9 @@ jobs:
 comments.push(`## ❌ TypeScript: ${tscErrors} errors`);
 }
 
- // Security audit
- if (auditCritical > 0 || auditHigh > 0) {
- comments.push(`## ${auditCritical > 0 ? '❌' : '⚠️'} Security: ${auditCritical} critical, ${auditHigh} high vulnerabilities`);
+ // Security audit (only report critical vulnerabilities)
+ if (auditCritical > 0) {
+ comments.push(`## ❌ Security: ${auditCritical} critical vulnerabilities`);
 }
 
 // New TODOs
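Review bot: Dropping `auditHigh` from the condition removes the high-severity count from the PR comment entirely, so a regression above the 61 findings the commit message cites as the current baseline would no longer be visible to reviewers. A non-blocking informational line keeps that signal without the noise the commit is trying to remove, e.g. `if (auditHigh > 0) comments.push(`## ⚠️ Security: ${auditHigh} high vulnerabilities (informational, not blocking)`);` placed after the critical check. The new comment should also record why high findings are suppressed so the next maintainer does not re-add them blindly, e.g. `// Security audit: only critical findings are reported; high-severity results are mostly transitive/false positives (#2953)`. If `auditHigh` is still computed earlier in the script step, it is presumably now unused there; that code and the enclosing script block lie outside this hunk.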