
fix(ci): lockfile sync, npm audit patches, and Trivy workflow update #12

Merged
DigitalBlueprint239 merged 3 commits into main from fix/ci-lockfile-sync on May 3, 2026

Conversation

@DigitalBlueprint239 DigitalBlueprint239 (Owner) commented May 3, 2026

Summary

Consolidated CI infrastructure fix that unblocks the merge gate on main.

1. Lockfile sync (resolves EUSAGE in npm ci)

Regenerated package-lock.json against the current package.json, including the @core-elite/* workspace packages and their React Native peer-dep tree.

2. npm audit patches (resolves 4 high-severity advisories)

Once the audit job could run against a complete dep tree, four high-severity advisories surfaced. Resolved via npm audit fix (no semver-major bumps required):

Audit state after fix: 0 high / 0 critical / 9 moderate — passes the CI high+ threshold.

3. Trivy workflow update (resolves action-resolution failure)

The Trivy filesystem scan was failing in 3 seconds at action-resolution time:

Unable to resolve action `aquasecurity/trivy-action@0.24.0`,
unable to find version `0.24.0`

Bumped to aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 — pinned by commit SHA for immutability against tag-repointing supply-chain attacks, with the version recorded inline as a comment.

Test plan

  • npm audit (high+) reports success
  • Trivy filesystem scan resolves the action and runs to completion
  • Vercel preview build succeeds
  • npm ci works in a clean clone

🤖 Generated with Claude Code
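As an added example, not code from this PR or from the core-elite repository: a POSIX sh plus awk lint that enforces the pinning rule the description argues for (commit SHA rather than a tag, with the version kept in a trailing comment) across every third-party `uses:` reference in a workflow, not only the trivy-action step. The workflow text inside the script is constructed for the demonstration; the only values in it taken from the PR are the trivy-action SHA and its v0.36.0 comment, and the `format: table` / `exit-code: 1` gate the commits describe. The function names and the `.github/workflows/security.yml` path in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not code from this PR or the core-elite repository.
# Lints GitHub Actions workflow text so that every third-party `uses:`
# reference is pinned to a full 40-hex commit SHA with the version kept
# in a trailing comment, the pinning style the PR applies to
# aquasecurity/trivy-action. Plain POSIX sh + awk, runs offline.
set -u

# Constructed sample workflow (not the repository's real workflow file).
# The trivy step mirrors the PR's SHA pin and the `format: table` /
# `exit-code: 1` gate described in the commits; the other steps are
# deliberately unpinned so the checker has something to flag.
SAMPLE_WORKFLOW='
name: security
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0
        with:
          scan-type: fs
          format: table
          exit-code: 1
          severity: HIGH,CRITICAL
      - uses: aquasecurity/trivy-action@0.24.0
      - uses: ./.github/actions/local-step
'

# check_pins: reads workflow YAML on stdin, prints one line per offending
# `uses:` reference, exits 1 if anything was flagged and 0 otherwise.
# Local actions (./path) and docker:// images are out of scope and skipped.
check_pins() {
  awk '
    /^[ \t]*-?[ \t]*uses:[ \t]*/ {
      line = $0
      sub(/^[ \t]*-?[ \t]*uses:[ \t]*/, "", line)
      ref = line
      sub(/[ \t]*#.*$/, "", ref)                 # strip the trailing comment
      comment = ""
      if (match(line, /#.*$/)) comment = substr(line, RSTART)
      if (ref ~ /^\.\// || ref ~ /^docker:\/\//) next
      if (split(ref, parts, "@") != 2) {
        print "no version reference: " ref; bad = 1; next
      }
      if (length(parts[2]) != 40 || parts[2] !~ /^[0-9a-f]+$/) {
        print "not SHA-pinned (a tag or branch can be repointed): " ref; bad = 1; next
      }
      if (comment !~ /# *v?[0-9]+\.[0-9]+/) {
        print "SHA pin without a version comment: " ref; bad = 1
      }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# count_unpinned: number of flagged references in the workflow text given
# as its first argument (handy as a CI gate or in a test).
count_unpinned() {
  printf '%s\n' "$1" | check_pins | wc -l | tr -d ' '
}

# Usage: run the sample through the checker; the two unpinned steps are reported.
if ! printf '%s\n' "$SAMPLE_WORKFLOW" | check_pins; then
  echo "unpinned action references found; pin them to a commit SHA"
fi
```

To run it against a real file rather than the embedded sample, feed the workflow on stdin, for example `check_pins < .github/workflows/security.yml` (path assumed). The check deliberately treats a bare SHA without a version comment as a finding too: the comment is what lets a reviewer see at a glance which release a 40-hex pin corresponds to, which is the point of recording `# v0.36.0` inline.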

Resolves EUSAGE in `npm ci` by regenerating the lockfile to match
package.json plus the @core-elite workspace packages (field-ops,
native-ble, powersync) and their React Native peer-dep tree.

Also resolves 4 high-severity advisories surfaced once `npm audit`
could run on a complete tree (npm audit fix, no semver-major bumps):
  - next 16.2.2 -> 16.2.4 (GHSA-q4gf-8mx6-v5v3, DoS)
  - rollup 4.58.0 -> 4.60.2 (GHSA-mw96-cpmx-2vgc, path traversal)
  - vite bumped within ^6.2.0 (GHSA-p9ff-h696-f583, dev-server file read)
  - picomatch transitive >=4.0.4 (GHSA-c2c7-rcm5-vvqj, ReDoS)

Audit state after fix: 0 high / 0 critical / 9 moderate (under the
CI high+ threshold).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

The previous pin (aquasecurity/trivy-action@0.24.0) was no longer
resolvable from the GitHub Actions registry, causing the Trivy
filesystem scan to fail at action-resolution time before any scanning
could run.

Pinned to commit SHA a9c7b0f0... (tag v0.36.0) for immutability —
tag-only pins are vulnerable to tag-repointing in a supply-chain
attack on the action's repo, which matters more for security-critical
workflows than for build/test ones.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@DigitalBlueprint239 DigitalBlueprint239 changed the title fix(ci): sync package-lock.json fix(ci): lockfile sync, npm audit patches, and Trivy workflow update May 3, 2026

GitHub Code Scanning is disabled on this repo, so the previous
`format: sarif` + `upload-sarif` flow silently no-op'd — Trivy
findings caused the gate to fail with no surface details, leaving
operators unable to remediate without modifying the workflow.

Switch to `format: table` so findings print directly into the CI
log. The HIGH/CRITICAL gate is unchanged (exit-code: 1 still
blocks merge). When Code Scanning gets enabled, swap back to
SARIF + upload-sarif.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@DigitalBlueprint239 DigitalBlueprint239 merged commit 4a8634a into main May 3, 2026
5 checks passed
@DigitalBlueprint239 DigitalBlueprint239 deleted the fix/ci-lockfile-sync branch May 3, 2026 20:59