Skip to content

chore: remediate baseline audit gate#13

Open
bntvllnt wants to merge 1 commit into
mainfrom
chore/baseline-audit-gate
Open

chore: remediate baseline audit gate#13
bntvllnt wants to merge 1 commit into
mainfrom
chore/baseline-audit-gate

Conversation

@bntvllnt

Copy link
Copy Markdown
Contributor

Summary

  • Remediates baseline high/critical pnpm audit findings from origin/main with targeted dependency upgrades and overrides.
  • Adds pnpm run audit:high-critical, which parses pnpm audit --json metadata and fails CI only when high or critical counts are nonzero.
  • Updates the CI Audit job to use the metadata-based gate, leaving low/moderate advisories visible without normalizing broad ignores.

Audit policy / residual advisories

  • Before remediation, the baseline audit reported: low=6, moderate=19, high=15, critical=1.
  • After remediation, pnpm run audit:high-critical reports: low=1, moderate=4, high=0, critical=0.
  • The known low workspace-path cli advisory (GHSA-6cpc-mj5c-m9rq) remains visible but is non-blocking under the baseline high/critical policy.
  • Remaining moderate advisories are also surfaced in the audit summary and are not ignored; they are outside this narrow high/critical gate remediation.

Validation

  • pnpm install --frozen-lockfile
  • pnpm run audit:high-critical -> low=1, moderate=4, high=0, critical=0
  • pnpm run lint
  • pnpm run build
  • pnpm -F create-vllnt-app typecheck
  • pnpm test -- --project unit --reporter=verbose -> 6 files, 82 tests passed
  • pnpm -F www test:e2e:install
  • pnpm -F www test:e2e -> 4 tests passed
  • git diff --check

Notes

  • This PR is intentionally separate from fix: neutralize scaffold presets and agent aliases #12 and does not modify fix/oss-neutral-template-cleanup.
  • Root Node engine is tightened to >=22.12 to match the resolved Vite 8 engine requirement.
  • Non-fatal existing warnings observed locally: Next.js middleware convention deprecation, Playwright OS fallback, and next start standalone warning during e2e web server startup.

@bntvllnt bntvllnt left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review — 0 findings (0 blocking, 0 warn)

BLOCKING

None.

WARN

None.

VERIFIED CLEAN

  • Reviewed current head e9d3b55e75643d0b918ffc6d277ccc5809b7c7f7 against base main; PR is open, non-draft, mergeable, and the live check suite is green.
  • Reviewed every changed file: .github/workflows/ci.yml, package.json, pnpm-lock.yaml, scripts/audit-high-critical.mjs, and www/package.json.
  • The CI audit job now runs pnpm run audit:high-critical, and the parser keeps low/moderate advisories visible while failing only when metadata.vulnerabilities.high or metadata.vulnerabilities.critical is non-zero.
  • The parser fails closed when pnpm audit cannot run, emits no JSON, emits malformed JSON, or omits metadata.vulnerabilities.
  • Dependency changes are scoped to the audit baseline: Vitest/coverage/Vite, Next/next-intl, @vllnt/eslint-config, and narrow pnpm overrides for the remaining vulnerable transitive ranges. Frozen install, lint, typecheck, unit/e2e tests, build, and audit all pass locally at this head.
  • Residual advisories are still explicit in audit output: current local audit reports low=1, moderate=4, high=0, critical=0; this is not a broad ignore pattern for high/critical issues.

VALIDATION

  • GitHub checks inspected live: Audit, Lint (www), Typecheck (cli), Unit Tests, E2E Tests, and Build + Test (www) are all successful.
  • Ran locally: pnpm install --frozen-lockfile — pass.
  • Ran locally: pnpm run audit:high-critical — pass, reports low=1, moderate=4, high=0, critical=0.
  • Ran local parser branch checks with mocked pnpm audit --json: high exits 1, low/moderate-only exits 0, malformed JSON exits 1, missing metadata exits 1.
  • Ran locally: pnpm run lint — pass.
  • Ran locally: pnpm run typecheck — pass.
  • Ran locally: pnpm run test — pass, 148 tests passed.
  • Ran locally: pnpm run build — pass.

Manual approval recommended; final approval is reserved for bntvllnt.

@bntvllnt

Copy link
Copy Markdown
Contributor Author

Jarvis review fallback: GitHub would not accept a formal REQUEST_CHANGES review from this account on this PR, so this top-level comment is the authoritative review handoff for head e9d3b55e75643d0b918ffc6d277ccc5809b7c7f7.

Review — 1 finding (1 blocking, 0 warn)

BLOCKING

  • C1 — PR body audit counts are stale
    • Evidence: the PR body currently says the post-remediation audit and validation output is low=1, moderate=4, high=0, critical=0, but I reran the current head's gate and pnpm run audit:high-critical reports low=1, moderate=6, high=0, critical=0.
    • Why it matters: this PR is specifically the audit-gate remediation, so the residual advisory count and validation proof are part of the merge contract. The code gate is doing the right high/critical check, but the PR metadata currently understates the remaining moderate advisories.
    • Fix: update the PR body's audit policy and validation sections to match the current head output (low=1, moderate=6, high=0, critical=0) and, if useful, list/acknowledge the remaining moderate advisory classes from pnpm audit --json.

WARN

  • None.

VERIFIED CLEAN

  • Reviewed all 5 changed files: .github/workflows/ci.yml, package.json, pnpm-lock.yaml, scripts/audit-high-critical.mjs, www/package.json.
  • The CI audit job now calls the repository script instead of weakening the rest of the CI graph.
  • scripts/audit-high-critical.mjs keeps low/moderate advisories visible while failing only when metadata.vulnerabilities.high or critical is nonzero.
  • Dependency/lockfile changes are consistent with a frozen install, and Vite 8's Node engine requirement is reflected by the root >=22.12 engine.

VALIDATION

  • Head reviewed: e9d3b55e75643d0b918ffc6d277ccc5809b7c7f7.
  • Live PR preflight: OPEN, non-draft, mergeable MERGEABLE, mergeStateStatus CLEAN before review.
  • GitHub checks on this head: Audit, Lint (www), Typecheck (cli), Unit Tests, E2E Tests, and Build + Test (www) all pass.
  • Ran locally in the pinned review worktree:
    • pnpm install --frozen-lockfile -> exit 0
    • pnpm run audit:high-critical -> exit 0; output low=1, moderate=6, high=0, critical=0
    • pnpm audit --json -> metadata confirms low=1, moderate=6, high=0, critical=0
    • git diff --check origin/main...HEAD -> exit 0

Requesting changes for metadata/validation accuracy only; no code-level blocker found in the audit gate implementation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant