fix(security #17): add npm audit to CI pipeline and package scripts
Added .gitea/workflows/ci.yml which runs 'npm audit --audit-level=moderate' on every push and PR. Fails the build on any moderate or higher severity finding. Also added 'npm run audit' and 'npm run audit:fix' convenience scripts to package.json for local use.
This commit is contained in:
@@ -0,0 +1,26 @@
|
|||||||
|
name: CI
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches: ["**"]
|
||||||
|
pull_request:
|
||||||
|
branches: ["**"]
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
audit:
|
||||||
|
name: npm audit
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Set up Node.js
|
||||||
|
uses: actions/setup-node@v4
|
||||||
|
with:
|
||||||
|
node-version: "18"
|
||||||
|
cache: "npm"
|
||||||
|
|
||||||
|
- name: Install dependencies
|
||||||
|
run: npm ci
|
||||||
|
|
||||||
|
- name: Run security audit
|
||||||
|
run: npm audit --audit-level=moderate
|
||||||
+3
-1
@@ -6,7 +6,9 @@
|
|||||||
"scripts": {
|
"scripts": {
|
||||||
"dev": "nodemon server/index.js",
|
"dev": "nodemon server/index.js",
|
||||||
"start": "node server/index.js",
|
"start": "node server/index.js",
|
||||||
"install:all": "npm install"
|
"install:all": "npm install",
|
||||||
|
"audit": "npm audit --audit-level=moderate",
|
||||||
|
"audit:fix": "npm audit fix"
|
||||||
},
|
},
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"axios": "^1.6.0",
|
"axios": "^1.6.0",
|
||||||
|
|||||||
Reference in New Issue
Block a user