ci(audit): scope blocking npm-audit gate to published packages#63
Open
ucekmez wants to merge 1 commit into
Conversation
The dependency-policy gate audited examples and the test harness in the same blocking loop as the published packages, so a high-severity advisory in a demo's transitive dependency failed CI for every PR. A hono advisory in examples/node-gate-publisher recently blocked main and 8 open PRs this way, even though nothing consumers install was affected.

Published @eep-dev/* packages still gate the build (a vulnerability there ships to consumers). Examples and the test harness move to a separate, non-blocking advisory step that surfaces high-severity advisories as CI warnings without failing the run.

Signed-off-by: Ugur Cekmez <ucekmez@gmail.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Audit finding (community/contributor + supply-chain verticals): the `dependency-policy` CI gate audited examples and the test harness in the same blocking loop as published packages with `--audit-level=high`. A high-severity advisory in a demo's transitive dependency therefore failed CI for every PR.

This is not hypothetical: a `hono` advisory in `examples/node-gate-publisher` recently red-failed `main` and 8 open PRs at once, even though nothing a consumer installs was affected.
Change
- `@eep-dev/*` packages (gates, signer, validator, compliance-cli, setup-cli, middleware, discovery, mcp-bridge) — a vulnerability in one of these ships to consumers, so it should gate the build.
- `tests/` and `examples/node-gate-publisher` move to a separate `continue-on-error: true` advisory step that surfaces high-severity advisories as CI warnings without failing the run.

No coverage is lost — examples/tests are still audited, just non-blocking.
Verification
`python -c "yaml.safe_load(...)"` parses; the `dependency-policy` job on this PR exercises the new split. Part of the EEP vertical-audit follow-up (Wave 1).
🤖 Generated with Claude Code
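One way the blocking/advisory split described in the Change section can be expressed as a GitHub Actions workflow. This is an added illustration, not the PR's diff; the workflow name, the `packages/` directory layout, the Node version and the checkout/setup-node action versions are assumptions, and the package and example paths come from the PR text.

```yaml
# Added example, not the PR's own change. Assumes published packages live
# under packages/<name>; the job name matches the PR's dependency-policy gate.
name: dependency-policy

on: [pull_request, push]

jobs:
  # Blocking: a high-severity advisory in anything consumers install fails the run.
  audit-published:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        pkg: [gates, signer, validator, compliance-cli, setup-cli, middleware, discovery, mcp-bridge]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: npm audit (blocking)
        working-directory: packages/${{ matrix.pkg }}
        run: |
          npm ci --ignore-scripts
          npm audit --audit-level=high

  # Advisory: examples and the test harness are still audited with the same
  # threshold, but the step cannot fail the run. A finding is surfaced as a
  # workflow warning annotation so it stays visible on the PR checks tab.
  audit-advisory:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        dir: [tests, examples/node-gate-publisher]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: npm audit (non-blocking)
        continue-on-error: true
        working-directory: ${{ matrix.dir }}
        run: |
          npm ci --ignore-scripts
          # continue-on-error covers an install failure; the explicit warning
          # keeps the audit result from disappearing into a green check.
          if ! npm audit --audit-level=high; then
            echo "::warning title=npm audit (${{ matrix.dir }})::high-severity advisory in a non-published tree; see job log"
          fi
```

The advisory job reports the same `--audit-level=high` findings as before, so nothing is silenced; only the exit status stops propagating to the overall run.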