Barazo default frontend barazo.forum

chore(ci): add security audit job (#66)

* chore(ci): add security audit job

Add pnpm audit --audit-level=high with retry logic matching
barazo-api's implementation. Runs in parallel with other CI jobs.

* fix(ci): add minimatch override and fix security scan install

Add pnpm.overrides for minimatch>=10.2.1 to resolve high-severity
ReDoS vulnerability in dev dependencies. Security scan uses plain
pnpm install (not --frozen-lockfile) so the override can take effect
without requiring a lockfile update.

* fix(ci): update lockfile with minimatch override

Regenerate pnpm-lock.yaml with minimatch>=10.2.1 override to resolve
high-severity ReDoS vulnerability. All security scan jobs now use
--frozen-lockfile consistently.

* fix(ci): revert minimatch override, audit production deps only

The minimatch>=10.2.1 override breaks eslint-plugin-jsx-a11y which
depends on minimatch@3.x (incompatible API). Since all minimatch
vulnerabilities are in dev dependencies only, switch audit to --prod
to check production dependencies where the real security risk lies.

authored by Guido X Jansen and committed by GitHub
0f9a91a1 6913eeb4

+40
.github/workflows/ci.yml
··· 220 220 name: lighthouse-report 221 221 path: .lighthouseci/ 222 222 retention-days: 7 223 + 224 + security: 225 + name: Security Scan 226 + runs-on: ubuntu-latest 227 + steps: 228 + - name: Checkout 229 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 230 + 231 + - name: Install pnpm 232 + uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4 233 + with: 234 + version: 10 235 + 236 + - name: Setup Node.js 237 + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 238 + with: 239 + node-version: '24' 240 + cache: 'pnpm' 241 + 242 + - name: Clone and build barazo-lexicons 243 + run: | 244 + git clone --depth 1 https://github.com/barazo-forum/barazo-lexicons.git ../barazo-lexicons 245 + cd ../barazo-lexicons && pnpm install --ignore-scripts && pnpm run build 246 + 247 + - name: Install dependencies 248 + run: pnpm install --frozen-lockfile 249 + 250 + - name: Security audit with retry 251 + run: | 252 + for attempt in 1 2 3; do 253 + output=$(pnpm audit --audit-level=high --prod 2>&1) && { echo "$output"; exit 0; } 254 + if echo "$output" | grep -q "ERR_PNPM_AUDIT_BAD_RESPONSE\|ECONNREFUSED\|ETIMEDOUT\|EAI_AGAIN"; then 255 + echo "::warning::Audit registry unavailable (attempt $attempt/3), retrying in 15s..." 256 + sleep 15 257 + else 258 + echo "$output" 259 + exit 1 260 + fi 261 + done 262 + echo "::warning::Audit registry unavailable after 3 attempts, skipping"
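Review bot: the "Security audit with retry" step fails open: when the registry is unreachable on all three attempts, the loop falls through to the final `echo "::warning::..."` and the script ends with exit status 0, so the Security Scan job goes green without any audit having run. Either end the step with `exit 1` after that warning, or make the skip visible in a way that cannot be mistaken for a pass (for example by writing a job summary or step output that downstream checks can read) rather than silently succeeding. A second point in the same step list: the actions are pinned to full commit SHAs, but `git clone --depth 1 https://github.com/barazo-forum/barazo-lexicons.git` pulls whatever is currently on that repository's default branch and then runs `pnpm install --ignore-scripts && pnpm run build` on it; consider pinning the lexicons checkout to a tag or commit (or consuming a published package) so the security job itself does not depend on an unpinned upstream build step.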