ci: audit dependencies on every PR + bump happy-dom past RCE CVE#28
Merged
Adds an `npm audit --audit-level=high` step after the test run. It fails the build if any package in our graph has a known high or critical vulnerability (GitHub Advisory). Cheap, generic supply-chain guardrail — no list to maintain on our side.

Running the audit immediately exposed a critical CVE in our existing happy-dom range (^15.11.7 — VM Context Escape leading to RCE, GHSA-37j7-fg3j-429f). Bumped to ^20.9.0 which carries the fix. Local `npm run ci` is green on 96/96 tests with the new happy-dom; the API surface we use (createElement, KeyboardEvent, document.title, document.head.innerHTML) is unchanged across the major.

Six moderate vulnerabilities remain in the vite/vitest chain — those sit below the high threshold and don't fail the audit. We can revisit if they get re-classified.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
BartM82 approved these changes on May 15, 2026
Summary

Adds an `npm audit --audit-level=high` step to the CI and bumps `happy-dom`, which carried a critical CVE.

What changes

1. Audit step in `.github/workflows/ci.yml`

Fails the CI if a high or critical vulnerability is known in the dependency tree (GitHub Advisory database queried on every run). A wide, self-maintaining net; nothing to maintain on the repo side.

2. Bump `happy-dom` ^15.11.7 → ^20.9.0

The audit immediately raised a critical CVE on `happy-dom <= 20.8.8` (GHSA-37j7-fg3j-429f — VM Context Escape → RCE) as well as two other moderate GHSAs on the same range. Bumped to `^20.9.0`, which fixes them. `happy-dom` is only used by the Vitest tests. The surface we consume (`createElement`, `KeyboardEvent`, `document.title`, `document.head.innerHTML`, `getComputedStyle`, `URL`) has not changed across the major.

Tests

- `npm install` → OK
- `npm audit --audit-level=high` → exit 0 (the residual vulnerabilities are moderate, below the threshold)
- `npm run ci` → clean lint + 96/96 tests pass with happy-dom 20

Remaining vulnerabilities

6 moderate in the `vite-node` → `vite` chain (test tooling only, not in shipped code). Below the `high` threshold, the audit lets them through. To revisit if their severity rises.

🤖 Generated with Claude Code
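To make the gating rule behind the new CI step concrete, here is an added example, not code from this PR or its repository. It applies the `--audit-level` threshold to a constructed report in the shape that `npm audit --json` emits (report version 2, a `vulnerabilities` map keyed by package name), and then models the bump by dropping the `happy-dom` entry. The `happy-dom` entry mirrors the advisory cited above; the `vite` and `vite-node` entries, their ranges and the placeholder advisory URL are constructed for illustration.

```javascript
// Added example: how `npm audit --audit-level=<level>` decides pass/fail.
// The report below is constructed in the shape of `npm audit --json`
// (auditReportVersion 2); it is not real audit output from this repo.

// npm's severity ladder, lowest to highest; --audit-level names one rung.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    // Mirrors the advisory cited in the PR (package, severity, range, GHSA id).
    'happy-dom': {
      name: 'happy-dom',
      severity: 'critical',
      isDirect: true,
      via: [{
        title: 'VM Context Escape leading to RCE',
        url: 'https://github.com/advisories/GHSA-37j7-fg3j-429f',
        severity: 'critical',
        range: '<=20.8.8',
      }],
      range: '<=20.8.8',
      fixAvailable: true,
    },
    // Constructed moderate entries standing in for the vite-node -> vite chain.
    vite: {
      name: 'vite',
      severity: 'moderate',
      isDirect: false,
      via: [{
        title: 'constructed moderate advisory',
        url: 'https://github.com/advisories/GHSA-PLACEHOLDER',
        severity: 'moderate',
        range: '(constructed)',
      }],
      range: '(constructed)',
      fixAvailable: true,
    },
    'vite-node': {
      name: 'vite-node',
      severity: 'moderate',
      isDirect: false,
      via: ['vite'], // a string in `via` means "vulnerable only through vite"
      range: '(constructed)',
      fixAvailable: true,
    },
  },
};

// Packages whose severity is at or above `level`: exactly the set that makes
// `npm audit --audit-level=<level>` exit non-zero.
function findingsAtOrAbove(report, level) {
  const threshold = SEVERITY_ORDER.indexOf(level);
  if (threshold < 0) throw new Error(`unknown audit level: ${level}`);
  return Object.values(report.vulnerabilities)
    .filter((v) => SEVERITY_ORDER.indexOf(v.severity) >= threshold)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      range: v.range,
      direct: v.isDirect,
      // Only object entries in `via` carry an advisory; strings just name
      // the package the vulnerability is inherited from.
      advisories: v.via.filter((a) => typeof a === 'object').map((a) => a.url),
    }));
}

// Exit status the CI step would see for this report at this level.
function auditExitCode(report, level) {
  return findingsAtOrAbove(report, level).length > 0 ? 1 : 0;
}

// Model the bump: the fixed happy-dom version drops out of the report while
// the moderate vite findings stay.
function withoutPackage(report, name) {
  const rest = Object.fromEntries(
    Object.entries(report.vulnerabilities).filter(([pkg]) => pkg !== name),
  );
  return { ...report, vulnerabilities: rest };
}

const reportAfterBump = withoutPackage(sampleReport, 'happy-dom');

for (const [label, report] of [['before bump', sampleReport], ['after bump', reportAfterBump]]) {
  for (const level of ['moderate', 'high']) {
    const names = findingsAtOrAbove(report, level).map((f) => `${f.name}(${f.severity})`);
    console.log(`${label}, --audit-level=${level}: exit ${auditExitCode(report, level)} [${names.join(', ')}]`);
  }
}
```

Run with `node` and the four printed lines show the two states the PR describes: before the bump the `high` bar fails on `happy-dom` alone, after it the `high` bar passes while a `moderate` bar would still fail on the vite chain, which is why those findings stay visible in the audit output without breaking the build.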