
ci: allowlist triaged no-fix npm audit advisories#72

Merged: goetchstone merged 1 commit into main from chore/npm-audit-gate, Jun 19, 2026

Conversation

@goetchstone (Owner)

What

The Dependency audit (npm) check was failing on every PR: a cluster of nodemailer advisories (one high) has no fix available (next-auth's @auth/core peer-dep pins nodemailer to 7), so npm audit --audit-level=high left the gate permanently red.

This routes npm audit --json --omit=dev through scripts/audit-check.mjs, which fails on any high/critical advisory except a small, documented allowlist of triaged GHSAs. A genuinely new high/critical still breaks the build.

Triage — why these are accepted

All 6 nodemailer advisories are unreachable given server/email/index.ts: sendEmail() accepts only the EmailPayload allowlist (from/to/subject/html/text/replyTo) and the transport sets only host/port/secure/auth{user,pass}. So the code never sets envelope, transport name, List-* headers, raw, jsonTransport, or OAuth2 auth — the vulnerable paths.

  • nodemailer: GHSA-c7w3-x93f-qmm8, GHSA-vvjj-xcjg-gr5g, GHSA-268h-hp4c-crq3, GHSA-wqvq-jvpq-h66f, GHSA-r7g4-qg5f-qqm2, GHSA-p6gq-j5cr-w38f
  • postcss (moderate, transitive via Next): GHSA-qx2v-qp2m-jg93

Documented in CLAUDE.md (Known Issues) and docs/DECISIONS.md. The allowlist must shrink as fixes land — revisit when next-auth 5 supports nodemailer 8+.

Verified

node scripts/audit-check.mjs exits 0 on the current audit (all blocking advisories allowlisted) and exits 1 on a crafted new high — so the gate still catches real regressions.

🤖 Generated with Claude Code

next-auth pins nodemailer 7 (no fix), so --audit-level=high left the
gate permanently red. Run npm audit through scripts/audit-check.mjs,
which allowlists the triaged-unreachable GHSAs but still fails on any
new high/critical.
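The gate the PR describes, as an added example that is not the repository's scripts/audit-check.mjs: it walks the `vulnerabilities` object of `npm audit --json` (npm 7+ report shape, assumed here), lets through high/critical advisories whose GHSA id is on the triaged allowlist, and fails on anything else. The audit report below is constructed, not a real run.

```javascript
// Triaged allowlist from the PR: nodemailer advisories judged unreachable
// from server/email/index.ts. The postcss advisory is moderate and never
// blocks, so it needs no entry here.
const ALLOWLIST = new Set([
  "GHSA-c7w3-x93f-qmm8", "GHSA-vvjj-xcjg-gr5g", "GHSA-268h-hp4c-crq3",
  "GHSA-wqvq-jvpq-h66f", "GHSA-r7g4-qg5f-qqm2", "GHSA-p6gq-j5cr-w38f",
]);
const BLOCKING = new Set(["high", "critical"]);

// Pull the GHSA id out of an advisory URL like
// https://github.com/advisories/GHSA-xxxx-xxxx-xxxx (null if absent).
function ghsaFromUrl(url) {
  const m = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/i.exec(url ?? "");
  return m ? m[0] : null;
}

// Return the advisories that must fail the gate: high/critical `via` entries
// whose GHSA is not allowlisted. String entries in `via` are transitive
// references to another package's advisories; that package is listed on its
// own, so they are skipped to avoid double counting.
function blockingAdvisories(report, allowlist = ALLOWLIST) {
  const out = [];
  for (const [pkg, vuln] of Object.entries(report.vulnerabilities ?? {})) {
    for (const via of vuln.via ?? []) {
      if (typeof via !== "object" || via === null) continue;
      if (!BLOCKING.has(via.severity)) continue;
      const ghsa = ghsaFromUrl(via.url);
      if (ghsa && allowlist.has(ghsa)) continue;
      out.push({ pkg, ghsa: ghsa ?? "(no GHSA id)", severity: via.severity });
    }
  }
  return out;
}

// Exit status the CI step would use: 0 when every blocking advisory is
// allowlisted, 1 when a new high/critical shows up.
function exitCodeFor(report) {
  return blockingAdvisories(report).length === 0 ? 0 : 1;
}

// Constructed sample in the npm audit --json shape: one allowlisted high on
// nodemailer, one moderate, and @auth/core flagged transitively via nodemailer.
const SAMPLE_REPORT = {
  vulnerabilities: {
    nodemailer: { severity: "high", via: [
      { severity: "high", url: "https://github.com/advisories/GHSA-c7w3-x93f-qmm8" },
      { severity: "moderate", url: "https://github.com/advisories/GHSA-vvjj-xcjg-gr5g" },
    ] },
    "@auth/core": { severity: "high", via: ["nodemailer"] },
  },
};
```

In CI the report would come from `npm audit --json --omit=dev` on stdin and `process.exit(exitCodeFor(JSON.parse(input)))` would end the step.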
@goetchstone goetchstone merged commit 6e5f764 into main Jun 19, 2026
8 checks passed
@goetchstone goetchstone deleted the chore/npm-audit-gate branch June 19, 2026 20:20