From 0297576b0e214b464a1dc2111ac8e58e13d0b5dc Mon Sep 17 00:00:00 2001
From: Test User
Date: Wed, 15 Apr 2026 21:16:26 +0000
Subject: [PATCH] fix(plugin-ci): use audit-ci for security audits

Replace pnpm audit and npm audit with audit-ci, which supports the new npm bulk advisory endpoint (/-/npm/v1/security/advisories/bulk). The old audit endpoints return HTTP 410 Gone.

Fixes: PRI-151
Co-authored-by: Hugh Hackman
---
 .github/workflows/plugin-ci.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/plugin-ci.yaml b/.github/workflows/plugin-ci.yaml
index 495321e..6f2a151 100644
--- a/.github/workflows/plugin-ci.yaml
+++ b/.github/workflows/plugin-ci.yaml
@@ -158,9 +158,8 @@ jobs:
 - name: Security audit
 run: |
- # pnpm audit endpoint retired (HTTP 410) - skip for pnpm repos
 if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
- echo "Skipping security audit for pnpm repo (pnpm audit endpoint retired)"
+ npx audit-ci --pnpm --audit-level=high
 else
- npm audit --omit=dev
+ npx audit-ci --npm --audit-level=high
 fi
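Review bot: Both added `npx audit-ci` lines run an unpinned package, so each CI run downloads and executes whatever version is current on the registry; adding audit-ci to devDependencies so the lockfile fixes it, or writing `npx audit-ci@<pinned-version> ...`, keeps the security gate reproducible. The flags should also be checked against that pinned version's `--help`: as far as I know audit-ci's documented options are `--package-manager pnpm` / `--package-manager npm`, `--high` and `--skip-dev` rather than `--pnpm`, `--npm` and `--audit-level=high`, and if unrecognised flags are ignored the step could pass without enforcing any severity threshold. The npm branch also changes policy compared with the removed `npm audit --omit=dev`: it would now fail only on high or critical findings instead of any finding, and it no longer leaves out dev dependencies, which should be stated in the commit message if intended. The step belongs to a job that starts outside the hunk, so the `pkg-manager` step it reads from is not visible here.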