From a82754d8b02cd92cb8c65d4f2fca6125d411e4d4 Mon Sep 17 00:00:00 2001
From: "Aaron K. Clark"
Date: Mon, 18 May 2026 00:58:00 -0500
Subject: [PATCH] chore(ci): npm audit gate on production deps + engines.node pin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two small package-quality improvements:

1. **`npm run audit`** runs `npm audit --audit-level=high --omit=dev`, gating the build on any high-or-critical advisory affecting production dependencies. Dev tools (eslint, vitest, supertest) are excluded so a fast-moving advisory there doesn't block shipping; the production path is what we care about for deployment risk. GH Actions + Woodpecker both run the new step between lint and the test matrix.

2. **`engines.node`** in package.json pins the minimum supported Node version (>=20.0.0). Matches the CI matrix and the Docker base image. Older Node will see an npm WARN at install time rather than mysterious runtime failures.

Current state: 0 vulnerabilities. The new step locks in that baseline; any future dependency drift triggers a CI failure operators can investigate before the bad version reaches prod.

Tests: full suite 479 pass / 4 skip — unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/test.yml | 2 ++
 .woodpecker.yml | 2 ++
 package.json | 4 ++++
 3 files changed, 8 insertions(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 0bb0dbf..4ca78d5 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -72,5 +72,7 @@ jobs:
 run: npm run migrate
 - name: Lint
 run: npm run lint
+ - name: npm audit (production deps, high+)
+ run: npm run audit
 - name: Run vitest (unit + api + integration)
 run: npm test
diff --git a/.woodpecker.yml b/.woodpecker.yml
index 4c7df60..ee83b4f 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -36,6 +36,7 @@ steps:
 - npm ci
 - npm run migrate
 - npm run lint
+ - npm run audit
 - npm test
 test-node-22:
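Review bot: The audit step is added inside the same job as the vitest step (the hunk's context shows `- name: Run vitest (unit + api + integration)` two lines below it), so if this is the matrix job the audit runs once per Node version even though its result depends only on the lockfile, not on the runtime. Running it in its own job, or once before the matrix fans out, would avoid the redundant registry calls and surface the audit as a distinct check on the pull request. Note that a transient failure of the registry's advisory endpoint fails this step exactly like a real finding would, so the descriptive step name is worth keeping as the only cue in the log. The enclosing job definition starts above the hunk.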
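Review bot: `- npm run audit` is inserted into two Woodpecker steps here and in the `@@ -61,4 +62,5 @@` hunk of the same file, which from the neighbouring `test-node-22:` name appear to be per-Node-version test steps; the audit outcome depends only on `package-lock.json`, so the second run is a duplicate that doubles the exposure to a transient registry failure blocking the pipeline. A single dedicated step (for example `audit:` running `- npm ci` and `- npm run audit`) that the test steps wait on would gate the same advisories once. Both enclosing step definitions start outside their hunks.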
@@ -61,4 +62,5 @@ steps:
 - npm ci
 - npm run migrate
 - npm run lint
+ - npm run audit
 - npm test
diff --git a/package.json b/package.json
index 326552d..d162b7f 100644
--- a/package.json
+++ b/package.json
@@ -15,11 +15,15 @@
 "test:watch": "vitest",
 "lint": "eslint app/ server.js tests/",
 "lint:fix": "eslint --fix app/ server.js tests/",
+ "audit": "npm audit --audit-level=high --omit=dev",
 "migrate": "sequelize-cli db:migrate",
 "migrate:undo": "sequelize-cli db:migrate:undo",
 "migrate:status": "sequelize-cli db:migrate:status",
 "migrate:generate": "sequelize-cli migration:generate --name"
 },
+ "engines": {
+ "node": ">=20.0.0"
+ },
 "author": "https://github.com/CryptoJones",
 "license": "Apache-2.0",
 "dependencies": {
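Review bot: The new `"node": ">=20.0.0"` range is advisory only: npm prints a WARN and proceeds unless `engine-strict=true` is set in the project's `.npmrc`, so an install on an older Node still succeeds and the `engines` block by itself does not produce the early failure the commit message implies. If a hard stop is intended, add `engine-strict=true` to `.npmrc`; otherwise the description should say the check is a warning. For the `"audit"` script, a high-severity advisory in a production dependency that has no fixed release upstream will block every pipeline run until someone overrides the gate, and nothing in the change documents that path — a short note next to the script (or a documented `--audit-level` override procedure) would spare the on-call engineer a guess. The `scripts` object this hunk edits starts outside the hunk.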