🐛 Fixed dependency-inspector to use pnpm instead of yarn

[9larsons]

Summary

• Switched displayAuditSummary() from yarn audit to pnpm audit and updated the JSON parsing — pnpm returns a single object with metadata.vulnerabilities instead of yarn's newline-delimited JSON
• Fixed parsePnpmOutdatedOutput() to use info.wanted instead of info.current, which pnpm's outdated --json does not include

These were missed during the pnpm migration in #27017.

[coderabbitai]

Walkthrough

The .github/scripts/dependency-inspector.js file was updated to support pnpm package manager operations. The parsePnpmOutdatedOutput function was modified to handle pnpm's outdated --json output format, which lacks a current field and instead returns tuple entries containing name, wanted, and latest version information. The displayAuditSummary function was changed to invoke pnpm audit --json instead of yarn audit --json, parsing the entire output as a single JSON document rather than processing line-by-line results. Vulnerability count extraction now reads from data.metadata.vulnerabilities and total dependencies from data.metadata.totalDependencies. Error handling was added for empty or unparseable output.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly identifies the main change: fixing dependency-inspector to use pnpm instead of yarn, which aligns with the core changes in the changeset.
Description check	✅ Passed	The description is directly related to the changeset, explaining the two key fixes: switching to pnpm audit and correcting the field mapping in parsePnpmOutdatedOutput.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-dependency-inspector-pnpm

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

🧹 Nitpick comments (1)

.github/scripts/dependency-inspector.js (1)

661-673: Harden vulnerability math against partial metadata.

On Line 663, missing keys can produce NaN totals. Default each bucket to 0 before summing.

Proposed hardening diff

       if (data.metadata && data.metadata.vulnerabilities) {
         const v = data.metadata.vulnerabilities;
-        const total = v.info + v.low + v.moderate + v.high + v.critical;
+        const info = Number(v.info ?? 0);
+        const low = Number(v.low ?? 0);
+        const moderate = Number(v.moderate ?? 0);
+        const high = Number(v.high ?? 0);
+        const critical = Number(v.critical ?? 0);
+        const total = info + low + moderate + high + critical;
         console.log(`   Total vulnerabilities: ${total}`);
-        console.log(`   🔴 Critical: ${v.critical}`);
-        console.log(`   🟠 High:     ${v.high}`);
-        console.log(`   🟡 Moderate: ${v.moderate}`);
-        console.log(`   🟢 Low:      ${v.low}`);
-        if (v.info > 0) {
-          console.log(`   ℹ️  Info:     ${v.info}`);
+        console.log(`   🔴 Critical: ${critical}`);
+        console.log(`   🟠 High:     ${high}`);
+        console.log(`   🟡 Moderate: ${moderate}`);
+        console.log(`   🟢 Low:      ${low}`);
+        if (info > 0) {
+          console.log(`   ℹ️  Info:     ${info}`);
         }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/scripts/dependency-inspector.js around lines 661 - 673, The
vulnerability math can produce NaN when some buckets are missing; in the block
using data.metadata.vulnerabilities (variable v and total), default each
vulnerability bucket to 0 before summing and before printing. Locate the
declaration "const v = data.metadata.vulnerabilities" and replace usage with a
version that extracts or normalizes each bucket (critical, high, moderate, low,
info) to a numeric default (e.g., via destructuring with =0 or Number(...)||0),
compute total from those normalized values, and use those normalized variables
in the console.log lines so missing keys do not produce NaN.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/scripts/dependency-inspector.js:
- Around line 661-673: The vulnerability math can produce NaN when some buckets
are missing; in the block using data.metadata.vulnerabilities (variable v and
total), default each vulnerability bucket to 0 before summing and before
printing. Locate the declaration "const v = data.metadata.vulnerabilities" and
replace usage with a version that extracts or normalizes each bucket (critical,
high, moderate, low, info) to a numeric default (e.g., via destructuring with =0
or Number(...)||0), compute total from those normalized values, and use those
normalized variables in the console.log lines so missing keys do not produce
NaN.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9741d4c0-3a16-47c2-bd7c-8532099dad91

📥 Commits

Reviewing files that changed from the base of the PR and between 17b5b5a and 0e7861b.

📒 Files selected for processing (1)

• .github/scripts/dependency-inspector.js

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.46%. Comparing base (17b5b5a) to head (0e7861b).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #27342   +/-   ##
=======================================
  Coverage   73.46%   73.46%           
=======================================
  Files        1545     1545           
  Lines      123724   123724           
  Branches    14970    14971    +1     
=======================================
  Hits        90893    90893           
- Misses      31808    31829   +21     
+ Partials     1023     1002   -21     

Flag	Coverage Δ
admin-tests	54.36% <ø> (ø)
e2e-tests	73.46% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.