@jamesbhobbs jamesbhobbs commented Oct 9, 2025

Summary

Adds two new GitHub Actions jobs to the CI workflow for npm security auditing:

  • Audit - Production: Runs npm audit --production to check production dependencies only
  • Audit - All: Runs npm audit to check all dependencies

This follows the pattern established in deepnote/deepnote#36. The "Audit - Production" job will become a required status check via a separate terraform update.

Changes

  • Added audit-prod job using npm audit --production
  • Added audit-all job using npm audit
  • Both jobs follow existing CI patterns (15min timeout, same Node.js setup)
  • Dependencies installed with npm ci --prefer-offline --no-audit

Review Checklist

Critical items to verify:

  • npm audit --production correctly filters to production dependencies only
  • npm ci --prefer-offline --no-audit doesn't interfere with audit commands
  • Job names match exactly what will be required in terraform config
  • Timeout of 15 minutes is appropriate for audit operations

Context:

  • Part of security audit rollout across multiple Deepnote repositories
  • Production audit will become required status check after terraform update
  • Pattern matches deepnote/deepnote implementation

Link to Devin run: https://app.devin.ai/sessions/1494020fb75d493c8b35d32b2f17aea9
Requested by: @jamesbhobbs

Summary by CodeRabbit

  • Chores
    • Added automated dependency security audits to CI with separate jobs for production-only and full dependency sets.
    • Improves early detection of vulnerabilities and strengthens release reliability by running targeted and comprehensive audits during CI.
    • No changes to user-facing features or runtime behavior.

- Add 'Audit - Production' job for production dependencies
- Add 'Audit - All' job for all dependencies
- Follow existing CI job pattern with 15-minute timeout
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

@coderabbitai

coderabbitai bot commented Oct 9, 2025

📝 Walkthrough

Adds two GitHub Actions CI jobs to .github/workflows/ci.yml: audit-prod and audit-all. Both checkout the repo, configure Node with a shared NODE_VERSION and npm cache, authenticate using the GitHub token and registry/scope settings, install dependencies via npm ci --prefer-offline --no-audit, then run npm audit --production (audit-prod) or npm audit (audit-all). No exported or public code entities were changed.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub
  participant Runner as Actions Runner
  participant Registry as npm Registry

  Dev->>GH: Push / Open PR
  GH->>Runner: Trigger CI workflow
  par audit-prod
    Runner->>Runner: actions/checkout
    Runner->>Runner: setup-node (NODE_VERSION, npm cache)
    Runner->>Registry: npm ci --prefer-offline --no-audit
    Runner->>Runner: npm audit --production
    alt vulnerabilities
      Runner-->>GH: Fail/report vulnerabilities
    else no vulnerabilities
      Runner-->>GH: Success
    end
  and audit-all
    Runner->>Runner: actions/checkout
    Runner->>Runner: setup-node (NODE_VERSION, npm cache)
    Runner->>Registry: npm ci --prefer-offline --no-audit
    Runner->>Runner: npm audit
    alt vulnerabilities
      Runner-->>GH: Fail/report vulnerabilities
    else no vulnerabilities
      Runner-->>GH: Success
    end
  end

Suggested reviewers

  • Artmann
  • andyjakubowski
  • saltenasl

Pre-merge checks

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check: ✅ Passed. The title uses a conventional commit prefix and clearly states the addition of npm audit checks to the CI workflow, which is the primary change in this pull request. It is concise and omits unnecessary details while accurately reflecting the feature being introduced.
  • Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b9efe4d and b8a2af8.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (1 hunks)

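The two jobs the PR description and the walkthrough lay out, written as a GitHub Actions workflow fragment. This is an added example, not the repository's own .github/workflows/ci.yml: the runner image, Node version, action versions, registry URL and scope are assumptions, since the page does not show them.

```yaml
# Added example, not the repository's own .github/workflows/ci.yml.
# Runner image, Node version, action versions, registry URL and scope are assumed.
on:
  pull_request:
  push:
    branches: [main]

env:
  NODE_VERSION: "20"   # assumed; the page only says a shared NODE_VERSION is used

jobs:
  audit-prod:
    name: Audit - Production   # must equal the job name required in the terraform config
    runs-on: ubuntu-latest     # assumed
    timeout-minutes: 15
    env:
      NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # token setup-node's .npmrc reads
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: npm
          registry-url: https://npm.pkg.github.com   # assumed registry
          scope: "@deepnote"                          # assumed scope
      # --no-audit stops npm ci from running its own audit, so the dedicated
      # step below is the only audit and its exit status alone decides the job.
      - run: npm ci --prefer-offline --no-audit
      # npm audit exits non-zero whenever it finds an advisory, which fails
      # the job. --production is a deprecated alias of --omit=dev on npm 8+.
      - run: npm audit --production

  audit-all:
    name: Audit - All
    runs-on: ubuntu-latest
    timeout-minutes: 15
    env:
      NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: npm
          registry-url: https://npm.pkg.github.com
          scope: "@deepnote"
      - run: npm ci --prefer-offline --no-audit
      - run: npm audit   # dev dependencies included
```

Because "Audit - Production" is to become a required status check, a single low-severity advisory in a production dependency blocks merging until it is fixed; npm's `--audit-level` flag can raise the severity at which the command fails if that is too strict.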

@jamesbhobbs jamesbhobbs marked this pull request as ready for review October 9, 2025 17:15

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8f22894 and b9efe4d.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build & Test

@jamesbhobbs jamesbhobbs enabled auto-merge (squash) October 10, 2025 10:08
@jamesbhobbs jamesbhobbs disabled auto-merge October 10, 2025 11:51
@jamesbhobbs jamesbhobbs merged commit 3a973eb into main Oct 10, 2025
7 checks passed
@jamesbhobbs jamesbhobbs deleted the devin/1760029877-add-audit-checks branch October 10, 2025 11:52