Conversation
…dependency
- add audit-level input to job-security.yml
- integrate security audit in release and PR validation workflows
- remove angular-oauth2-oidc dependency to pass strict security audit
Pull request overview
This PR makes dependency vulnerability scanning a blocking gate in CI by introducing a reusable strict pnpm audit job and wiring it into both PR validation and release workflows. It also removes an unused dependency (angular-oauth2-oidc) and replaces its imported OAuth error type with a local structural type to avoid shipping a vulnerable dependency tree to consumers.
Changes:
- Add a reusable GitHub Actions security audit job and enforce `pnpm audit --audit-level low` as a required check.
- Make the security audit job blocking in PR validation and release workflows, and surface its status in the PR report.
- Remove `angular-oauth2-oidc` from dependencies/externals and replace the type import with a local `OAuthErrorEventLike` interface.
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| scripts/build/helpers/compile-type-script.helper.ts | Removes angular-oauth2-oidc from declaration/build externals. |
| package.json | Drops angular-oauth2-oidc from runtime dependencies. |
| pnpm-lock.yaml | Updates the lockfile to remove angular-oauth2-oidc and its transitive tree. |
| helpers/string/errorToReadableMessage.ts | Replaces external OAuth error type import with a local structural type. |
| .github/workflows/job-security.yml | Converts security audit into a strict, failing CI step with configurable audit level. |
| .github/workflows/pr-validation.yml | Adds the security audit job and includes it in the PR status report. |
| .github/workflows/release.yml | Adds the security audit as a prerequisite for release build/verify. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| if ("reason" in errObj && "params" in errObj) { | ||
| const errOAuth = error as OAuthErrorEvent & { | ||
| const errOAuth = error as OAuthErrorEventLike & { | ||
| type: "code_error"; | ||
| params: { error: string; error_description: string }; | ||
| }; |
The type assertion here hard-codes `type: "code_error"`, but the switch below has a default branch and the test suite exercises non-`code_error` values. This makes the types misleading (the default branch becomes unreachable to TypeScript) and increases the chance of future refactors accidentally breaking the non-`code_error` path. Consider asserting `type: string` (or a union of known types) and using a runtime check (`if (errOAuth.type === "code_error")`) to narrow before accessing `params.error` / `params.error_description`.
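The review comment above asks for a structural replacement type plus a runtime check instead of a hard-coded `type: "code_error"` assertion. The following is an added example, not the helpers4 project's own `errorToReadableMessage` or its `OAuthErrorEventLike` interface; the interface shape, the guard names `isOAuthErrorEventLike` / `isCodeError`, the message formats and the sample events are all assumptions made for illustration. It keeps `params` as `unknown` so the compiler forces a check before `params.error` / `params.error_description` are read, and it keeps the non-`code_error` path reachable.

```typescript
// Added example (not the project's code). Names and message formats are assumptions.

/** Structural stand-in for angular-oauth2-oidc's OAuthErrorEvent: no runtime import needed. */
interface OAuthErrorEventLike {
  type: string;       // deliberately `string`, not the literal "code_error"
  reason?: unknown;
  params?: unknown;   // `unknown` forces a runtime check before use
}

/** The narrowed shape we are willing to format as "<error>: <description>". */
interface OAuthCodeError extends OAuthErrorEventLike {
  type: "code_error";
  params: { error: string; error_description: string };
}

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null;
}

/** Mirrors the `"reason" in errObj && "params" in errObj` guard, plus a string `type`. */
function isOAuthErrorEventLike(err: unknown): err is OAuthErrorEventLike {
  return isRecord(err) && typeof err.type === "string" && "reason" in err && "params" in err;
}

/** Runtime narrowing: only trust `params.error` / `error_description` after verifying them. */
function isCodeError(err: OAuthErrorEventLike): err is OAuthCodeError {
  if (err.type !== "code_error" || !isRecord(err.params)) return false;
  return typeof err.params.error === "string" && typeof err.params.error_description === "string";
}

function errorToReadableMessage(error: unknown): string {
  if (isOAuthErrorEventLike(error)) {
    if (isCodeError(error)) {
      return `${error.params.error}: ${error.params.error_description}`;
    }
    // Default path for every other event type (and for malformed code_error params):
    // reachable at the type level because `type` is `string`, not a literal.
    return `OAuth error (${error.type})`;
  }
  if (error instanceof Error) return error.message;
  return String(error);
}

// Constructed sample events (not captured from a real IdP).
const SAMPLE_CODE_ERROR = {
  type: "code_error",
  reason: "token endpoint rejected code",
  params: { error: "invalid_grant", error_description: "Authorization code expired" },
};
const SAMPLE_OTHER_ERROR = { type: "token_error", reason: "refresh failed", params: {} };
const SAMPLE_MALFORMED = { type: "code_error", reason: "unexpected", params: null };

function demo(): string[] {
  return [SAMPLE_CODE_ERROR, SAMPLE_OTHER_ERROR, SAMPLE_MALFORMED, new Error("boom")]
    .map(errorToReadableMessage);
}
```

The malformed `code_error` event falls through to the generic branch instead of producing `"undefined: undefined"`, which is the case the `as` assertion in the diff cannot express.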
✅ PR Validation Passed
🤖 Generated by @helpers4 CI • 2026-04-02
Summary
- `pnpm audit --audit-level low`
- `angular-oauth2-oidc`, which was only used for a type import but introduced vulnerable runtime dependencies
- `errorToReadableMessage`

Why
The repository already had a security workflow, but it was non-blocking because it used `pnpm audit || true`. This change turns security auditing into a real gate in CI and fixes the current vulnerability baseline so the strict audit can pass cleanly.

Validation
- `pnpm audit --audit-level low`
- `pnpm typecheck`
- `pnpm test`
- `pnpm build`

Notes
- `angular-oauth2-oidc` dependency was not needed at runtime
- 🔐 Security Audit status
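The PR description's "Why" and the reviewed changes list describe the same mechanism: a reusable audit job with a configurable audit level that other workflows require. The following is an added example, not the repository's actual `job-security.yml` or `pr-validation.yml`; the input name `audit-level`, the default, the job names, the action versions and the Node version are assumptions. It shows the former non-blocking step beside the blocking one and how a caller makes the gate a prerequisite.

```yaml
# Added example, not the helpers4 project's own workflow files. Input names,
# job names, action versions and node-version are assumptions.

# --- .github/workflows/job-security.yml (reusable job) ---
name: job-security
on:
  workflow_call:
    inputs:
      audit-level:
        description: "Lowest severity that fails the job (low|moderate|high|critical)"
        type: string
        required: false
        default: low

jobs:
  security-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4          # must run before setup-node's pnpm cache
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm
      - run: pnpm install --frozen-lockfile  # audit the locked tree, not a re-resolved one

      # Non-blocking (the previous state): `|| true` swallows pnpm's non-zero exit,
      # so advisories are printed but never fail CI.
      # - run: pnpm audit || true

      # Blocking: pnpm audit exits non-zero when any advisory at or above the
      # chosen level exists, which fails this job and everything that needs it.
      - run: pnpm audit --audit-level "${{ inputs.audit-level }}"

# --- .github/workflows/pr-validation.yml (caller) ---
# name: pr-validation
# on: [pull_request]
# jobs:
#   security:
#     uses: ./.github/workflows/job-security.yml
#     with:
#       audit-level: low
#   build:
#     needs: [security]        # build/verify never runs if the audit fails
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v4
#       - run: echo "build and test here"
```

Because `pnpm install --frozen-lockfile` refuses to proceed when `pnpm-lock.yaml` is out of date, the audit always runs against exactly the tree that would be published, which is the point of removing `angular-oauth2-oidc` from both `package.json` and the lockfile rather than only silencing its advisories.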