
Fix npm audit vulnerabilities in production dependencies#3372

Merged
openshift-merge-bot[bot] merged 2 commits into openshift:main from stbenjam:npm-fix on Mar 26, 2026

Conversation

@stbenjam
Member

stbenjam commented Mar 26, 2026

Summary

  • Update picomatch and yaml to patched versions to resolve production dependency vulnerabilities (high severity ReDoS, moderate severity stack overflow)
  • Update Makefile to use --omit=dev instead of deprecated --production flag for npm audit

Test plan

  • cd sippy-ng && npm audit --omit=dev reports 0 vulnerabilities
  • make lint passes

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated the dependency-audit behavior in build tooling to change which packages are included during audits.
    • Excluded the frontend dependency directory from lint runs to reduce unnecessary scanning and noise during linting.

Update picomatch and yaml to patched versions to resolve high severity
ReDoS and moderate severity stack overflow vulnerabilities. Also update
the Makefile to use --omit=dev instead of the deprecated --production
flag.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
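The test plan above relies on the exit status of npm audit --omit=dev, which only tells you whether anything at or above the --audit-level threshold remains. The script below is an added example, not code from the sippy repository or from this PR: it consumes the JSON that npm audit --omit=dev --json prints (the auditReportVersion 2 schema used by npm 7 and later, which --omit=dev already prunes to production dependencies), refuses the older npm 6 schema instead of silently passing, and reports each remaining finding with its severity, whether it is a direct dependency and whether npm audit fix can resolve it without a semver-major change. The file name audit-gate.js, the sample report (the two packages named in this PR, with constructed advisory titles and no version ranges or advisory ids) and the --stdin flag are assumptions made for the example.

```javascript
// Added example (not code from the sippy repository): a severity gate over the
// JSON that `npm audit --omit=dev --json` prints (npm >= 7, auditReportVersion 2).
// Run:  cd sippy-ng && npm audit --omit=dev --json | node audit-gate.js --stdin high
'use strict';

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report: the two packages named in this PR, with only the
// fields the gate reads. Version ranges and advisory ids are intentionally absent.
const SAMPLE_REPORT = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    picomatch: {
      name: 'picomatch', severity: 'high', isDirect: false, fixAvailable: true,
      via: [{ title: 'Regular expression denial of service (constructed entry)', severity: 'high' }],
    },
    yaml: {
      name: 'yaml', severity: 'moderate', isDirect: false, fixAvailable: true,
      via: [{ title: 'Stack overflow on crafted input (constructed entry)', severity: 'moderate' }],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0, total: 2 } },
});

// Parse and validate the report shape. npm 6 emitted a different schema
// (advisories keyed by id, no auditReportVersion), so refuse it loudly rather
// than silently reporting zero findings.
function parseAuditReport(text) {
  const report = JSON.parse(text);
  if (report.auditReportVersion !== 2 || typeof report.vulnerabilities !== 'object' || report.vulnerabilities === null) {
    throw new Error('unsupported npm audit report format; expected auditReportVersion 2 (npm >= 7)');
  }
  return report;
}

// Return findings at or above `level`, worst first. Each finding keeps the
// facts a reviewer wants: severity, whether it is a direct dependency, and
// whether `npm audit fix` can resolve it without a breaking change.
function findingsAtOrAbove(report, level) {
  const floor = SEVERITY_RANK[level];
  if (floor === undefined) throw new Error(`unknown audit level: ${level}`);
  return Object.values(report.vulnerabilities)
    .filter((v) => SEVERITY_RANK[v.severity] >= floor)
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name))
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      isDirect: Boolean(v.isDirect),
      // fixAvailable is `true`, `false`, or an object describing a semver-major fix.
      fixAvailable: v.fixAvailable === true ? 'yes' : v.fixAvailable ? 'major-upgrade' : 'no',
      titles: (v.via || []).filter((x) => typeof x === 'object').map((x) => x.title),
    }));
}

// The gate: pass only when nothing at or above `level` remains.
function auditGate(report, level) {
  const findings = findingsAtOrAbove(report, level);
  return { pass: findings.length === 0, level, findings, counts: report.metadata.vulnerabilities };
}

// One line per finding plus a PASS/FAIL summary, for CI logs.
function formatGate(result) {
  const lines = result.findings.map(
    (f) => `${f.severity.padEnd(8)} ${f.name} (direct: ${f.isDirect}, fix: ${f.fixAvailable}) ${f.titles.join('; ')}`,
  );
  lines.push(`${result.pass ? 'PASS' : 'FAIL'}: ${result.findings.length} finding(s) at or above ${result.level}`);
  return lines.join('\n');
}

// CLI entry point: only active when invoked with --stdin, so requiring the file does nothing.
if (typeof require !== 'undefined' && require.main === module && process.argv[2] === '--stdin') {
  const level = process.argv[3] || 'high';
  const chunks = [];
  process.stdin.on('data', (c) => chunks.push(c));
  process.stdin.on('end', () => {
    const result = auditGate(parseAuditReport(Buffer.concat(chunks).toString('utf8')), level);
    console.log(formatGate(result));
    process.exitCode = result.pass ? 0 : 1;
  });
}

if (typeof module !== 'undefined') {
  module.exports = { SAMPLE_REPORT, parseAuditReport, findingsAtOrAbove, auditGate, formatGate };
}
```

Because --omit=dev prunes devDependencies before the audit runs, a clean result from this gate says nothing about the dev tree; run a second, non-blocking pass without --omit=dev if you also want visibility into build-time tooling.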
@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To manually trigger all jobs from the second stage, use the /pipeline required command.

This repository is configured in: automatic mode

openshift-ci bot requested review from smg247 and xueqzhan, March 26, 2026 12:20
@coderabbitai
Contributor

coderabbitai bot commented Mar 26, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between af43d34 and 0c131f5.

📒 Files selected for processing (1)
  • .golangci.yml
✅ Files skipped from review due to trivial changes (1)
  • .golangci.yml

Walkthrough

Makefile: updated the lint target's npm audit command to npm audit --omit=dev (replacing --production). .golangci.yml: added run.skip-dirs to exclude sippy-ng/node_modules from golangci-lint runs. No other behavior or exports changed.

Changes

  • Build / Makefile (Makefile): Replaced npm audit --production with npm audit --omit=dev in the lint target to change which dependencies are audited.
  • Linter config (.golangci.yml): Added a run.skip-dirs entry to exclude sippy-ng/node_modules from golangci-lint execution.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
  • Go Error Handling: Passed. The custom check for Go error handling patterns is not applicable to this PR, which only modifies configuration files (Makefile and .golangci.yml) without any changes to Go source code.
  • Sql Injection Prevention: Passed. The pull request contains only configuration file updates to Makefile and .golangci.yml with no SQL query or database operation changes.
  • Excessive Css In React Should Use Styles: Passed. This custom check for excessive CSS in React components is not applicable as the PR only modifies build and linting configuration files without touching any React component files.
  • Single Responsibility And Clear Naming: Passed. This PR contains only configuration file changes (Makefile and .golangci.yml) with no modifications to Go code, packages, structs, or method definitions.


openshift-ci bot added the "approved" label (Indicates a PR has been approved by an approver from all required OWNERS files), Mar 26, 2026
The flatted npm package ships Go source code that triggers gocyclo and
gocritic violations. Exclude node_modules from the linter.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@dgoodwin
Contributor

/lgtm

@openshift-ci-robot

Scheduling required tests:
/test e2e

openshift-ci bot added the "lgtm" label (Indicates that a PR is ready to be merged), Mar 26, 2026
@openshift-ci
Contributor

openshift-ci bot commented Mar 26, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dgoodwin, stbenjam


@openshift-ci
Contributor

openshift-ci bot commented Mar 26, 2026

@stbenjam: all tests passed!


openshift-merge-bot bot merged commit ba3d7ee into openshift:main, Mar 26, 2026
9 checks passed