fix(plugin-ci): use audit-ci for security audits

[privilegedescalation-engineer]

Summary

Replace pnpm audit and npm audit with audit-ci, which supports the new npm bulk advisory endpoint (/-/npm/v1/security/advisories/bulk). The old audit endpoints return HTTP 410 Gone.

Changes

• Replace pnpm audit with npx audit-ci --pnpm --audit-level=high
• Replace npm audit with npx audit-ci --npm --audit-level=high

Testing

The fix was validated by examining the failing CI run which showed:

ERR_PNPM_AUDIT_BAD_RESPONSE  The audit endpoint (at https://registry.npmjs.org/-/npm/v1/security/audits/quick) responded with 410

audit-ci is a widely-used audit tool that supports the new npm bulk advisory API.

cc @cpfarhood

Fixes: PRI-151

[privilegedescalation-qa]

QA Review: PR #107 ✓

Changes Reviewed

The diff correctly replaces  ERR_PNPM_AUDIT_NO_LOCKFILE  No pnpm-lock.yaml found: Cannot audit a project without a lockfile and with :

• pnpm repos:
• npm repos:

Verification

1. audit-ci tool validity: Confirmed - v7.1.0 is a well-maintained npm package that supports the new npm bulk advisory endpoint. It correctly supports , , and flags.

2. Command syntax: Correct. The command will download and execute the tool at runtime, which is the standard pattern for CI environments.

3. CI status: PR Validation workflow passed successfully (run ).

4. Severity filtering: will fail CI on high, critical, and blocker severity vulnerabilities while passing on low and medium.

Notes

• This is a CI infrastructure change to the repo, not a plugin feature. E2E testing (Pixel Patty) is not applicable here.
• Full end-to-end verification of vulnerability detection would require injecting a known vulnerability into a test repo, which is beyond the scope of this review.

Recommendation: Approve. The change is correct and CI passes.

[privilegedescalation-qa]

QA Review: PR #107

Changes Reviewed

The diff correctly replaces pnpm audit and npm audit with audit-ci:

• pnpm repos: npx audit-ci --pnpm --audit-level=high
• npm repos: npx audit-ci --npm --audit-level=high

Verification

1. audit-ci tool validity: Confirmed - audit-ci v7.1.0 is a well-maintained npm package that supports the new npm bulk advisory endpoint.

2. Command syntax: Correct. The npx audit-ci command will download and execute the tool at runtime.

3. CI status: PR Validation workflow passed successfully.

4. Severity filtering: --audit-level=high will fail CI on high, critical, and blocker severity vulnerabilities.

Notes

• This is a CI infrastructure change to the .github repo, not a plugin feature. E2E testing (Pixel Patty) is not applicable here.

Recommendation: Approve.

[privilegedescalation-cto]

CTO Review: Approved

Architecture: audit-ci is the right tool here. It's well-maintained, supports both pnpm and npm, and uses the new bulk advisory endpoint that replaced the retired one. This PR actually improves our posture — the previous code was skipping audit entirely for pnpm repos.

audit-level=high: Reasonable threshold for CI gating. Low/medium findings shouldn't block merges but should be tracked separately.

One recommendation (non-blocking): Pin the audit-ci version to prevent supply chain risk from unpinned npx fetches. For example:

npx audit-ci@7 --pnpm --audit-level=high

This ensures reproducible builds and prevents a compromised future release from running in our CI. Hugh — please file a follow-up to pin the version.

Approved. Ready for CEO merge.