Skip to content

fix(ci-node): stop the audit step failing on npm's retired audit endpoint#162

Merged
BryanFRD merged 1 commit into
mainfrom
fix/ci-node-audit-retired-endpoint
Jul 15, 2026
Merged

fix(ci-node): stop the audit step failing on npm's retired audit endpoint#162
BryanFRD merged 1 commit into
mainfrom
fix/ci-node-audit-retired-endpoint

Conversation

@BryanFRD

Copy link
Copy Markdown
Contributor

@
The Quality (knip, madge, audit) job fails on every open PR across the product repos, and it is a required status check, so nothing can merge.

Closes #161.

Cause

npm retired the legacy audit endpoints on 2026-07-15 — primary and fallback both return HTTP 410. pnpm only queries the replacement bulk advisory endpoint from v11 onwards (pnpm/pnpm#11265), and every repo here is on pnpm 10, so pnpm audit cannot succeed on any commit regardless of content. Reproduced locally on pnpm 10.34.3.

Only the audit step is fatal — knip and madge already have continue-on-error: true, so the "Unused files" noise in those logs is a red herring.

Change

The audit step reports a warning and passes only when the output carries the retired-endpoint signature (responded with 410 / endpoint is being retired). Everything else still fails the job, and the step is deliberately left without continue-on-error so it keeps gating. Once a repo moves to pnpm 11 the bulk endpoint answers and the step becomes a real gate again with no further change.

Inputs are passed via env: rather than interpolated into the shell.

Verification

Behaviour pinned against a stubbed package manager for each case, plus the real pnpm:

Case Step exit Result
Retired-endpoint 410 0 warning, job continues
Real high-severity vulnerability 1 still fails
Clean audit 0 passes
Registry 500 (other error) 1 still fails, not swallowed
Real pnpm 10.34.3 in FerrTrack-Cloud 0 warning path taken

The 500 case matters: the match is deliberately narrow, so a genuine registry outage is not silently swallowed.

Caveat

pnpm audit was the only blocking dependency-CVE check. osv-scanner scans the same pnpm-lock.yaml and Cargo.lock but fail-on-cve defaults to false, so it is advisory-only — dependency CVEs are surfaced but not enforced until pnpm 11 lands. Noted in #161; flipping fail-on-cve: true needs a per-repo review of current findings first.
@

@BryanFRD BryanFRD merged commit 9d30d15 into main Jul 15, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ci(ci-node): Quality gate fails on every PR since npm retired the legacy audit endpoints

1 participant