fix(ci-node): stop the audit step failing on npm's retired audit endpoint#162
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
@
The
Quality (knip, madge, audit)job fails on every open PR across the product repos, and it is a required status check, so nothing can merge.Closes #161.
Cause
npm retired the legacy audit endpoints on 2026-07-15 — primary and fallback both return HTTP 410. pnpm only queries the replacement bulk advisory endpoint from v11 onwards (pnpm/pnpm#11265), and every repo here is on pnpm 10, so
pnpm auditcannot succeed on any commit regardless of content. Reproduced locally on pnpm 10.34.3.Only the
auditstep is fatal —knipandmadgealready havecontinue-on-error: true, so the "Unused files" noise in those logs is a red herring.Change
The
auditstep reports a warning and passes only when the output carries the retired-endpoint signature (responded with 410/endpoint is being retired). Everything else still fails the job, and the step is deliberately left withoutcontinue-on-errorso it keeps gating. Once a repo moves to pnpm 11 the bulk endpoint answers and the step becomes a real gate again with no further change.Inputs are passed via
env:rather than interpolated into the shell.Verification
Behaviour pinned against a stubbed package manager for each case, plus the real pnpm:
The 500 case matters: the match is deliberately narrow, so a genuine registry outage is not silently swallowed.
Caveat
pnpm auditwas the only blocking dependency-CVE check.osv-scannerscans the samepnpm-lock.yamlandCargo.lockbutfail-on-cvedefaults tofalse, so it is advisory-only — dependency CVEs are surfaced but not enforced until pnpm 11 lands. Noted in #161; flippingfail-on-cve: trueneeds a per-repo review of current findings first.@