From d85ea9c5793e3b3b9c43319c75e1de048a76e26f Mon Sep 17 00:00:00 2001 From: BryanFRD Date: Wed, 15 Jul 2026 21:40:58 +0200 Subject: [PATCH] fix(ci-node): stop the audit step failing on npm's retired audit endpoint --- .github/workflows/reusable-ci-node.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/reusable-ci-node.yml b/.github/workflows/reusable-ci-node.yml index 17dd4ae..d6f3e8d 100644 --- a/.github/workflows/reusable-ci-node.yml +++ b/.github/workflows/reusable-ci-node.yml @@ -246,7 +246,20 @@ jobs: continue-on-error: true - name: audit if: inputs.enable-audit - run: ${{ inputs.package-manager }} audit --prod --audit-level=${{ inputs.audit-level }} + env: + PKG_MANAGER: ${{ inputs.package-manager }} + AUDIT_LEVEL: ${{ inputs.audit-level }} + run: | + set +e + OUT=$("$PKG_MANAGER" audit --prod --audit-level="$AUDIT_LEVEL" 2>&1) + EXIT=$? + set -e + printf '%s\n' "$OUT" + if [ "$EXIT" -ne 0 ] && printf '%s' "$OUT" | grep -qE 'responded with 410|endpoint is being retired'; then + echo "::warning title=Dependency audit skipped::The npm registry retired the legacy audit endpoints on 2026-07-15, and pnpm only queries the replacement bulk advisory endpoint from v11 onwards. This step cannot gate anything until this repo moves to pnpm 11, so it is reporting a warning instead of failing. Dependency CVEs are still surfaced (advisory-only) by osv-scanner in the security-scan workflow. See https://github.com/pnpm/pnpm/issues/11265" + exit 0 + fi + exit $EXIT sonarqube: name: SonarQube