Skip to content

fix(ci): replace retired pnpm audit endpoint #103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
PatrickSys merged 1 commit into from
Apr 15, 2026
Merged

fix(ci): replace retired pnpm audit endpoint #103

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,8 @@ jobs:
- name: Type Check
run: pnpm type-check

- name: Security Audit
run: pnpm audit --prod
- name: Registry Signatures Audit
run: npm audit signatures
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 npm audit signatures likely fails without package-lock.json

This repo has only pnpm-lock.yaml — no package-lock.json. The npm v10 docs state: "By default npm requires a package-lock or shrinkwrap in order to run the audit." Running npm audit signatures (which uses the same underlying arborist machinery) without a lockfile may exit with an error rather than silently passing.

Beyond the lockfile, pnpm's virtual store places packages under node_modules/.pnpm/ behind symlinks. npm's arborist walker is designed for npm's flat node_modules layout; with pnpm's structure it may only see the top-level symlinks (direct dependencies) and silently skip the full transitive dependency tree in .pnpm/, giving an incomplete audit even if it does not error out.

A pnpm-native alternative that doesn't require a package-lock.json:

- name: Registry Signatures Audit
  run: pnpm audit --audit-level=high

Or, if signature-provenance verification (not CVE checking) is the goal, generate a throwaway lockfile first:

- name: Registry Signatures Audit
  run: |
    npm install --package-lock-only --ignore-scripts
    npm audit signatures

Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Verification step doesn't exercise the CI command

The PR description's verification line pnpm audit signatures does not test the same code path as npm audit signatures in CI. As documented in pnpm/pnpm#7909, the pnpm CLI silently ignores signatures and falls back to a standard pnpm audit (a vulnerability check, not a signature check). So the manual verification confirms nothing about whether npm audit signatures will succeed or produce meaningful output in this pnpm project.

Comment on lines +32 to +33
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Security gate scope change: CVEs → registry signatures

pnpm audit --prod detected known CVEs in production dependencies. npm audit signatures verifies that package tarballs carry valid cryptographic signatures from the npm registry — a supply-chain integrity check, not a vulnerability check. The two are complementary but not interchangeable; after this change, CI will no longer catch packages with published CVEs.

If unblocking the HTTP 410 error is the immediate goal and CVE coverage should be preserved, you could run both:

Suggested change
- name: Registry Signatures Audit
run: npm audit signatures
- name: Registry Signatures Audit
run: |
npm audit signatures
pnpm audit --prod --audit-level=high || echo "::warning::pnpm audit failed (registry may be unavailable)"


test:
name: Functional Tests
Expand Down
Loading