fix(audit-action): derive prod closure from lockfile instead of pnpm list#15
Merged
cherviakovtaskworld merged 3 commits intoJul 3, 2026
Merged
Conversation
…list pnpm list --prod --parseable --depth=Infinity enumerates the shared .pnpm store at the workspace root, so under a workspace or shamefullyHoist the --prod filter leaks dev/build packages (rollup, esbuild, babel, ...) and the audit over-reports vulnerabilities. The --json variant instead deduplicates subtrees and under-reports. Replace the pnpm list enumeration with a walk of pnpm-lock.yaml: resolve the importer for the target path and traverse the snapshots graph from its production (and optional dev) dependencies. This is hoisting- and store-layout-independent. Adds yaml as a dependency. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The self-test pinned pnpm/action-setup to 8.15.6, so pnpm install regenerated the lockfile in the v6 format (no importers section for a single-package repo). Consumers (tw-frontend, tw-backend) run pnpm 10 and commit v9 lockfiles, which the new lockfile parser targets. Declare packageManager: pnpm@10.33.0 and let pnpm/action-setup read it. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
pnpm 10 defaults auto-install-peers to true, but the committed lockfile records false, so frozen installs failed with ERR_PNPM_LOCKFILE_CONFIG_MISMATCH. Declare it explicitly in .npmrc. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
VulnerabilitiesVulnerabilities were found in audit-action.
|
ThisIsManta
approved these changes
Jul 3, 2026
cherviakovtaskworld
deleted the
cherviakovtaskworld/fix-prod-scope-lockfile
branch
July 3, 2026 07:14
cherviakovtaskworld
added a commit
that referenced
this pull request
Jul 3, 2026
* ci(audit-action): fix release trigger to main and bump to 3.2.1 The release workflow triggered on pull_request to `master`, but the repository's default branch is `main`, so it never fired — no v3.2.x tag was ever created despite package.json sitting at 3.2.0. Point the trigger at `main` and bump the patch version so the lockfile-closure fix (#15) can be published. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * ci(audit-action): skip release cleanly when version unchanged Gate the release step on an output flag instead of letting `grep -q` fail the job: merges to main that don't bump package.json now skip the release steps (green) rather than reporting a failed workflow run. Add a `merged == true` job guard so closed-but-unmerged PRs don't trigger it, and let workflow_dispatch force a release of the current version. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
pnpmBulkAuditorenumerates the dependency set withpnpm list --prod --parseable --depth=Infinity. In a pnpm workspace (or withshamefullyHoist: true),--parseablereports physical paths from the shared.pnpmstore at the workspace root, which contains every package (dev + prod,all members). The
--prodfilter is effectively bypassed, so the audit countsvulnerabilities in dev/build-time tooling as production findings.
Observed on
tw-frontend(path: ./client): the audit reported 8 high, butpnpm why --prodconfirms 7 of them come from dev-only packages (rollup,serialize-javascript,flatted,fast-uri,@babel/plugin-transform-modules-systemjs).Only
linkify-itis a genuine production dependency.The pre-3.1.3
--json --depth=Infinityapproach is not a fix either: pnpmdeduplicates subtrees in that output (
deduped: true, no nesteddependencies), so packages reachable only through deduped nodes are dropped andthe audit under-reports.
Solution
Collect the dependency closure from
pnpm-lock.yaml, the only source that isindependent of hoisting and store layout:
findLockfilewalks up from the target path to the workspacepnpm-lock.yaml.toImporterKeymaps the target path to itsimporters.<key>entry.collectFromLockfileseeds from the importer'sdependencies+optionalDependencies(plusdevDependencieswheninclude-dev-depsis set)and walks the
snapshotsgraph, stripping peer/patch suffixes(
1.2.3(react@18.3.1)→1.2.3) and skippinglink:/file:/git:refs.mapToAuditMetadata, the bulk-advisory fetch, and thedetailed/include-dev-depsoptions are unchanged.
yamlis added as a runtime dependency (bundled intodist/index.js).Verification
pnpm test— 37 passing. New unit tests covertoImporterKey, transitiveclosure, dev-subtree inclusion/exclusion, suffix stripping,
link:skipping,and a missing-importer error; the end-to-end
pnpmBulkAuditortests now drive alockfile fixture instead of
pnpm listoutput.tw-frontendlockfile (clientimporter): closuresize drops from 1097 (store enumeration) to 620 (actual prod closure);
rollup/serialize-javascript/flatted/fast-uri/@babel/*are correctlyabsent,
linkify-itandmarkdown-itcorrectly present.