fix(ci): patch ws advisory and scope security audit to production deps #215
Merged
The `security` CI job was failing repo-wide (every recent push to main) on newly-published npm advisories, not on any code change.
- `npm audit fix` bumps `ws` 8.20.0 -> 8.21.0, clearing the high-severity GHSA-96hv-2xvq-fx4p (the only production-dependency vulnerability) and realigns the jest 30.x lockfile entries with package.json.
- Scope the moderate audit to production deps (`--omit=dev`). The remaining 18 moderate advisories are all dev-only test tooling (jest -> babel-plugin-istanbul -> @istanbuljs/load-nyc-config -> js-yaml@3), which is unmaintained upstream and has no fix; it never ships to consumers.
After this change `npm audit --omit=dev` reports 0 vulnerabilities and both audit gates pass. Build, lint, and the 254 unit tests are green.
aivong-openhands
approved these changes
Jun 18, 2026
Problem
The `security` CI job (.github/workflows/ci.yml) has been failing on every recent push to `main` (5/5 latest runs red), independent of any code change. `npm audit` checks the dependency tree against npm's live advisory database, and newly-published advisories tripped both audit steps:
- `ws` 8.0.0–8.20.1: high severity, GHSA-96hv-2xvq-fx4p (memory-exhaustion DoS). This is a production dependency (runtime WebSocket).
- `js-yaml` ≤4.1.1: moderate, root of 18 dev-only advisories via jest → babel-plugin-istanbul → @istanbuljs/load-nyc-config → js-yaml@3.
- `@babel/core` ≤7.29.0: moderate, dev-only.

Fix
- `npm audit fix` (non-breaking, `package-lock.json` only): bumps `ws` 8.20.0 → 8.21.0, clearing the only production-dependency vulnerability, and realigns the jest 30.x lockfile entries with `package.json` (the lockfile had drifted to `jest@30.3.0` vs. the declared `^30.4.2`).
- Scope the moderate audit step to production deps (`npm audit --audit-level=moderate --omit=dev`). The 18 remaining moderate advisories are entirely dev-only test tooling. The blocker, `js-yaml@3`, is pinned by `@istanbuljs/load-nyc-config@1.1.0`, which is long unmaintained and has no version using js-yaml 4.x, so no dependency bump (including `npm audit fix --force`) can resolve it, and it never ships to consumers. The second step (`--audit-level=high --production`) is unchanged, so production deps remain gated at both moderate and high.

Verification
- `npm audit --omit=dev` → 0 vulnerabilities
- `npm run build` ✅ · `npm run lint` ✅ (0 errors) · `npm test` ✅ 254/254

Scope note
This is a standalone CI-health fix, independent of #214 (the agent-server 1.24.0 → 1.29.0 pin bump). It's branched off `main` so it can merge on its own.
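To make the gate logic in this PR concrete, here is an added example (not the project's code and not part of the PR) that models the two `npm audit` steps of the `security` job over a constructed lockfile excerpt and a constructed advisory list. The `dev: true` flag mirrors the field that `package-lock.json` (lockfileVersion 2/3) sets on packages reachable only through devDependencies, which is what `--omit=dev` (legacy spelling `--production`) prunes before auditing. Only the `ws` advisory id and version ranges come from the PR; the js-yaml and @babel/core advisory ids and the dev-dependency versions are placeholders, and the version comparison is a simplified numeric one rather than full semver.

```javascript
// Added example: a model of the `security` job's two npm audit gates
// (not the project's code). All data below is constructed for the demo.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed advisory list. The ws entry mirrors GHSA-96hv-2xvq-fx4p
// (vulnerable 8.0.0-8.20.1); the other two ids are placeholders, with the
// "<= 4.1.1" and "<= 7.29.0" ranges taken from the PR description.
const ADVISORIES = [
  { pkg: "ws", id: "GHSA-96hv-2xvq-fx4p", severity: "high", vulnerable: ["8.0.0", "8.20.1"] },
  { pkg: "js-yaml", id: "GHSA-PLACEHOLDER-1", severity: "moderate", vulnerable: ["0.0.0", "4.1.1"] },
  { pkg: "@babel/core", id: "GHSA-PLACEHOLDER-2", severity: "moderate", vulnerable: ["0.0.0", "7.29.0"] },
];

// Constructed package-lock.json "packages" excerpt. wsVersion lets us model the
// tree before (8.20.0) and after (8.21.0) `npm audit fix`; dev-only entries carry
// the lockfile's `dev: true` flag. Dev versions other than load-nyc-config@1.1.0
// and jest ^30.4.2 are assumed.
function makeLockfile(wsVersion) {
  return {
    "node_modules/ws": { version: wsVersion },
    "node_modules/jest": { version: "30.4.2", dev: true },
    "node_modules/@babel/core": { version: "7.29.0", dev: true },
    "node_modules/@istanbuljs/load-nyc-config": { version: "1.1.0", dev: true },
    "node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml": { version: "3.14.1", dev: true },
  };
}

// Package name is everything after the last "node_modules/" (keeps scopes intact).
function pkgNameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Simplified dotted-numeric comparison (no prerelease handling).
function cmpVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function inRange(version, [lo, hi]) {
  return cmpVersions(version, lo) >= 0 && cmpVersions(version, hi) <= 0;
}

// Emulates `npm audit [--omit=dev]`: match installed packages against advisories,
// dropping dev-only nodes first when omitDev is set.
function auditFindings(lockfile, advisories, { omitDev }) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile)) {
    if (omitDev && entry.dev) continue;
    const name = pkgNameFromPath(path);
    for (const adv of advisories) {
      if (adv.pkg === name && inRange(entry.version, adv.vulnerable)) {
        findings.push({ pkg: name, version: entry.version, severity: adv.severity, id: adv.id, dev: !!entry.dev });
      }
    }
  }
  return findings;
}

// Emulates `--audit-level=<level>`: the step fails only if a remaining finding
// is at or above the threshold.
function auditGate(lockfile, advisories, { level, omitDev }) {
  const findings = auditFindings(lockfile, advisories, { omitDev });
  const blocking = findings.filter((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[level]);
  return { pass: blocking.length === 0, blocking, findings };
}

// The two steps of the `security` job. scopeModerateToProd=false is the pre-PR
// workflow (moderate step audits the whole tree); true is the post-PR workflow.
function securityJob(lockfile, { scopeModerateToProd }, advisories = ADVISORIES) {
  return {
    moderateStep: auditGate(lockfile, advisories, { level: "moderate", omitDev: scopeModerateToProd }).pass,
    highStep: auditGate(lockfile, advisories, { level: "high", omitDev: true }).pass,
  };
}

const beforeFix = makeLockfile("8.20.0");
const afterFix = makeLockfile("8.21.0");
console.log("pre-PR workflow, old lockfile:", securityJob(beforeFix, { scopeModerateToProd: false }));
console.log("pre-PR workflow, after npm audit fix:", securityJob(afterFix, { scopeModerateToProd: false }));
console.log("post-PR workflow, after npm audit fix:", securityJob(afterFix, { scopeModerateToProd: true }));
```

The three printed lines trace the PR's reasoning: the `ws` bump alone clears the high gate but leaves the moderate gate red on dev-only findings, and only scoping that step with `--omit=dev` turns both green while production packages stay gated at both levels.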