chore: move flaky dependency audits out of lint job #227
Conversation
```yaml
- name: Audit npm dependencies
  working-directory: frontend
  run: |
    for attempt in 1 2 3; do
      npm audit --omit=dev --audit-level=moderate && exit 0
      echo "::warning::npm audit attempt $attempt failed (network?); retrying in 15s"
      sleep 15
    done
    echo "::error::npm audit failed after 3 attempts"
    exit 1
```
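Review bot: the `npm audit --omit=dev --audit-level=moderate && exit 0` line loops back on every non-zero exit, which includes the status npm uses when it finds vulnerabilities at or above `--audit-level`, so a genuine finding is retried twice and then reported under the `npm audit failed after 3 attempts` banner instead of its own report. Capture the audit output (`npm audit --json`) and only `sleep 15` and retry when no audit report was produced; when a report was produced and the exit status is non-zero, print the report and `exit 1` immediately.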
Path: .github/workflows/ci.yml, lines 102-111
**Retry loop can't distinguish network errors from vulnerability findings**
Both `npm audit` and `pip-audit` exit non-zero for *two* distinct reasons: a transient network error and an actual vulnerability finding. The retry loop treats both identically, so when a real CVE is detected the job will silently retry it twice more (burning ~30 s) before finally failing with the misleading banner `npm audit failed after 3 attempts` instead of the audit's own vulnerability report. The `(network?)` hint in the warning will actively mislead anyone trying to diagnose a real security hit.
The same logic applies to the `pip-audit` retry block above (lines 82-89).



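One way to make the retry loop distinguish the two failure modes, as an added example that is not code from the PR or its workflow: run the audit with `--json`, and treat an attempt as transient only when it produced no audit report at all. The example assumes npm 7 or newer, whose `npm audit --json` emits a report object containing an `auditReportVersion` key whenever the registry answered, so a non-zero exit alongside that key can only mean findings at or above `--audit-level`. The function names `classify_audit` and `run_audit_with_retry` are the example's own, and the self-check uses constructed fake audit commands rather than a real registry. `pip-audit` is not covered; it would need an analogous "a report was produced" marker from its own output.

```shell
# Added example (not from the PR): retry `npm audit` only on transient
# failures, never on genuine vulnerability findings.
#
# Assumption (npm >= 7): `npm audit --json` prints a report object with an
# "auditReportVersion" key whenever the registry answered. When the request
# itself failed, npm prints an error instead and no such key appears.
set -u

# classify_audit <exit_code> <output_file>
#   Prints one of: clean | vulnerable | transient
classify_audit() {
  local rc="$1" out="$2"
  if grep -q '"auditReportVersion"' "$out"; then
    # Registry answered, so the exit status reflects findings at/above --audit-level.
    if [ "$rc" -eq 0 ]; then echo clean; else echo vulnerable; fi
  else
    # No report produced: network, registry or tool error, safe to retry.
    echo transient
  fi
}

# run_audit_with_retry <max_attempts> <sleep_seconds> <cmd...>
#   Runs the audit command, retrying only transient failures.
#   Returns 0 on clean, 1 on vulnerabilities, 2 if no report after all attempts.
run_audit_with_retry() {
  local max="$1" pause="$2"; shift 2
  local out attempt rc verdict
  out="$(mktemp)"
  for attempt in $(seq 1 "$max"); do
    # Capture stdout and stderr so the final error, if any, is visible to the reader.
    if "$@" >"$out" 2>&1; then rc=0; else rc=$?; fi
    verdict="$(classify_audit "$rc" "$out")"
    case "$verdict" in
      clean)
        rm -f "$out"; return 0 ;;
      vulnerable)
        echo "::error::npm audit reported vulnerabilities on attempt $attempt; not retrying"
        cat "$out"; rm -f "$out"; return 1 ;;
      transient)
        echo "::warning::npm audit attempt $attempt produced no report; retrying in ${pause}s"
        tail -n 5 "$out"
        sleep "$pause" ;;
    esac
  done
  echo "::error::npm audit produced no report after $max attempts"
  cat "$out"; rm -f "$out"; return 2
}

# Workflow usage (needs npm and network access; not run here):
#   run_audit_with_retry 3 15 npm audit --omit=dev --audit-level=moderate --json
```

In the workflow step the loop body becomes a single `run_audit_with_retry 3 15 npm audit --omit=dev --audit-level=moderate --json` call, so a real finding fails the job on the first attempt with the audit's own report, and only attempts that produced no report at all consume the 15-second sleeps.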
Greptile Summary
This PR extracts the `pip-audit` and `npm audit` steps from the required `lint` job into a new standalone `dependency-audit` job, and wraps each audit command in a 3-attempt retry loop to absorb transient registry timeouts. The intent is to prevent a flaky network call from blocking the lint gate and therefore the downstream test jobs.
The `dependency-audit` job is correctly decoupled from `lint` and from all test jobs, so a registry outage can no longer cascade into a CI blockage.
Confidence Score: 4/5
Safe to merge — the change correctly isolates flaky network calls from the required lint gate, and the overall CI flow remains sound.
The restructuring is straightforward and achieves its goal. The retry loops treat a real vulnerability finding the same as a network error, causing redundant retries and a misleading failure message, but the job still fails correctly when a CVE is present.
The retry logic in the dependency-audit job steps (lines 82-111) is worth a second look regarding how failures are surfaced to the team.
Reviews (1): Last reviewed commit: "ci: move flaky dependency audits out of ..."