chore(audit): scope osv-scanner to production dependencies

[WomB0ComB0]

Restores a green local/CI Audit gate. osv-scanner (no severity threshold) was failing on 31 dev/build-tooling advisories (Storybook/markdownlint/posthog dev chains). Verified via bun why + manifest scan that none of the 9 packages is a runtime dependencies of any published @resq-sw/* package, so none reaches consumers. Adds osv-scanner.toml PackageOverrides aligning OSV with the production-only posture the npm audit pass already has. Full resq audit now exits 0.

[coderabbitai]

Warning

Review limit reached

@WomB0ComB0, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 14 minutes and 6 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f541aebc-9cd9-4b7e-97ce-44327ae5d785

📥 Commits

Reviewing files that changed from the base of the PR and between e6e7c1b and d3fc0b0.

📒 Files selected for processing (1)

• osv-scanner.toml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/osv-scanner-scope-audit

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces an osv-scanner.toml configuration file to ignore several packages deemed to be dev-only or build-tooling transitive dependencies. However, the review feedback highlights two critical security concerns: first, ignoring entire packages globally by name using ignore = true poses a risk as it silences future vulnerabilities, so ignoring specific vulnerability IDs is recommended instead; second, the assumption that dompurify is dev-only is incorrect, as it is pulled in as a peer dependency via posthog-js in @resq-sw/analytics and runs in production, meaning ignoring it could expose consumers to unmonitored security risks.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

Ignoring entire packages globally by name using ignore = true in PackageOverrides introduces a significant security risk.

Risks:

1. Unmonitored Future Vulnerabilities: Any new vulnerabilities (including critical RCEs or prototype pollutions) discovered in these packages in the future will be silently ignored and never reported.
2. Production Promotion: If any of these packages (e.g., ws, js-yaml, or vite) are later added as direct or transitive production dependencies in any package or application within the monorepo, they will remain completely unmonitored.

Recommended Alternative:

Instead of ignoring the entire package, ignore only the specific vulnerability IDs (e.g., GHSA-... or CVE-...) currently affecting your dev dependencies using the [[Ignore]] block. This ensures that any new vulnerabilities in these packages will still be flagged.

[[Ignore]]
id = "GHSA-xxxx-xxxx-xxxx"
reason = "dev-only: pulled transitively by @storybook/nextjs-vite"

[gemini-code-assist]

The assumption that dompurify is "dev-only" and "not shipped" is incorrect.

posthog-js is listed as a peerDependency in packages/analytics/package.json. When consumers use @resq-sw/analytics and install posthog-js, dompurify is pulled into their production runtime environment.

Since dompurify is used for HTML sanitization, vulnerabilities in it (such as XSS bypasses) directly impact the security of the applications consuming your library. Ignoring dompurify entirely prevents you from being alerted to critical security vulnerabilities that your consumers will run in production.