chore(audit): scope osv-scanner to production dependencies #127
+73
−0
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| # Copyright 2026 ResQ Software | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
| # | ||
| # OSV-Scanner configuration — scopes the commit/CI audit gate to what actually | ||
| # ships to consumers. | ||
| # | ||
| # Every package ignored below is a DEV / BUILD-tooling transitive dependency | ||
| # (Storybook → next/vite/esbuild/ws/@babel/core/markdown-it, markdownlint-cli → | ||
| # js-yaml/brace-expansion, posthog-js dev chain → dompurify). None is a runtime | ||
| # `dependencies` entry of any published `@resq-sw/*` package, so these advisories | ||
| # cannot reach consumers of the libraries. | ||
| # | ||
| # Verified 2026-06-13 via `bun why <pkg>` + a scan of every packages/*/package.json | ||
| # `dependencies` block (not devDependencies). The npm audit-ci pass (level=critical) | ||
| # already passes; this file brings the OSV pass in line with the same "production | ||
| # dependencies only" posture. | ||
| # | ||
| # Review periodically: when Storybook / the dev toolchain is upgraded, prune any | ||
| # entry whose advisories no longer appear so real future issues aren't masked. | ||
|
|
||
| [[PackageOverrides]] | ||
| name = "next" | ||
| ecosystem = "npm" | ||
| ignore = true | ||
| reason = "dev-only: pulled transitively by @storybook/nextjs-vite; not a runtime dep of any published package" | ||
|
|
||
| [[PackageOverrides]] | ||
| name = "vite" | ||
| ecosystem = "npm" | ||
| ignore = true | ||
| reason = "dev-only: Storybook / example-react-dashboard build tooling; not shipped" | ||
|
|
||
| [[PackageOverrides]] | ||
| name = "esbuild" | ||
| ecosystem = "npm" | ||
| ignore = true | ||
| reason = "dev-only: Storybook + vite build tooling; not shipped" | ||
|
|
||
| [[PackageOverrides]] | ||
| name = "ws" | ||
| ecosystem = "npm" | ||
| ignore = true | ||
| reason = "dev-only: storybook + @effect/platform-bun dev chain; not a runtime dep of any published package" | ||
|
|
||
| [[PackageOverrides]] | ||
| name = "@babel/core" | ||
| ecosystem = "npm" | ||
| ignore = true | ||
| reason = "dev-only: Storybook (@storybook/react, nextjs-vite) build tooling; not shipped" | ||
|
|
||
| [[PackageOverrides]] | ||
| name = "js-yaml" | ||
| ecosystem = "npm" | ||
| ignore = true | ||
| reason = "dev-only: markdownlint-cli + @changesets/cli tooling; not shipped" | ||
|
|
||
| [[PackageOverrides]] | ||
| name = "markdown-it" | ||
| ecosystem = "npm" | ||
| ignore = true | ||
| reason = "dev-only: Storybook docs tooling; not shipped" | ||
|
|
||
| [[PackageOverrides]] | ||
| name = "brace-expansion" | ||
| ecosystem = "npm" | ||
| ignore = true | ||
| reason = "dev-only: markdownlint-cli + @storybook/nextjs-vite tooling; not shipped" | ||
|
|
||
| [[PackageOverrides]] | ||
| name = "dompurify" | ||
| ecosystem = "npm" | ||
| ignore = true | ||
| reason = "dev-only: pulled by posthog-js, a devDependency / optional peer of @resq-sw/analytics; not a runtime dep of any published package" | ||
|
Comment on lines
+70
to
+73
There was a problem hiding this comment.
The assumption that
Since |
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ignoring entire packages globally by name using
ignore = trueinPackageOverridesintroduces a significant security risk.Risks:
ws,js-yaml, orvite) are later added as direct or transitive production dependencies in any package or application within the monorepo, they will remain completely unmonitored.Recommended Alternative:
Instead of ignoring the entire package, ignore only the specific vulnerability IDs (e.g.,
GHSA-...orCVE-...) currently affecting your dev dependencies using the[[Ignore]]block. This ensures that any new vulnerabilities in these packages will still be flagged.