fix(ci): remove broken npm self-install and remediate CVEs

[ryanbas21]

JIRA Ticket

N/A

Description

The publish-or-pr job used npm install npm@latest -g which fails on Node 22.22.2 due to missing promise-retry module. The setup action already handles this via corepack — these lines were redundant.

Also bumps effect (^3.20.0), vite (^7.3.2) catalogs and adds pnpm overrides for path-to-regexp (^8.4.0) and picomatch (^4.0.4/^2.3.2) to resolve Mend-flagged CVEs.

Summary by CodeRabbit

• Chores
  • Simplified CI/CD publishing workflow by removing npm version checks and enforced upgrade steps.
  • Added and adjusted dependency pins to stabilize package resolution (picomatch variants and undici).
  • Updated development tooling versions in the workspace catalog (effect and vite) for smoother local builds and consistency.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 13b0ee2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3278134c-5364-4959-bdfe-4caf2e4b7307

📥 Commits

Reviewing files that changed from the base of the PR and between 119386b and 13b0ee2.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• package.json

✅ Files skipped from review due to trivial changes (1)

• package.json

---

📝 Walkthrough

Walkthrough

Removed npm install/version-print steps from the publish workflow; added pnpm overrides for picomatch versions and kept undici pinned; bumped effect and vite versions in the pnpm workspace catalog.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow /.github/workflows/publish.yml	Removed steps that installed global npm and printed npm --version from the publish-or-pr job; flow now proceeds from setup directly to the changesets/action@v1 publish step.
Package Dependency Overrides package.json	Added pnpm.overrides entries pinning picomatch@>=4 → ^4.0.4 and picomatch@<3 → ^2.3.2; preserved existing undici@^7 → ^7.24.0.
Workspace Catalog Versions pnpm-workspace.yaml	Bumped workspace catalog versions: effect from ^3.19.0 → ^3.20.0 and vite from ^7.3.1 → ^7.3.2.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related issues

• @forgerock/pingone-scripts-0.0.0.tgz: 6 vulnerabilities (highest severity is: 7.5) #360: Addresses the same transitive dependency concerns by pinning picomatch and bumping effect/vite versions.

Possibly related PRs

• chore: fix-dependencies #548: Edits pnpm.overrides to pin undici@^7 to ^7.24.0 (dependency-management overlap).
• chore: update-npm-version-in-ci #497: Modifies the publish workflow’s npm install/version-check steps (directly related workflow changes).
• chore: update-publish #498: Also updates the publish workflow and how npm/pnpm are invoked during publishing.

Suggested reviewers

• cerebrl
• ancheetah

"I hopped through CI with a twitch and a grin,
removed a step, let the publish begin.
I nudged versions, pinned picomatch with care,
bumped vite and effect — a tidy affair.
🐇✨"

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main changes: removing the broken npm self-install step from CI and addressing CVEs through dependency updates and overrides.
Description check	✅ Passed	The description covers the key changes (npm removal reason, dependency bumps, CVE remediation) but lacks explicit confirmation of changeset addition as requested by the template.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-ci-again

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 13b0ee2

Command	Status	Duration	Result
nx run-many -t build --no-agents	✅ Succeeded	<1s	View ↗
nx affected -t build lint test typecheck e2e-ci	✅ Succeeded	59s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-04-10 14:37:08 UTC

[coderabbitai]

🧹 Nitpick comments (1)

package.json (1)

136-138: Consider scoping overrides to target major versions explicitly as a preventive best practice.

The overrides on lines 136–138 use broad selectors (path-to-regexp globally, and picomatch@<3) that could unintentionally force major version jumps for older API requesters. Current lockfile inspection shows all active requests align with the specified overrides (path-to-regexp major 8, picomatch majors 2–4), so there is no immediate breakage. However, to guard against future transitive dependency additions that might request older major versions, prefer explicitly scoped selectors:

Suggested approach

   "pnpm": {
     "overrides": {
       "rollup": "^4.59.0",
       "undici@^7": "^7.24.0",
-      "path-to-regexp": "^8.4.0",
+      "path-to-regexp@^8": "^8.4.0",
       "picomatch@>=4": "^4.0.4",
-      "picomatch@<3": "^2.3.2"
+      "picomatch@^2": "^2.3.2"
     }
   }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 136 - 138, The overrides in package.json use broad
selectors ("path-to-regexp", "picomatch@>=4", "picomatch@<3") which can
accidentally match future major-version requests; narrow them to explicit
major-range selectors to avoid forcing larger major bumps—for example change the
override key "path-to-regexp" to "path-to-regexp@^8" and split the picomatch
entries into explicit major targets like "picomatch@^4" and "picomatch@^2" (or
other specific major ranges you intend) so only those major versions are
overridden rather than any future older/newer majors.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@package.json`:
- Around line 136-138: The overrides in package.json use broad selectors
("path-to-regexp", "picomatch@>=4", "picomatch@<3") which can accidentally match
future major-version requests; narrow them to explicit major-range selectors to
avoid forcing larger major bumps—for example change the override key
"path-to-regexp" to "path-to-regexp@^8" and split the picomatch entries into
explicit major targets like "picomatch@^4" and "picomatch@^2" (or other specific
major ranges you intend) so only those major versions are overridden rather than
any future older/newer majors.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ea32ffae-3db7-4af1-8fac-aefdd779190a

📥 Commits

Reviewing files that changed from the base of the PR and between 037b012 and 119386b.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (3)

• .github/workflows/publish.yml
• package.json
• pnpm-workspace.yaml

💤 Files with no reviewable changes (1)

• .github/workflows/publish.yml

[nx-cloud]

Important

At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.

Nx Cloud has identified a possible root cause for your failed CI:

This CI failure appears to be related to the environment or external dependencies rather than your code changes.

No code changes were suggested for this issue.

Trigger a rerun:

View detailed reasoning on Nx Cloud ↗

_{🎓 Learn more about Self-Healing CI on nx.dev}

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 14.89%. Comparing base (5d6747a) to head (13b0ee2).
⚠️ Report is 19 commits behind head on main.

❌ Your project status has failed because the head coverage (14.89%) is below the target coverage (40.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #567       +/-   ##
===========================================
- Coverage   70.90%   14.89%   -56.02%     
===========================================
  Files          53      153      +100     
  Lines        2021    26299    +24278     
  Branches      377     1067      +690     
===========================================
+ Hits         1433     3916     +2483     
- Misses        588    22383    +21795     

see 101 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[pkg-pr-new]

Open in StackBlitz

@forgerock/davinci-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/davinci-client@567

@forgerock/device-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/device-client@567

@forgerock/journey-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/journey-client@567

@forgerock/oidc-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/oidc-client@567

@forgerock/protect

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/protect@567

@forgerock/sdk-types

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-types@567

@forgerock/sdk-utilities

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-utilities@567

@forgerock/iframe-manager

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/iframe-manager@567

@forgerock/sdk-logger

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-logger@567

@forgerock/sdk-oidc

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-oidc@567

@forgerock/sdk-request-middleware

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-request-middleware@567

@forgerock/storage

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/storage@567

commit: 13b0ee2

[github-actions]

Deployed c4df415 to https://ForgeRock.github.io/ping-javascript-sdk/pr-567/c4df4155d0066c8375f564c88ad9c32b6133773b branch gh-pages in ForgeRock/ping-javascript-sdk

[github-actions]

📦 Bundle Size Analysis

📦 Bundle Size Analysis

🚨 Significant Changes

🔻 @forgerock/device-client - 0.0 KB (-9.7 KB, -100.0%)
🔻 @forgerock/journey-client - 0.0 KB (-87.8 KB, -100.0%)
🔺 @forgerock/journey-client - 89.2 KB (+1.4 KB, +1.6%)

📊 Minor Changes

📉 @forgerock/device-client - 9.7 KB (-0.0 KB)
📈 @forgerock/davinci-client - 41.6 KB (+0.3 KB)

➖ No Changes

➖ @forgerock/oidc-client - 24.9 KB
➖ @forgerock/sdk-utilities - 11.2 KB
➖ @forgerock/sdk-types - 7.9 KB
➖ @forgerock/protect - 150.1 KB
➖ @forgerock/storage - 1.5 KB
➖ @forgerock/sdk-oidc - 4.8 KB
➖ @forgerock/sdk-request-middleware - 4.5 KB
➖ @forgerock/sdk-logger - 1.6 KB
➖ @forgerock/iframe-manager - 2.4 KB

---

14 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated

• Current Size: Total gzipped size of all files in the package's dist directory
• Baseline: Comparison against the latest build from the main branch
• Files included: All build outputs except source maps and TypeScript build cache
• Exclusions: .map, .tsbuildinfo, and .d.ts.map files

---

_{🔄 Updated automatically on each push to this PR}