
chore: add Dependabot and npm audit CI check #103

Open
kriscoleman wants to merge 1 commit into main from chore/vuln-automation

Conversation

@kriscoleman
Member

Summary

  • Adds .github/dependabot.yml to enable automated weekly npm dependency updates — all updates are grouped into a single Monday PR to reduce noise (matches the npm_and_yarn group pattern already used in this repo's commit history)
  • Adds an npm audit --audit-level=high step to ci.yml so any HIGH or CRITICAL severity vulnerability introduced by a future dependency change will fail CI before merging

Test plan

  • Dependabot appears under Settings → Code security → Dependabot after merging
  • CI audit step passes on the current clean dependency tree
  • A PR with a known HIGH vuln would fail the audit step

🤖 Generated with Claude Code

- Add .github/dependabot.yml to automate weekly npm dependency updates,
  grouped into a single PR per week to reduce noise
- Add npm audit step to ci.yml that fails on HIGH or CRITICAL severity
  vulnerabilities, catching regressions before they merge

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
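The two files the summary above describes, written out as an added example rather than the PR's own diff: a `dependabot.yml` with the weekly, Monday, single-group schedule and a `ci.yml` job that runs the audit step. The group name, schedule and `--audit-level=high` come from the description; the file paths, `directory`, job layout, action versions and Node version are assumptions.

```yaml
# .github/dependabot.yml  (assumed path; directory "/" is an assumption)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # One grouped PR per week: every npm update lands in a single PR
    # named after the npm_and_yarn group instead of one PR per package.
    groups:
      npm_and_yarn:
        patterns:
          - "*"

---
# .github/workflows/ci.yml  (assumed path, job name and action versions)
name: CI
on:
  pull_request:
  push:
    branches: [main]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"   # assumption; pin to the repo's real version
          cache: npm
      # npm audit reads package-lock.json, so install from the lockfile first.
      - run: npm ci
      # Exits non-zero only when a HIGH or CRITICAL advisory is present;
      # low and moderate findings are printed but do not fail the job.
      - run: npm audit --audit-level=high
```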
@kriscoleman
Member Author

merge after #102

@kriscoleman
Member Author

just needs a rebase and it should pass now
