feat(ci): audit NPM packages on PR (firecrawl#1947)

mogery · web-flow · commit 2b3b871f4854 · 2025-08-10T15:36:01.000+02:00
diff --git a/.github/workflows/npm-audit.yml b/.github/workflows/npm-audit.yml
@@ -0,0 +1,24 @@
+name: Audit NPM Packages
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+      - name: Audit NPM Packages
+        run: |
+          pnpm dlx audit-ci@^7 --directory apps/api --config apps/api/audit-ci.jsonc
+          pnpm dlx audit-ci@^7 --directory apps/playwright-service-ts --config apps/playwright-service-ts/audit-ci.jsonc
+          pnpm dlx audit-ci@^7 --directory apps/js-sdk --config apps/js-sdk/audit-ci.jsonc
+          pnpm dlx audit-ci@^7 --directory apps/js-sdk/firecrawl --config apps/js-sdk/firecrawl/audit-ci.jsonc
+          pnpm dlx audit-ci@^7 --directory apps/test-suite --config apps/test-suite/audit-ci.jsonc
+          pnpm dlx audit-ci@^7 --directory apps/ui/ingestion-ui --config apps/ui/ingestion-ui/audit-ci.jsonc
diff --git a/apps/api/audit-ci.jsonc b/apps/api/audit-ci.jsonc
@@ -0,0 +1,12 @@
+{
+    "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
+    "low": true,
+    "allowlist": [
+        {
+            "GHSA-3gc7-fjrx-p6mg|x402-express>@coinbase/cdp-sdk>@solana/spl-token>@solana/buffer-layout-utils>bigint-buffer": {
+                "active": true,
+                "notes": "Vulnerable code path is never called via the x402-express package."
+            }
+        }
+    ]
+}
diff --git a/apps/js-sdk/audit-ci.jsonc b/apps/js-sdk/audit-ci.jsonc
@@ -0,0 +1,4 @@
+{
+    "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
+    "low": true
+}
diff --git a/apps/js-sdk/firecrawl/audit-ci.jsonc b/apps/js-sdk/firecrawl/audit-ci.jsonc
@@ -0,0 +1,4 @@
+{
+    "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
+    "low": true
+}
diff --git a/apps/playwright-service-ts/audit-ci.jsonc b/apps/playwright-service-ts/audit-ci.jsonc
@@ -0,0 +1,4 @@
+{
+    "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
+    "low": true
+}
diff --git a/apps/test-suite/audit-ci.jsonc b/apps/test-suite/audit-ci.jsonc
@@ -0,0 +1,4 @@
+{
+    "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
+    "low": true
+}
diff --git a/apps/ui/ingestion-ui/audit-ci.jsonc b/apps/ui/ingestion-ui/audit-ci.jsonc
@@ -0,0 +1,4 @@
+{
+    "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
+    "low": true
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +{
 +    "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
 +    "low": true
 +}