Resolve high-severity npm vulnerabilities and enforce audit in CI #131

Merged
Copilot merged 4 commits from copilot/resolve-npm-audit-vulnerabilities into main 2026-02-15 21:11:56 -06:00
Copilot commented 2026-02-15 18:33:47 -06:00 (Migrated from github.com)

66 vulnerabilities across the dependency tree (29 high-severity) were not blocking CI due to continue-on-error: true on audit steps.

Changes

Dependency updates

  • Ran npm audit fix --legacy-peer-deps on root and web packages
  • Removed unused ipfs-http-client dependency (high-severity parse-duration CVE)

CI enforcement

  • Added npm audit --audit-level=high to main CI workflow (backend and web jobs)
  • Removed continue-on-error: true from secret-security workflow audit step
  • Changed audit level from moderate to high in security workflow

Results

  • 66 vulnerabilities (29 high) → 43 vulnerabilities (0 high)
  • Remaining moderate/low vulnerabilities are in dev dependencies only (Hardhat, Lighthouse CI)
  • CI now fails on any high-severity vulnerabilities
  • Dependabot already configured for ongoing monitoring

Example CI step

```yaml
- name: Security audit (high severity)
  run: npm audit --audit-level=high
```

Original prompt

This section details the original issue you should resolve

<issue_title>Resolve 66 npm audit vulnerabilities and enforce in CI</issue_title>
<issue_description>## Summary
npm audit reports 66 vulnerabilities across the dependency tree (27 low, 10 moderate, 29 high). The CI pipeline uses continue-on-error: true for the audit step, so these are never surfaced as failures.

Current State

27 low | 10 moderate | 29 high
66 vulnerabilities total

The CI workflow .github/workflows/ci.yml runs npm audit but with continue-on-error: true, meaning it never blocks merges.

Proposed Remediation

  1. Immediate: Run npm audit fix to resolve auto-fixable vulnerabilities
  2. Manual upgrades: Review and update dependencies with breaking changes
  3. CI enforcement: Change continue-on-error to false for npm audit --audit-level=high
  4. Ongoing: Enable Dependabot or Renovate for automated dependency updates

Acceptance Criteria

  • High-severity vulnerabilities resolved or have documented exceptions
  • npm audit --audit-level=high passes cleanly
  • CI blocks on new high-severity vulnerabilities
  • Automated dependency update bot configured</issue_description>

Comments on the Issue (you are @copilot in this section)


Fixes subculture-collective/internet-id#122
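To make the enforcement the PR describes concrete, here is an added example (not the project's own code) that applies the same `--audit-level=high` threshold to `npm audit --json` output and adds the "documented exceptions" allowlist the issue's acceptance criteria call for. The report below is a constructed sample shaped like npm 7+ audit JSON; the package names echo the PR but the advisory details are invented for illustration.

```python
"""Gate a CI job on `npm audit --json` output with a severity threshold
and an allowlist of documented exceptions (added example, not project code)."""
import json
import sys

# npm's severity ladder, lowest to highest; --audit-level picks a rung.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample report: one high-severity transitive advisory reached
# through ipfs-http-client and one moderate dev-only advisory.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "parse-duration": {"name": "parse-duration", "severity": "high",
                           "isDirect": False, "effects": ["ipfs-http-client"],
                           "fixAvailable": True},
        "hardhat": {"name": "hardhat", "severity": "moderate",
                    "isDirect": True, "effects": [], "fixAvailable": False},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 1, "critical": 0, "total": 2}},
})


def failing_advisories(report, audit_level="high", exceptions=()):
    """Names of advisories at or above audit_level, minus documented exceptions.
    An empty list means the build may proceed at that level."""
    threshold = SEVERITY_ORDER.index(audit_level)
    failing = []
    for name, adv in report["vulnerabilities"].items():
        too_severe = SEVERITY_ORDER.index(adv["severity"]) >= threshold
        if too_severe and name not in exceptions:
            failing.append(name)
    return sorted(failing)


def audit_passes(audit_json, audit_level="high", exceptions=()):
    """True when no un-excepted advisory reaches audit_level; this is the
    pass/fail decision `npm audit --audit-level=<level>` makes via exit code."""
    report = json.loads(audit_json)
    return not failing_advisories(report, audit_level, exceptions)


if __name__ == "__main__":
    # Usage in CI: npm audit --json | python audit_gate.py high [exception ...]
    level = sys.argv[1] if len(sys.argv) > 1 else "high"
    allowed = tuple(sys.argv[2:])
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_JSON
    sys.exit(0 if audit_passes(data, level, allowed) else 1)
```

With no exceptions the sample fails at `high` because of `parse-duration`, passes at `critical`, and fails at `moderate` because of `hardhat`, which mirrors why the PR kept only dev-only moderate findings below the gate.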
onnwee (Migrated from github.com) reviewed 2026-02-15 18:33:47 -06:00
copilot-pull-request-reviewer[bot] (Migrated from github.com) reviewed 2026-02-15 19:34:19 -06:00
copilot-pull-request-reviewer[bot] (Migrated from github.com) left a comment

Pull request overview

This PR addresses npm security vulnerabilities by updating dependencies and enforcing audit checks in CI. It resolves 29 high-severity vulnerabilities (reducing the total from 66 to 43 with 0 high-severity remaining) by running npm audit fix --legacy-peer-deps and removing the unused ipfs-http-client dependency.

Changes:

  • Removed unused ipfs-http-client dependency that had a high-severity parse-duration CVE
  • Updated multiple dependencies across root and web packages to resolve known vulnerabilities
  • Added npm audit --audit-level=high enforcement to CI workflows (backend and web jobs)
  • Changed security workflow audit from moderate to high level and removed continue-on-error: true

Reviewed changes

Copilot reviewed 3 out of 5 changed files in this pull request and generated no comments.

Summary per file

| File | Description |
| ---- | ----------- |
| package.json | Removed unused ipfs-http-client dependency |
| package-lock.json | Updated AWS SDK, Smithy, Hardhat, and other dependencies to resolve vulnerabilities |
| web/package-lock.json | Updated Next.js, Express, body-parser, and other web dependencies to patch vulnerabilities |
| .github/workflows/ci.yml | Added security audit step to both backend and web jobs |
| .github/workflows/secret-security.yml | Removed continue-on-error and changed audit level from moderate to high |

Files not reviewed (1)
  • web/package-lock.json: Language not supported



Reference: subculture-collective/internet-id#131