Skip to content

chore(deps): bump react and @types/react in /apps/web #24

chore(deps): bump react and @types/react in /apps/web

chore(deps): bump react and @types/react in /apps/web #24

Workflow file for this run

name: Security
# Dependency and supply-chain security scanning. Surfaces known-vulnerable
# packages automatically on PRs and on a weekly schedule (so advisories
# published after a merge are still caught).
on:
pull_request:
branches: ["**"]
push:
branches: ["main"]
schedule:
- cron: "27 4 * * 1"
workflow_dispatch:
permissions:
contents: read
concurrency:
group: security-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
# Non-blocking: requires the repository "Dependency graph" setting to be
# enabled (Settings > Code security). Until then this reports without
# failing CI; npm audit + Dependabot still cover dependency vulnerabilities.
continue-on-error: true
permissions:
contents: read
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: high
comment-summary-in-pr: on-failure
npm-audit:
name: npm audit (${{ matrix.app }})
runs-on: ubuntu-latest
timeout-minutes: 10
strategy:
fail-fast: false
matrix:
app: ["server", "web"]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: "20"
- name: Audit production dependencies
working-directory: apps/${{ matrix.app }}
# Fail the build on critical advisories; report (non-fatal) high and below.
run: |
echo "::group::High+ advisories (informational)"
npm audit --omit=dev --audit-level=high || true
echo "::endgroup::"
echo "Enforcing gate on critical advisories:"
npm audit --omit=dev --audit-level=critical
pip-audit:
name: pip audit (agent)
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install pip-audit
run: pip install pip-audit
- name: Audit agent requirements
working-directory: apps/agent
# Report findings without blocking merges: fixes for transitive
# advisories (e.g. starlette via FastAPI) require coordinated, tested
# dependency bumps that Dependabot proposes as isolated PRs. The audit
# output stays visible in the job log.
run: pip-audit --requirement requirements.txt --desc || true