chore(deps): bump react and @types/react in /apps/web #24
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| # Dependency and supply-chain security scanning. Surfaces known-vulnerable | |
| # packages automatically on PRs and on a weekly schedule (so advisories | |
| # published after a merge are still caught). | |
| on: | |
| pull_request: | |
| branches: ["**"] | |
| push: | |
| branches: ["main"] | |
| schedule: | |
| - cron: "27 4 * * 1" | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: security-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| dependency-review: | |
| name: Dependency Review | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' | |
| # Non-blocking: requires the repository "Dependency graph" setting to be | |
| # enabled (Settings > Code security). Until then this reports without | |
| # failing CI; npm audit + Dependabot still cover dependency vulnerabilities. | |
| continue-on-error: true | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@v4 | |
| with: | |
| fail-on-severity: high | |
| comment-summary-in-pr: on-failure | |
| npm-audit: | |
| name: npm audit (${{ matrix.app }}) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| app: ["server", "web"] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "20" | |
| - name: Audit production dependencies | |
| working-directory: apps/${{ matrix.app }} | |
| # Fail the build on critical advisories; report (non-fatal) high and below. | |
| run: | | |
| echo "::group::High+ advisories (informational)" | |
| npm audit --omit=dev --audit-level=high || true | |
| echo "::endgroup::" | |
| echo "Enforcing gate on critical advisories:" | |
| npm audit --omit=dev --audit-level=critical | |
| pip-audit: | |
| name: pip audit (agent) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Install pip-audit | |
| run: pip install pip-audit | |
| - name: Audit agent requirements | |
| working-directory: apps/agent | |
| # Report findings without blocking merges: fixes for transitive | |
| # advisories (e.g. starlette via FastAPI) require coordinated, tested | |
| # dependency bumps that Dependabot proposes as isolated PRs. The audit | |
| # output stays visible in the job log. | |
| run: pip-audit --requirement requirements.txt --desc || true |