ci(release): add high severity npm audit gate

iexitdev · iexitdev · commit 0e57b30b2469 · 2026-05-06T14:16:54.000-04:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -29,6 +29,9 @@ jobs:
       - name: Lint
         run: npm run lint
 
+      - name: Security audit
+        run: npm run security:audit
+
       - name: Typecheck
         run: npm run typecheck
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -88,6 +88,9 @@ jobs:
       - name: Package pack check
         run: npm run pack:check
 
+      - name: Security audit
+        run: npm run security:audit
+
       - name: Docs
         run: npm run docs:build
 
diff --git a/docs/release/known-issues.md b/docs/release/known-issues.md
@@ -18,6 +18,14 @@ Developer Preview package publishing is complete for `7.0.0-next.0`. `react-nati
 
 Impact: existing `react-native-chart-kit` users are protected. New adopters using `@chart-kit/react-native` should treat the scoped namespace as Developer Preview until a stable scoped release exists.
 
+## Security Audit
+
+`npm run security:audit` runs `npm audit --audit-level=high` and is wired into CI and the publish workflow. On May 6, 2026, the current `next` branch passed that high/critical audit gate. The open critical Dependabot alert reported during pushes targets the default-branch `expo <48` dependency path, not the current v2 preview branch; the active v2 showcase resolves Expo to patched major versions.
+
+The current `next` branch still has moderate npm audit findings through Expo CLI / `@expo/metro-config` / PostCSS. npm suggests a force downgrade path for `@expo/metro-config`, which is not appropriate for the Expo 54 showcase without a deliberate SDK compatibility review.
+
+Impact: high and critical npm vulnerabilities now block CI/publish for v2 work, but moderate Expo toolchain advisories remain tracked until an Expo-compatible upstream fix is available.
+
 ## Native E2E Coverage
 
 `npm run test:e2e` covers web showcase interaction flows through Playwright. It does not cover native iOS or Android runtime behavior.
diff --git a/package.json b/package.json
@@ -45,6 +45,7 @@
     "format": "prettier --write .",
     "format:check": "prettier --check .",
     "surface:check": "node scripts/verify-public-surface.mjs && node scripts/verify-package-boundaries.mjs && node scripts/verify-pro-preview-imports.mjs",
+    "security:audit": "npm audit --audit-level=high",
     "boundaries:check": "node scripts/verify-package-boundaries.mjs",
     "pack:check": "node scripts/check-package-packs.mjs",
     "test": "npm run typecheck && npm run test:unit && npm run test:compat",
diff --git a/scripts/release-gate-config.mjs b/scripts/release-gate-config.mjs
@@ -72,6 +72,7 @@ export const requiredScripts = [
   "example:expo",
   "docs:build",
   "surface:check",
+  "security:audit",
   "skia:parity",
   "native:release:dry-run",
   "native:release:android",
