
Commit 596febd

build(security): Phase 5 follow-ups — tighter pack trim + runtime audit gate
Two follow-ups identified in code review of the Phase 5 PR.

(1) Tighter `files:` allowlist.

The Phase 5.4 trim correctly dropped the top-level Rust crate at `deps/blake3/{src, b3sum, benches, ...}`, but missed dead files inside `deps/blake3/c/` itself:

- `blake3_c_rust_bindings/` (54 KB) — Cargo.toml, .rs files, build.rs, cross_test.sh. Rust subfolder embedded in the C amalgam dir.
- `*_x86-64_*.{S,asm}` (~1.0 MB) — x86 SIMD assembly variants. The podspec's `source_files` glob is `*.{h,c}` which never picks up `.S` or `.asm`, and Android CMakeLists explicitly enumerates only `blake3.c`, `blake3_dispatch.c`, `blake3_portable.c`, `blake3_neon.c`.
- `blake3_{avx2,avx512,sse2,sse41}.c` (~107 KB) — the .c versions of x86 SIMD that podspec's `exclude_files` already drops from compilation, but the npm pack still ships.
- `blake3_tbb.cpp`, `main.c`, `example.c`, `example_tbb.c` — example/main files explicitly in podspec `exclude_files`.
- `test.py`, `Makefile.testing`, `CMakeLists.txt`, `CMakePresets.json`, `blake3-config.cmake.in`, `libblake3.pc.in`, `dependencies/` — alternative-build-system scaffolding unused at consume-time.

Verified post-trim: all 6 BLAKE3 source files referenced by Android CMakeLists are present (blake3.{c,h}, blake3_dispatch.c, blake3_impl.h, blake3_neon.c, blake3_portable.c). Only the README is forced-included by npm's hardcoded "always ship README/LICENSE" rule.

`npm pack --dry-run` deltas:

| | Phase 5.4 | After | Δ |
| ----------- | --------- | ------ | ------ |
| Files | 1024 | 989 | −3.4% |
| Unpacked | 6.38 MB | 5.6 MB | −12% |
| Packed | 0.90 MB | 0.85 MB | −5% |

Cumulative vs. original:

| | Original | Now | Δ |
| ----------- | --------- | ------ | ------ |
| Files | 2133 | 989 | −54% |
| Unpacked | 18.66 MB | 5.6 MB | −70% |
| Packed | 4.55 MB | 0.85 MB | −81% |

(2) New CI job: `audit_runtime_deps` in `validate-js.yml`.

Locks in Phase 5.1's audit baseline ("zero advisories in the runtime tree") as an automated regression gate.
Workspace-level `bun audit --prod` walks through optional peer-dep tooling (expo, react-native, jest, etc.) which currently surfaces ~70 advisories that never reach a consumer's runtime bundle — making it useless as a CI gate. Instead, the new job creates a fresh package.json containing only the 6 runtime `dependencies:` of `react-native-quick-crypto` (`@craftzdog/react-native-buffer`, `events`, `readable-stream`, `safe-buffer`, `string_decoder`, `util`), runs `bun install` cold, and audits there with `--audit-level=high`. Verified locally: zero vulnerabilities, exit 0. Any future PR that adds a high+/critical runtime advisory will fail this check. Refs: Phase 5 review follow-up
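The hand check described in the commit message ("all 6 BLAKE3 source files referenced by Android CMakeLists are present") can be turned into a guard that fails a pack trim automatically. The POSIX shell script below is an added example; it is not part of this commit or of react-native-quick-crypto. The six required paths are taken from the commit message, the "trimmed" paths are a subset of the new negations, the two tarball listings are constructed samples, and the `npm pack --dry-run --json | jq -r '.[0].files[].path'` pipeline in the comment is the assumed way to obtain the real listing in CI.

```shell
# Added example (not from the commit): fail a pack trim when any source the
# Android CMakeLists needs is missing from the npm tarball, or when a file the
# allowlist is supposed to drop leaks back in. In CI the real listing would come
# from (assumed invocation):
#   npm pack --dry-run --json | jq -r '.[0].files[].path'
# Here constructed listings stand in for that output.

# The six BLAKE3 sources the commit message says Android CMakeLists references.
REQUIRED_BLAKE3_SOURCES="
deps/blake3/c/blake3.c
deps/blake3/c/blake3.h
deps/blake3/c/blake3_dispatch.c
deps/blake3/c/blake3_impl.h
deps/blake3/c/blake3_neon.c
deps/blake3/c/blake3_portable.c
"

# A subset of the paths the new `files:` negations are meant to exclude.
TRIMMED_BLAKE3_PATHS="
deps/blake3/c/blake3_avx2.c
deps/blake3/c/main.c
"

# check_required_sources FILE_LIST
#   FILE_LIST: newline-separated tarball paths.
#   Returns 0 when every required source is present and no trimmed path is
#   present; prints each offending path to stderr and returns 1 otherwise.
check_required_sources() {
  file_list="$1"
  status=0
  for required in $REQUIRED_BLAKE3_SOURCES; do
    if ! printf '%s\n' "$file_list" | grep -qxF -- "$required"; then
      echo "MISSING required source: $required" >&2
      status=1
    fi
  done
  for trimmed in $TRIMMED_BLAKE3_PATHS; do
    if printf '%s\n' "$file_list" | grep -qxF -- "$trimmed"; then
      echo "LEAKED trimmed file: $trimmed" >&2
      status=1
    fi
  done
  return $status
}

# Constructed sample: a healthy post-trim tarball listing.
GOOD_PACK="deps/blake3/c/blake3.c
deps/blake3/c/blake3.h
deps/blake3/c/blake3_dispatch.c
deps/blake3/c/blake3_impl.h
deps/blake3/c/blake3_neon.c
deps/blake3/c/blake3_portable.c
deps/blake3/c/README.md
package.json"

# Constructed sample: a hypothetical over-broad negation removed
# blake3_dispatch.c and blake3_portable.c, and blake3_avx2.c crept back in.
BAD_PACK="deps/blake3/c/blake3.c
deps/blake3/c/blake3.h
deps/blake3/c/blake3_impl.h
deps/blake3/c/blake3_neon.c
deps/blake3/c/blake3_avx2.c
package.json"

# Demo run on the constructed samples.
check_required_sources "$GOOD_PACK" && echo "good pack: OK"
check_required_sources "$BAD_PACK" || echo "bad pack: rejected"
```

Wiring this in as a CI step right after `npm pack --dry-run --json` makes the allowlist self-checking: a future pattern that is broader than intended fails the PR instead of breaking consumers' Android builds at install time.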
1 parent 155c1c1 commit 596febd

2 files changed

Lines changed: 40 additions & 1 deletion


.github/workflows/validate-js.yml

Lines changed: 21 additions & 0 deletions
@@ -70,6 +70,27 @@ jobs:
7070
cd packages/react-native-quick-crypto
7171
bun circular
7272
73+
audit_runtime_deps:
74+
name: Audit runtime deps (bun audit)
75+
runs-on: ubuntu-latest
76+
steps:
77+
- uses: actions/checkout@v5
78+
79+
- uses: ./.github/actions/setup-bun
80+
81+
# Audits only the 6 runtime `dependencies:` of the published package, not the
82+
# workspace's dev/peer tooling. Workspace-level `bun audit` walks through optional
83+
# peers (expo, react-native, etc.) which surface ~70 advisories that never reach a
84+
# consumer's runtime bundle. Phase 5.1 baseline: zero advisories in the runtime tree.
85+
- name: Audit runtime dependencies
86+
run: |
87+
mkdir -p /tmp/rnqc-runtime-audit
88+
cd /tmp/rnqc-runtime-audit
89+
bun -e "const pkg=require('$GITHUB_WORKSPACE/packages/react-native-quick-crypto/package.json'); require('fs').writeFileSync('package.json', JSON.stringify({name:'rnqc-runtime-audit',version:'0.0.0',dependencies:pkg.dependencies},null,2));"
90+
cat package.json
91+
bun install --no-summary
92+
bun audit --audit-level=high
93+
7394
lint_js:
7495
name: JS Lint (eslint, prettier)
7596
runs-on: ubuntu-latest
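Review bot: the `bun -e` line that writes the temporary package.json passes `dependencies:pkg.dependencies` through unchecked, so if that field is ever absent or its entries migrate to `peerDependencies`, the generated manifest has no dependencies, `bun install` installs nothing, and `bun audit --audit-level=high` passes trivially; the gate would then degrade to a no-op without any signal. Add a guard before the audit that fails when the dependency count is zero (or differs from the 6 the step comment promises), for example a second `bun -e` that exits non-zero if `Object.keys(require('./package.json').dependencies || {}).length === 0`. One caveat worth stating in the step comment: because `/tmp/rnqc-runtime-audit` has no lockfile, `bun install --no-summary` resolves the newest versions allowed by the ranges, not the versions pinned in the workspace lockfile, so this audits what a consumer installs today rather than what the repo's own tests ran against; that matches the stated intent, but saying so prevents a later "fix" that copies the lockfile in and narrows the check.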

packages/react-native-quick-crypto/package.json

Lines changed: 19 additions & 1 deletion
@@ -54,7 +54,25 @@
5454
"!**/__mocks__",
5555
"!**/*.tsbuildinfo",
5656
"!ios/libsodium-stable",
57-
"!deps/simdutf/src/CMakeLists.txt"
57+
"!deps/simdutf/src/CMakeLists.txt",
58+
"!deps/blake3/c/blake3_c_rust_bindings",
59+
"!deps/blake3/c/dependencies",
60+
"!deps/blake3/c/*_x86-64_*.S",
61+
"!deps/blake3/c/*_x86-64_*.asm",
62+
"!deps/blake3/c/blake3_avx2.c",
63+
"!deps/blake3/c/blake3_avx512.c",
64+
"!deps/blake3/c/blake3_sse2.c",
65+
"!deps/blake3/c/blake3_sse41.c",
66+
"!deps/blake3/c/blake3_tbb.cpp",
67+
"!deps/blake3/c/main.c",
68+
"!deps/blake3/c/example.c",
69+
"!deps/blake3/c/example_tbb.c",
70+
"!deps/blake3/c/test.py",
71+
"!deps/blake3/c/Makefile.testing",
72+
"!deps/blake3/c/CMakeLists.txt",
73+
"!deps/blake3/c/CMakePresets.json",
74+
"!deps/blake3/c/blake3-config.cmake.in",
75+
"!deps/blake3/c/libblake3.pc.in"
5876
],
5977
"keywords": [
6078
"react-native",
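Review bot: the new negations (`"!deps/blake3/c/*_x86-64_*.S"` through `"!deps/blake3/c/libblake3.pc.in"`) remove files by exact name and by glob, but nothing in the repo asserts that the six sources the Android CMakeLists needs (`blake3.c`, `blake3.h`, `blake3_dispatch.c`, `blake3_impl.h`, `blake3_neon.c`, `blake3_portable.c`) survive the trim; the commit message says this was verified by hand, and a later, broader pattern such as `!deps/blake3/c/*.c` would only surface as a broken Android build on the consumer side. Suggest pairing this allowlist with a CI step that runs `npm pack --dry-run --json` and fails if any of those six paths is missing (the same step can assert that `blake3_avx2.c` and the other SIMD `.c` files stay out). Dropping the SIMD `.c` and `.S`/`.asm` files is low risk for the build itself, since per the commit message the podspec's `exclude_files` and the Android CMakeLists already left them uncompiled; the remaining risk is entirely in the allowlist drifting, which is what the check would catch.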
