Summary
The CI pipeline (.github/workflows/test.yml) runs lint and unit tests but does not include any dependency vulnerability scanning. With 80+ direct dependencies including security-sensitive packages (Web3, Capacitor plugins, crypto libraries), undetected vulnerable dependencies pose a significant supply chain risk.
Evidence
- .github/workflows/test.yml only runs npm run lint and npm run test.ci
- No npm audit, Snyk, or Dependabot security scanning step was found in any workflow
- Major version drift in pending updates: zone.js (0.11→0.15), typescript (4.7→5.7), swiper (8→11)
Impact
- Vulnerable dependencies may ship to production undetected
- Stale Dependabot PRs accumulate, increasing the effort to catch up
- Major version dependency drift increases the risk of breaking changes when finally updated
Suggested Approach
- Add an npm audit --audit-level=high step to the test workflow:

      - name: Security audit
        run: npm audit --audit-level=high --omit=dev
- Configure Dependabot auto-merge for patch updates via .github/dependabot.yml
- Consider adding a scheduled weekly security scan workflow
- Prioritize reviewing the 8 pending Dependabot PRs, especially the major version bumps
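As an added example (not the repository's own workflow), here is a complete workflow that runs the suggested audit step on every push and pull request and also as the weekly scheduled scan; the Node version, the npm ci setup step, and the cron time are assumptions.

```yaml
# Added example, not the repository's existing test.yml.
# Assumes a Node project with a package-lock.json; Node 20 is an assumption.
name: Security audit

on:
  push:
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # weekly, Monday 06:00 UTC (assumed schedule)
  workflow_dispatch:

permissions:
  contents: read          # least privilege: the job only reads the repo

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      # --ignore-scripts keeps dependency install hooks from running in CI
      - run: npm ci --ignore-scripts
      # Fails the job on any high or critical advisory in production
      # dependencies; dev-only dependencies are excluded by --omit=dev.
      - name: Security audit
        run: npm audit --audit-level=high --omit=dev
```

Because --omit=dev skips devDependencies, advisories in build-time tooling will not fail this job; drop that flag if those should block merges too.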
Related
Generated by Health Monitor with Omni