Problem
Issue #244 documented 55 vulnerabilities (1 critical, 27 high) in the
react-frontend. PR #277 addresses the current set, but without a CI
enforcement gate, new vulnerabilities will silently accumulate again
with future dependency updates.
Proposed Solution
Add npm audit --audit-level=high as a required GitHub Actions step
on all PRs that touch the react-frontend/ directory. This ensures
no PR introducing a high or critical severity vulnerability can be
merged without explicit review.
Implementation Plan
- Add a new job (or step) in
.github/workflows/ scoped to
react-frontend/ path changes
- Run
npm audit --audit-level=high after npm ci
- Fail the check if high or critical vulnerabilities are found
- Document the audit policy in
docs/Contribute.md
Why This Matters
Fixing vulnerabilities reactively is not sustainable. This change
makes security a first-class part of the PR review process for the
React frontend.
Relates to: #244, #277
Happy to guide anyone who picks this up.
Problem
Issue #244 documented 55 vulnerabilities (1 critical, 27 high) in the
react-frontend. PR #277 addresses the current set, but without a CI
enforcement gate, new vulnerabilities will silently accumulate again
with future dependency updates.
Proposed Solution
Add
npm audit --audit-level=highas a required GitHub Actions stepon all PRs that touch the
react-frontend/directory. This ensuresno PR introducing a high or critical severity vulnerability can be
merged without explicit review.
Implementation Plan
.github/workflows/scoped toreact-frontend/path changesnpm audit --audit-level=highafternpm cidocs/Contribute.mdWhy This Matters
Fixing vulnerabilities reactively is not sustainable. This change
makes security a first-class part of the PR review process for the
React frontend.
Relates to: #244, #277
Happy to guide anyone who picks this up.