Skip to content

Add npm audit CI check to prevent future security vulnerabilities in react-frontend #285

Description

@vmuralictr

Problem

Issue #244 documented 55 vulnerabilities (1 critical, 27 high) in the
react-frontend. PR #277 addresses the current set, but without a CI
enforcement gate, new vulnerabilities will silently accumulate again
with future dependency updates.

Proposed Solution

Add npm audit --audit-level=high as a required GitHub Actions step
on all PRs that touch the react-frontend/ directory. This ensures
no PR introducing a high or critical severity vulnerability can be
merged without explicit review.

Implementation Plan

  • Add a new job (or step) in .github/workflows/ scoped to
    react-frontend/ path changes
  • Run npm audit --audit-level=high after npm ci
  • Fail the check if high or critical vulnerabilities are found
  • Document the audit policy in docs/Contribute.md

Why This Matters

Fixing vulnerabilities reactively is not sustainable. This change
makes security a first-class part of the PR review process for the
React frontend.

Relates to: #244, #277
Happy to guide anyone who picks this up.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions