You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
## Summary
Adds free GitHub security scanning to the pipeline and upgrades the
runtime to Node 24. Releases as **v2.5.2**.
### Security scanning (new)
- **`npm audit`** — added to `functional-tests.yml` after `npm ci`.
Blocks the `test` check on HIGH or CRITICAL CVEs using the npm advisory
database.
- **OSV Scanner** (`google/osv-scanner-action@v2.3.3`) — added to
`functional-tests.yml` after `npm audit`. Scans all `package-lock.json`
files recursively against the OSV/NIST database — the same source Trivy
uses for npm packages — so vulnerabilities are caught at the fast test
stage rather than waiting for the full Docker build and image scan.
- **Dependabot** — new `.github/dependabot.yml`. Daily checks for npm
packages across all three package roots (`/`, `/packages/core`,
`/packages/stdio`) and all GitHub Actions versions. Security alerts are
real-time regardless of schedule.
- **Trivy image scanning** — added to `docker-publish.yml` in two
places:
- Inside `pre-merge-cd-check` (PR gate): scans `:pr-{n}-amd64`;
CRITICAL+HIGH reported to Security tab via SARIF; CRITICAL with a fix
available blocks the PR.
- New `scan` job between `verify` and `merge` (post-merge gate): scans
`:latest-amd64` before manifest tags and git tag are created; CRITICAL
blocks the release.
- **CodeQL** — new `.github/workflows/codeql.yml`. Semantic TypeScript
analysis (`language: javascript`, `build-mode: none`). Runs on PRs, push
to main, and weekly.
### Bug fix: Trivy env-var pollution
`trivy-action` exports `TRIVY_FORMAT` and `TRIVY_OUTPUT` into
`$GITHUB_ENV`. When the blocking step specifies `format: table` (the
action default), the action skips overwriting those vars, so the SARIF
step values bleed in — causing the blocking step to run in SARIF mode
and fail on HIGH findings instead of CRITICAL only.
**Fix:** replaced both "Fail on CRITICAL" `trivy-action` steps with
plain `run:` steps invoking the `trivy` binary directly. CLI flags
always override environment variables.
### Node 24 upgrade
- Docker base image upgraded from `node:20-alpine` to `node:24-alpine`.
Node 20 reaches EOL April 2026; Node 24 has been Active LTS since
October 2025. Node 24 ships with npm 11 which has updated bundled
dependencies, resolving the HIGH CVEs Trivy was detecting in the Docker
image (`tar`, `glob`, `minimatch`, `cross-spawn`).
- CI `node-version` updated from `20` to `24` to match.
### Dependency fixes
- **HIGH** (npm audit fix): patched `@modelcontextprotocol/sdk`
(GHSA-345p-7cg4-v4c7) and `rollup` (GHSA-mw96-cpmx-2vgc).
- **MODERATE** (OSV Scanner / npm audit fix --force): upgraded `vitest`
`3.x` → `4.x` to resolve the `esbuild`/`vite`/`vitest` chain
(GHSA-67mh-4wv8-2f99). Build and type-check pass cleanly on vitest v4.
- `ignore-unfixed: true` on all Trivy steps — OS-level Alpine CVEs with
no patch available do not block the pipeline.
## Post-merge: GitHub Settings to enable
- **Branch protection → required checks:** Add `CodeQL` to required
status checks
- **Security → Secret scanning → Push protection:** Enable to reject
pushes containing detected secrets at the server level (free for public
repos, no workflow change needed)
## Test plan
- [x] `npm audit` passes — 0 vulnerabilities
- [x] OSV Scanner passes — 0 vulnerabilities after vitest v4 upgrade
- [x] Trivy blocking step uses `run:` to avoid env-var pollution
- [x] `pre-merge-cd-check` Trivy SARIF uploaded to Security tab
- [x] CodeQL analysis passes
- [x] Build and type-check clean on Node 24 / vitest v4
- [ ] After merge: `scan` job runs between `verify` and `merge`
- [ ] After merge: v2.5.2 Docker tags published correctly
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Paradoxbound <paradoxbound@paradoxbound.org>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
0 commit comments