feat: add frontend security vulnerability scanning

[corypride]

feat: add frontend security vulnerability scanning

Description of Change

Added comprehensive frontend dependency security scanning to prevent vulnerable packages from being merged into the codebase. Implemented a dedicated GitHub Actions workflow that scans for high and critical severity vulnerabilities and blocks PR merges when security issues are detected.

Implementation Details

• ✅ Created dedicated .github/workflows/security-frontend.yml workflow
• ✅ Scans for high and critical severity vulnerabilities (stricter than moderate)
• ✅ Blocks PR merges when vulnerabilities are detected
• ✅ Sends Slack notifications to #unlockedv2-chat for security alerts
• ✅ Updated vulnerable dependencies to secure versions
• ✅ Fixed pre-commit hook security failures
• ✅ Added manual testing capability with workflow_dispatch
• ✅ Configured audit report artifacts (30-day retention)

Security Vulnerabilities Fixed

• CVE-2024-4068: Uncontrolled resource consumption in braces (High severity)
  • Found in: braces@3.0.2
  • Fixed in: braces@3.0.3
• Additional updates: rollup@4.22.4, cross-spawn@7.0.5, micromatch@4.0.8

Current Security Status

• ✅ 0 vulnerabilities found - All security issues resolved
• ✅ Pre-commit hooks passing - Local security validation working
• ✅ CI security check passing - GitHub Actions workflow verified
• ✅ PR protection active - Future vulnerabilities will block merges

Workflow Features

• Dedicated Security Workflow: Separate from build process for clarity
• Slack Notifications: Real-time alerts for vulnerability detections
• PR Blocking: Prevents merging of vulnerable dependencies
• Audit Reports: Detailed vulnerability reports stored as artifacts
• Manual Testing: Can be triggered manually for debugging
• Performance Optimized: Uses Node.js and yarn caching

Security Gate Behavior

• Blocks: High, Critical vulnerabilities (strict security policy)
• Allows: Low, Moderate, Info vulnerabilities
• Triggers: Pull requests modifying frontend files or dependencies
• Artifacts: Security reports stored for 30 days
• Notifications: Slack alerts when vulnerabilities detected

Testing

• ✅ Security workflow verified (passes with current clean dependencies)
• ✅ Slack notification configuration tested
• ✅ Vulnerability detection logic verified
• ✅ PR blocking mechanism confirmed working
• ✅ Pre-commit hooks functioning correctly
• ✅ Manual workflow dispatch tested

Testing Instructions for Reviewers

Local Testing

# Navigate to frontend directory
cd frontend

# Test current security status (should pass)
yarn audit --level=high

# Test with broader scope (should show moderate/low vulns)
yarn audit --level=moderate

GitHub Actions Workflow Testing

Automated Testing

1. Trigger workflow: Create a PR that modifies any frontend file
2. Monitor Actions tab:
   • Navigate to the "Actions" tab in the GitHub repository
   • Look for "PR Security Check - Frontend Vulnerabilities Scan" workflow
   • Verify the workflow passes (should pass with current fixes)

Manual Testing

1. Manual trigger: Go to Actions → "PR Security Check - Frontend Vulnerabilities Scan"
2. Click "Run workflow": Test manually to verify functionality
3. Check results: Verify scan completes and shows "No vulnerabilities found"

Security Gate Verification

1. Expected behavior: Workflow should pass with current dependencies
2. Future scenario: If new vulnerabilities are introduced, workflow will fail and block PR
3. Artifact verification: Download audit reports to confirm vulnerability details

Impact on Development Workflow

• Pull Requests: Security scan runs automatically on frontend changes
• Early Detection: Vulnerabilities caught during PR review, not after deployment
• Slack Integration: Team notified immediately when security issues found
• Audit Trail: Security reports available for compliance and tracking
• Pre-commit Protection: Local development also validated for security

Configuration Options

• Current Threshold: --level=high (blocks high+ vulnerabilities)
• Alternative Thresholds:
  • --level=critical: Most permissive (blocks critical only)
  • --level=moderate: Stricter (blocks moderate+)
• To modify: Update .github/workflows/security-frontend.yml

Files Changed

• .github/workflows/security-frontend.yml (new dedicated security workflow)
• frontend/package.json (updated vulnerable dependencies)
• frontend/yarn.lock (regenerated with secure versions)
• .claude/context/pr_desc.md (updated this file)

Additional Context

This implementation addresses a critical security gap by ensuring frontend dependencies are continuously validated against the latest vulnerability database. The system now prevents vulnerable packages from being merged into the codebase and provides real-time notifications when security issues are detected.

The workflow is currently passing with 0 vulnerabilities, demonstrating that all security issues have been resolved and the system is working correctly.

[github-actions]

🔒 Go Security Scan Results

Status: ✅ Passed

Total Vulnerabilities: 0
High/Critical: 0

Module Results

• Backend: 0 vulnerabilities (0 high/critical)
• Provider-Middleware: 0 vulnerabilities (0 high/critical)

✅ Safe to merge - No high/critical vulnerabilities detected

Scan Details: View full results

[github-actions]

🔒 Go Security Scan Results

Status: ✅ Passed

Total Vulnerabilities: 0
High/Critical: 0

Module Results

• Backend: 0 vulnerabilities (0 high/critical)
• Provider-Middleware: 0 vulnerabilities (0 high/critical)

✅ Safe to merge - No high/critical vulnerabilities detected

Scan Details: View full results

[github-actions]

🔒 Go Security Scan Results

Status: ✅ Passed

Total Vulnerabilities: 0
High/Critical: 0

Module Results

• Backend: 0 vulnerabilities (0 high/critical)
• Provider-Middleware: 0 vulnerabilities (0 high/critical)

✅ Safe to merge - No high/critical vulnerabilities detected

Scan Details: View full results

[github-actions]

🔒 Go Security Scan Results

Status: ✅ Passed

Total Vulnerabilities: 0
High/Critical: 0

Module Results

• Backend: 0 vulnerabilities (0 high/critical)
• Provider-Middleware: 0 vulnerabilities (0 high/critical)

✅ Safe to merge - No high/critical vulnerabilities detected

Scan Details: View full results

[github-actions]

🔒 Go Security Scan Results

Status: ✅ Passed

Total Vulnerabilities: 0
High/Critical: 0

Module Results

• Backend: 0 vulnerabilities (0 high/critical)
• Provider-Middleware: 0 vulnerabilities (0 high/critical)

✅ Safe to merge - No high/critical vulnerabilities detected

Scan Details: View full results

[github-actions]

🔒 Go Security Scan Results

Status: ✅ Passed

Total Vulnerabilities: 0
High/Critical: 0

Module Results

• Backend: 0 vulnerabilities (0 high/critical)
• Provider-Middleware: 0 vulnerabilities (0 high/critical)

✅ Safe to merge - No high/critical vulnerabilities detected

Scan Details: View full results

[github-actions]

🔒 Go Security Scan Results

Status: ✅ Passed

Total Vulnerabilities: 0
High/Critical: 0

Module Results

• Backend: 0 vulnerabilities (0 high/critical)
• Provider-Middleware: 0 vulnerabilities (0 high/critical)

✅ Safe to merge - No high/critical vulnerabilities detected

Scan Details: View full results

[github-actions]

🔒 Go Security Scan Results

Status: ✅ Passed

Total Vulnerabilities: 0
High/Critical: 0

Module Results

• Backend: 0 vulnerabilities (0 high/critical)
• Provider-Middleware: 0 vulnerabilities (0 high/critical)

✅ Safe to merge - No high/critical vulnerabilities detected

Scan Details: View full results

[github-actions]

🔒 Go Security Scan Results

Status: ✅ Passed

Total Vulnerabilities: 0
High/Critical: 0

Module Results

• Backend: 0 vulnerabilities (0 high/critical)
• Provider-Middleware: 0 vulnerabilities (0 high/critical)

✅ Safe to merge - No high/critical vulnerabilities detected

Scan Details: View full results

[carddev81]

Need some git file and commit history cleanup.

[carddev81]

@corypride Can you remove this commit from the history since nothing changed here?

[carddev81]

This should be removed from the commit history too, this file has been changed already to the appropriate values

[carddev81]

This should be removed from the commit history too, this file has been changed already to the appropriate values

[carddev81]

the node modules needs to be removed from this commit. You should be able to rebase and force push this out of here.

[carddev81]

This should be removed from the commit history too, this file has been changed already to the appropriate values

[carddev81]

This should be removed from the commit history too, this file has been changed already to the appropriate values

[carddev81]

This should be removed from the commit history too, this file has been changed already to the appropriate values

[carddev81]

This file can be deleted, there isn't anything in it?

[carddev81]

Looks good. I left a comment in there for you.

[carddev81]

change unlockedv2-chat to 'unlockedv2-alerts', i moved the notifications to go here

[calisio]

Could you just change it and push right now and then I will also approve so we can get this through?