
ci: add security scanner to PR builder for NPM audit log #153

@NipuniBhagya

Description


Current Limitation

Currently, there is no automated security scanning integrated into the PR builder workflow to audit dependencies for vulnerabilities using npm audit. This leads to:

  • Potential introduction of vulnerable dependencies into the codebase
  • Lack of visibility into security risks before merging PRs
  • Manual effort required to check audit results for each PR
  • Delayed detection of critical/high vulnerabilities
  • Inconsistent adoption of security best practices across contributors

Without automated security scanning, the codebase may contain:

  • Outdated or vulnerable npm packages
  • Security issues that could be caught earlier in the development lifecycle
  • Lack of transparency for reviewers and contributors regarding dependency health

Suggested Improvement

Integrate an automated security scanner into the PR builder workflow to run npm audit for every pull request. The scanner should generate an audit log as a build artifact or post a summary to the PR.

Implementation Plan

  1. Update the CI/CD workflow (GitHub Actions) to run npm audit on all PRs.
  2. Store the audit results as an artifact or comment a summary on the PR.
  3. Configure the workflow to fail the build if critical/high vulnerabilities are detected, or warn as per project policy.
  4. Document the new workflow in the repository's CONTRIBUTING.md or CI documentation.

References:

Please select the package the issue is related to

@asgardeo/javascript, @asgardeo/browser, @asgardeo/nextjs, @asgardeo/react, @asgardeo/vue

Version

Current

Reporter Checklist

  • I have searched the existing issues and this is not a duplicate.
  • I have provided all the necessary information.
  • I have verified the improvement is not available in the latest version of the package.

Labels

  • @asgardeo/browser: Issues related to the browser wrapper of the Asgardeo JavaScript SDK
  • @asgardeo/javascript: Issues related to the core of the Asgardeo JavaScript SDKs
  • @asgardeo/nextjs: Issues related to the `Next.js` wrapper of Asgardeo JavaScript SDK
  • @asgardeo/node: Issues related to the `Node.js` runtime wrapper of Asgardeo JavaScript SDK
  • @asgardeo/react: Issues related to the `React.js` wrapper of Asgardeo JavaScript SDK
  • Complexity/Low: Issues with the implementation complexity flagged as `Low`
  • Credits/20
  • Hacktoberfest: Open for Hacktoberfest contributors.
  • Type/Improvement
  • ci: Issues related to configuring continuous integration
  • good first issue: Good for newcomers
