ci(workspace): add npm audit workflow to scan dependencies #171

TharakaUJ · 2025-09-24T13:13:41Z

introduce automated security scanning for dependencies by running npm audit in pull requests. this ensures vulnerabilities are caught earlier in the development cycle and increases visibility for reviewers.

Closes #153

Purpose

Related Issues

ci: add security scanner to PR builder for NPM audit log #153

Related PRs

Checklist

e2e cypress tests locally verified.
Manual test round performed and verified.
UX/UI review done on the final implementation.
Documentation provided. (Add links if there are any)
Unit tests provided. (Add links if there are any)
Integration tests provided. (Add links if there are any)

Security checks

Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines?
Ran FindSecurityBugs plugin and verified report?
Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets?

introduce automated security scanning for dependencies by running `npm audit` in pull requests. this ensures vulnerabilities are caught earlier in the development cycle and increases visibility for reviewers. Closes asgardeo#153

brionmario · 2025-09-26T04:32:58Z

Hi @TharakaUJ,

Thanks a lot for the PR.

Just FYI, jave a look at here: #153 (comment) to understand the issue picking process of the competition.

Cheers!

brionmario · 2025-09-26T04:33:40Z

@NipuniBhagya Could you please review this?

TharakaUJ · 2025-09-26T09:56:31Z

Just FYI, jave a look at here: #153 (comment) to understand the issue picking process of the competition.

Thanks for pointing me to that! I’ve gone through the comment and now understand the issue picking process. I’ll be sure to follow it properly for future contributions.

.github/workflows/npm-audit.yml

brionmario · 2025-10-16T16:09:42Z

.github/workflows/npm-audit.yml

+    strategy:
+      matrix:
+        node-version: [lts/*]
+    steps:


Lets replace the existing steps with the existing steps from https://github.com/asgardeo/javascript/blob/main/.github/workflows/pr-builder.yml#L23C1-L66 apart from 🐳 Set SHAs for Nx.

Suggested change

steps:

steps:

- name: ⬇️ Checkout

id: checkout

uses: actions/[email protected]

.github/workflows/npm-audit.yml

Follow the current style of configuring CI jobs as requested by reviewers: - Use matrix strategy for Node.js versions for ease of maintenance - Match the exact same style as reference pr-builder.yml workflow Addresses reviewer feedback: "Lets follow the current style of configuring CI jobs. We usually keep a matrix of the versions such as Node.js for ease."

asgardeo-github-bot · 2025-10-25T18:42:59Z

⚠️ No Changeset found

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go.

If these changes should result in a version bump, you need to add a changeset.

Refer Release Documentation to learn how to add a changeset.

brionmario · 2025-10-27T06:34:03Z

@TharakaUJ,

Awesome work.
Merging this now.

Thanks for the contribution.

TharakaUJ · 2025-10-27T07:27:11Z

Happy to contribute.
Thank you too for guiding!

TharakaUJ closed this Sep 24, 2025

TharakaUJ reopened this Sep 24, 2025

TharakaUJ force-pushed the npm-audit branch from 542b34d to b5b00bc Compare September 24, 2025 15:08

TharakaUJ mentioned this pull request Sep 27, 2025

ci: add security scanner to PR builder for NPM audit log #153

Closed

3 tasks

brionmario reviewed Sep 29, 2025

View reviewed changes