danyaridiger
diff --git a/‎.github/workflows/audit.yml‎
Lines changed: 215 additions & 114 deletions b/‎.github/workflows/audit.yml‎
Lines changed: 215 additions & 114 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 7 additions & 2 deletions b/‎CHANGELOG.md‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
@@ -25,16 +25,31 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
-      - name: Audit dependencies
+      - name: Run security audit
         id: audit
         run: |
-          AUDIT_OUTPUT=$(npm audit --audit-level=moderate --json 2>/dev/null || true)
+          set +e
+          npm audit --audit-level=moderate --json > audit_results.json 2>audit_error.log
+          AUDIT_EXIT_CODE=$?
+
+          if [ $AUDIT_EXIT_CODE -eq 1 ]; then
+            echo "Vulnerabilities found (exit code 1)"
+            echo "has_vulnerabilities=true" >> $GITHUB_OUTPUT
+          elif [ $AUDIT_EXIT_CODE -ne 0 ]; then
+            echo "Audit failed with exit code: $AUDIT_EXIT_CODE"
+            echo '{"error": "audit_failed", "exit_code": '$AUDIT_EXIT_CODE'}' > audit_results.json
+            echo "has_vulnerabilities=false" >> $GITHUB_OUTPUT
+            echo "audit_failed=true" >> $GITHUB_OUTPUT
+          else
+            echo "No vulnerabilities found"
+            echo "has_vulnerabilities=false" >> $GITHUB_OUTPUT
+          fi
+
+          AUDIT_OUTPUT=$(cat audit_results.json)
           echo "audit_output<<EOF" >> $GITHUB_OUTPUT
           echo "$AUDIT_OUTPUT" >> $GITHUB_OUTPUT
           echo "EOF" >> $GITHUB_OUTPUT
 
-          npm audit --audit-level=moderate || echo "::warning::npm audit found vulnerabilities"
-
       - name: Upload audit report
         if: always()
         uses: actions/upload-artifact@v4
@@ -43,129 +58,215 @@ jobs:
           path: |
             package-lock.json
             package.json
+            audit_results.json
+            audit_error.log
           retention-days: 7
 
-      - name: Create issue if vulnerable
-        if: failure()
+      - name: Process audit results
+        id: process-results
+        if: always() && steps.audit.outputs.audit_output
+        run: |
+          AUDIT_OUTPUT='${{ steps.audit.outputs.audit_output }}'
+
+          # Create a simple Node.js script to process the JSON
+          cat > process_audit.js << 'EOF'
+          try {
+            const auditData = JSON.parse(process.argv[1]);
+            
+            if (auditData.error) {
+              console.log('::error::Audit failed: ' + auditData.error);
+              process.exit(1);
+            }
+            
+            const vulnerabilities = auditData.metadata?.vulnerabilities || {};
+            const total = vulnerabilities.total || 0;
+            const critical = vulnerabilities.critical || 0;
+            const high = vulnerabilities.high || 0;
+            const moderate = vulnerabilities.moderate || 0;
+            const low = vulnerabilities.low || 0;
+            
+            console.log(`total=${total}`);
+            console.log(`critical=${critical}`);
+            console.log(`high=${high}`);
+            console.log(`moderate=${moderate}`);
+            console.log(`low=${low}`);
+            
+            // Create a summary string
+            const summary = `Critical: ${critical}, High: ${high}, Moderate: ${moderate}, Low: ${low}, Total: ${total}`;
+            console.log(`summary=${summary}`);
+            
+            if (total > 0) {
+              console.log('::error::Vulnerabilities found: ' + summary);
+              process.exit(1);
+            }
+            
+          } catch (error) {
+            console.log('::error::Failed to parse audit results: ' + error.message);
+            process.exit(1);
+          }
+          EOF
+
+          # Run the processing script and capture outputs
+          node process_audit.js "$AUDIT_OUTPUT" >> $GITHUB_OUTPUT
+
+      - name: Create security issue
+        if: |
+          always() && 
+          steps.audit.outputs.has_vulnerabilities == 'true' && 
+          github.event_name != 'pull_request'
         uses: actions/github-script@v6
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
+            const { owner, repo } = context.repo;
+            const runId = context.runId;
+            const runUrl = `${context.serverUrl}/${owner}/${repo}/actions/runs/${runId}`;
+
+            const auditOutput = `${{ steps.audit.outputs.audit_output }}`;
+            const summary = `${{ steps.process-results.outputs.summary }}`;
+
+            let vulnerabilityDetails = 'Unable to parse vulnerability details';
+            let auditData = {};
+
             try {
-              const auditOutput = `${{ steps.audit.outputs.audit_output }}`;
-              let auditData = {};
-              let vulnerabilitySummary = 'Unable to parse audit details';
-              
-              try {
-                auditData = JSON.parse(auditOutput);
-                if (auditData.metadata && auditData.metadata.vulnerabilities) {
-                  const vulns = auditData.metadata.vulnerabilities;
-                  vulnerabilitySummary = `Vulnerabilities found:
-                  - Critical: ${vulns.critical || 0}
-                  - High: ${vulns.high || 0}
-                  - Moderate: ${vulns.moderate || 0}
-                  - Low: ${vulns.low || 0}`;
-                }
-              } catch (parseError) {
-                console.error('Failed to parse audit output:', parseError.message);
-                vulnerabilitySummary = 'Failed to parse audit output. Check workflow artifacts for details.';
-              }
-              
-              let existingIssues;
-              try {
-                existingIssues = await github.rest.issues.listForRepo({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  labels: ['security', 'vulnerability'],
-                  state: 'open'
-                });
-              } catch (apiError) {
-                console.error('Failed to fetch existing issues:', apiError.message);
-                existingIssues = { data: [] };
-              }
-              
-              const existingIssue = existingIssues.data.find(issue => 
-                issue.title.includes('Security vulnerabilities detected') || 
-                issue.title.includes('🚨 Security vulnerabilities detected')
-              );
-              
-              if (existingIssue) {
-                console.warn('Security issue already exists: #' + existingIssue.number);
-                return;
-              }
-              
-              try {
-                await github.rest.issues.create({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  title: '🚨 Security vulnerabilities detected in dependencies',
-                  body: `## Security Audit Report
-                  
-                  npm audit found vulnerabilities that require attention.
-                  
-                  **Vulnerability Summary:**
-                  \`\`\`
-                  ${vulnerabilitySummary}
-                  \`\`\`
-                  
-                  **Next Steps:**
-                  1. Run \`npm audit fix\` to attempt automatic fixes
-                  2. Review the full audit report in the workflow artifacts
-                  3. Update vulnerable dependencies manually if needed
-                  
-                  **Workflow Run:** ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-                  
-                  *This issue was automatically generated by the security audit workflow.*`,
-                  labels: ['security', 'vulnerability', 'automated']
-                });
-              } catch (createError) {
-                console.error('Failed to create security issue:', createError.message);
+              auditData = JSON.parse(auditOutput);
+              if (auditData.metadata && auditData.metadata.vulnerabilities) {
+                const vulns = auditData.metadata.vulnerabilities;
+                vulnerabilityDetails = `## Vulnerability Summary
+                
+                | Severity | Count |
+                |----------|-------|
+                | 🔴 Critical | ${vulns.critical || 0} |
+                | 🟠 High | ${vulns.high || 0} |
+                | 🟡 Moderate | ${vulns.moderate || 0} |
+                | 🔵 Low | ${vulns.low || 0} |
+                | **Total** | **${vulns.total || 0}** |`;
               }
+            } catch (parseError) {
+              vulnerabilityDetails = `## Audit Results
+              Unable to parse detailed vulnerability information. Check the workflow artifacts for complete details.`;
+            }
+
+            // Check for existing open security issues
+            const { data: existingIssues } = await github.rest.issues.listForRepo({
+              owner,
+              repo,
+              labels: ['security-audit', 'dependencies'],
+              state: 'open'
+            });
+
+            const existingIssue = existingIssues.find(issue => 
+              issue.title.includes('Security Audit: Vulnerabilities Detected') ||
+              issue.title.includes('npm audit found vulnerabilities')
+            );
+
+            if (existingIssue) {
+              console.log(`Security issue already exists: #${existingIssue.number}`);
               
-            } catch (outerError) {
-              console.error('Unexpected error in Create issue step:', outerError.message);
+              // Update existing issue with latest results
+              await github.rest.issues.update({
+                owner,
+                repo,
+                issue_number: existingIssue.number,
+                body: `## 🔒 Security Audit Update
+                
+                ${vulnerabilityDetails}
+                
+                **Latest Scan Results:** ${summary}
+                
+                **Workflow Run:** [View Run](${runUrl})
+                **Last Updated:** ${new Date().toISOString()}
+                
+                **Next Steps:**
+                1. Run \`npm audit fix\` to attempt automatic fixes
+                2. Run \`npm audit\` to review detailed findings
+                3. Manually update dependencies if automatic fixes are insufficient
+                4. Check the workflow artifacts for complete audit report
+                
+                *This issue is automatically updated by the security audit workflow.*`
+              });
+            } else {
+              // Create new issue
+              await github.rest.issues.create({
+                owner,
+                repo,
+                title: `🔒 Security Audit: Vulnerabilities Detected - ${new Date().toISOString().split('T')[0]}`,
+                body: `## 🔒 Security Audit Report
+                
+                ${vulnerabilityDetails}
+                
+                **Workflow Run:** [View Run](${runUrl})
+                **Detected:** ${new Date().toISOString()}
+                
+                **Recommended Actions:**
+                1. Run \`npm audit fix\` to attempt automatic fixes
+                2. Run \`npm audit\` to review detailed findings  
+                3. Manually update vulnerable dependencies if needed
+                4. Check the workflow artifacts for complete audit report
+                5. Close this issue once vulnerabilities are resolved
+                
+                **Automated Commands:**
+                \`\`\`bash
+                # Try automatic fixes
+                npm audit fix
+                
+                # Review remaining issues
+                npm audit
+                \`\`\`
+                
+                *This issue was automatically generated by the security audit workflow.*`,
+                labels: ['security-audit', 'dependencies', 'automated']
+              });
             }
 
-      - name: Comment on PR if vulnerable
-        if: failure() && github.event_name == 'pull_request'
+      - name: Comment on PR with vulnerabilities
+        if: |
+          always() && 
+          steps.audit.outputs.has_vulnerabilities == 'true' && 
+          github.event_name == 'pull_request'
         uses: actions/github-script@v6
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
-            try {
-              const auditOutput = `${{ steps.audit.outputs.audit_output }}`;
-              let vulnerabilitySummary = '## 🔒 Security Audit Results\n\nSecurity vulnerabilities detected by npm audit. Please run `npm audit` to review and fix these issues before merging.';
-              
-              try {
-                const auditData = JSON.parse(auditOutput);
-                if (auditData.metadata && auditData.metadata.vulnerabilities) {
-                  const vulns = auditData.metadata.vulnerabilities;
-                  vulnerabilitySummary = `## 🔒 Security Audit Results
-                  
-                  Vulnerabilities found in this PR:
-                  - ⚠️ Critical: ${vulns.critical || 0}
-                  - 🔴 High: ${vulns.high || 0}
-                  - 🟡 Moderate: ${vulns.moderate || 0}
-                  - 🔵 Low: ${vulns.low || 0}
-                  
-                  Please run \`npm audit\` to review and fix these issues before merging.`;
-                }
-              } catch (parseError) {
-                console.error('Failed to parse audit output for PR comment:', parseError.message);
-                vulnerabilitySummary = '## 🔒 Security Audit Results\n\nSecurity vulnerabilities detected. Please check the workflow artifacts for detailed audit results.';
-              }
-              
-              try {
-                await github.rest.issues.createComment({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  issue_number: context.payload.pull_request.number,
-                  body: vulnerabilitySummary
-                });
-              } catch (commentError) {
-                console.error('Failed to create PR comment:', commentError.message);
-              }
-              
-            } catch (outerError) {
-              console.error('Unexpected error in PR comment step:', outerError.message);
+            const summary = `${{ steps.process-results.outputs.summary }}`;
+            const total = `${{ steps.process-results.outputs.total }}`;
+            const critical = `${{ steps.process-results.outputs.critical }}`;
+            const high = `${{ steps.process-results.outputs.high }}`;
+
+            let severityIcon = '⚠️';
+            if (critical > 0 || high > 0) {
+              severityIcon = '🚨';
             }
+
+            const commentBody = `## ${severityIcon} Security Audit Results
+
+            **Vulnerabilities detected in this PR:**
+            ${summary}
+
+            **Required Action:**
+            Please address these security vulnerabilities before merging this pull request.
+
+            **Quick Fixes:**
+            \`\`\`bash
+            # Try automatic fixes
+            npm audit fix
+
+            # If that doesn't resolve all issues, try with force
+            npm audit fix --force
+            \`\`\`
+
+            *Note: Be cautious with \`--force\` as it may introduce breaking changes.*`;
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              body: commentBody
+            });
+
+      - name: Fail workflow if vulnerabilities found
+        if: steps.audit.outputs.has_vulnerabilities == 'true'
+        run: |
+          echo "::error::Security vulnerabilities detected! Check the created issue or PR comment for details."
+          echo "Summary: ${{ steps.process-results.outputs.summary }}"
+          exit 1
@@ -1,6 +1,6 @@
 # Patch notes
 
-Current `vue3-extended-multiselect` version: **2.3.11**
+Current `vue3-extended-multiselect` version: **3.0.1**
 
 ---
 
@@ -544,7 +544,6 @@ Adding descriptive comments for some types in typings.
 - Added coverage configuration for unit testing.
 - Added banner with package information to all output variants.
 - Added enhanced null checking mechanism to pre-selected options.
-- Changed rollup output format and added UMD output variant.
 - Changed main documentation and documentation for contributors.
 - Changed package keywords.
 - Changed Node.js platform version and added a treshold for the node platform versions.
@@ -554,3 +553,9 @@ Adding descriptive comments for some types in typings.
 - Removed "publish" workflow in favor of the new "release" workflow for automatically creating Github tags and releases.
 - Removed explicit installation of "core-js" dependency.
 - Removed unnecessary "iconFilter" prop in ExtendedMultiselectLoader component.
+
+### 3.0.1
+
+- Changed security audit workflow with proper vulnerability handling.
+- Fixed a bug with layout shifting when using the optional "dropdownDisabled" prop together with the optional "iconSize" prop.
+- Fixed runtime errors in UMD file output variant by reconfiguring the "babel" plugin for rollup.
@@ -1,4 +1,4 @@
-# vue3-extended-multiselect v3.0.0
+# vue3-extended-multiselect v3.0.1
 
 ---
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# vue3-extended-multiselect v3.0.0`
	`1`	`+# vue3-extended-multiselect v3.0.1`
`2`	`2`
`3`	`3`	`---`
`4`	`4`