Skip to content

Reminder for npm audit fix #1357

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Sep 18, 2025
Merged

Reminder for npm audit fix #1357

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
2feb4ae
NO-ISSUE Reminder for npm audit fix
Yang-33 Aug 5, 2025
718a4bd
NO-ISSUE a
Yang-33 Aug 5, 2025
ac55540
NO-ISSUE --audit-level moderate
Yang-33 Aug 5, 2025
c0ddd2f
NO-ISSUE a
Yang-33 Aug 5, 2025
39b9dec
NO-ISSUE fix
Yang-33 Sep 14, 2025
97a2aef
NO-ISSUE oops
Yang-33 Sep 16, 2025
6d2bc90
Merge branch 'master' into reminder-for-npm-audit
Yang-33 Sep 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 64 additions & 0 deletions .github/workflows/npm-audit.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
name: "Reminder for 'run npm audit'"

on:
schedule:
- cron: '0 22 * * *'
workflow_dispatch:

jobs:
run-npm-audit:
runs-on: ubuntu-latest
permissions:
contents: read
issues: write
if: github.repository == 'line/line-bot-sdk-nodejs'
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
with:
node-version: '24'

- name: Run npm audit and check diff
id: audit
run: ./scripts/npm-audit.sh
continue-on-error: true

- name: Create or update reminder issue
if: steps.audit.outcome == 'failure'
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
env:
TZ: 'Asia/Tokyo'
with:
script: |
const { owner, repo } = context.repo;
const title = 'Reminder: run npm audit';
const securityURL = `https://github.com/${owner}/${repo}/security`;
const baseBody = [
'Fix all vulnerabilities. You can check with `.github/scripts/npm-audit.sh` locally, then send a PR with the fixes.',
`After fixing, make sure the vulnerabilities count in **${securityURL}** is **0**.`
].join('\n\n');

const { data: result } = await github.rest.search.issuesAndPullRequests({
q: `repo:${owner}/${repo} is:issue is:open in:title "${title}"`
});

const today = new Date();

if (result.total_count === 0) {
await github.rest.issues.create({
owner,
repo,
title,
body: `${baseBody}\n\n0 days have passed.`
});
} else {
const issue = result.items[0];
const created = new Date(issue.created_at);
const diffDays = Math.floor((today - created) / 86_400_000);
await github.rest.issues.update({
owner,
repo,
issue_number: issue.number,
body: `${baseBody}\n\n${diffDays} days have passed.`
});
}
28 changes: 28 additions & 0 deletions scripts/npm-audit.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
#!/usr/bin/env bash
set -euo pipefail

IFS=$'\n'
locks=($(find . -path '*/node_modules' -prune -o -name package-lock.json -print))
unset IFS

declare -a failed=()

for lock in "${locks[@]}"; do
dir=$(dirname "$lock")
printf '\n\n\033[1;34m==> %s\033[0m\n' "$dir"

pushd "$dir" >/dev/null
if ! npm audit --audit-level moderate; then
failed+=("$dir")
fi
popd >/dev/null
done

if ((${#failed[@]})); then
echo -e "\n\033[0;31mnpm audit reported vulnerabilities in:\033[0m"
printf ' - %s\n' "${failed[@]}"
exit 1
else
echo "npm audit passed: no vulnerabilities detected"
exit 0
fi