
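---
# Security Scanning workflow: npm audit, Snyk scan, lint, security/business/
# compliance test suites, a load test, a lockfile check, and two jobs that
# publish the audit and snyk results as commit statuses.
name: Security Scanning

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'
  workflow_dispatch: {}

# Workflow-wide GITHUB_TOKEN scope is read-only. `statuses: write` is granted
# per job to the two report-* jobs that call createCommitStatus, so the jobs
# that run `npm ci`, third-party actions and the test suites cannot alter
# commit statuses.
permissions:
  contents: read

jobs:
  audit:
    name: Dependency Audit
    runs-on: ubuntu-latest
    steps:
      # Actions below are pinned by major tag; pinning to a full commit SHA is
      # the stronger supply-chain control.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
      # --ignore-scripts keeps dependency lifecycle scripts from running here.
      - name: Install dependencies
        run: npm ci --ignore-scripts
      # The only gating step in this job; its outcome drives the 'audit'
      # commit status posted by report-audit-status.
      - name: Production dependency audit (fail on moderate+)
        run: npm audit --omit=dev --audit-level=moderate
      # Informational: includes devDependencies, never fails the job.
      - name: Full dependency audit (informational)
        run: npm audit || true
      - name: Check for outdated dependencies
        run: npm outdated || true

  snyk:
    name: Snyk Vulnerability Scan
    runs-on: ubuntu-latest
    if: github.event_name != 'schedule'
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
      - name: Install dependencies
        run: npm ci --ignore-scripts
      # Repository secrets are not exposed to runs triggered by fork or
      # Dependabot pull requests. Record whether the token is present so the
      # scan is visibly skipped instead of failing on auth behind
      # continue-on-error. The expression yields only true/false, never the
      # token value.
      - name: Check for Snyk token
        id: snyk-token
        run: echo "present=${{ secrets.SNYK_TOKEN != '' }}" >> "$GITHUB_OUTPUT"
      # continue-on-error means findings never fail this job, so the 'snyk'
      # commit status set by report-snyk-status reflects only whether the
      # action ran, not whether it found high-severity issues. Remove it if the
      # status is meant to gate merges.
      - name: Run Snyk to check for vulnerabilities
        if: steps.snyk-token.outputs.present == 'true'
        continue-on-error: true
        uses: snyk/actions/node@v1.0.0
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

  lint:
    name: Lint & Static Analysis
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
      - name: Install dependencies
        run: npm ci --ignore-scripts
      - name: Run ESLint
        run: npm run lint

  test-security:
    name: Security Tests
    runs-on: ubuntu-latest
    env:
      # Install scripts run in this job (no --ignore-scripts); skip the
      # Electron binary download they would otherwise trigger.
      ELECTRON_SKIP_BINARY_DOWNLOAD: '1'
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
      # Build toolchain for the native module rebuilt below.
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y python3 make g++
      # Unlike the audit/lint jobs this runs every dependency's lifecycle
      # scripts; presumably needed for the native/Electron install — confirm
      # before adding --ignore-scripts here.
      - name: Install dependencies
        run: npm ci
      - name: Rebuild native modules
        run: npm rebuild better-sqlite3-multiple-ciphers
      - name: Run cross-org access tests
        run: npm run test:security
      - name: Run business logic tests
        run: npm run test:business
      - name: Run compliance validation tests
        run: npm run test:compliance

  load-test:
    name: Performance Load Test
    runs-on: ubuntu-latest
    env:
      # Same rationale as test-security: install scripts run here.
      ELECTRON_SKIP_BINARY_DOWNLOAD: '1'
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y python3 make g++
      - name: Install dependencies
        run: npm ci
      - name: Rebuild native modules
        run: npm rebuild better-sqlite3-multiple-ciphers
      - name: Run load tests
        run: npm run test:load

  lockfile-check:
    name: Lockfile Integrity
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Checked before setup-node: with `cache: 'npm'` setup-node itself errors
      # when no lockfile exists, so a check placed after it would never run.
      # `npm ci` also refuses to run without package-lock.json or
      # npm-shrinkwrap.json, so fail here with an explicit message rather than
      # a warning that the install step turns into an opaque error anyway.
      - name: Verify lockfile is committed
        run: |
          if [ ! -f package-lock.json ] && [ ! -f npm-shrinkwrap.json ]; then
            echo "::error::No package-lock.json or npm-shrinkwrap.json is committed; dependencies are not pinned."
            exit 1
          fi
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
      # Fails if package.json and the lockfile disagree.
      - name: Verify clean install matches lockfile
        run: npm ci --ignore-scripts

  report-audit-status:
    name: Report audit status
    runs-on: ubuntu-latest
    needs: audit
    # Runs even when audit fails or is cancelled so a status is always posted.
    if: always()
    permissions:
      statuses: write
    steps:
      - name: Set audit commit status
        uses: actions/github-script@v9
        with:
          script: |
            // needs.*.result is a fixed enum (success/failure/cancelled/skipped),
            // so interpolating it into JS cannot inject code. Anything other
            // than success is reported as failure.
            const state = '${{ needs.audit.result }}' === 'success' ? 'success' : 'failure';
            // On pull_request context.sha is the merge commit; attach the
            // status to the PR head commit instead.
            const sha = context.payload.pull_request
              ? context.payload.pull_request.head.sha
              : context.sha;
            await github.rest.repos.createCommitStatus({
              owner: context.repo.owner,
              repo: context.repo.repo,
              sha,
              state,
              context: 'audit',
              description: `Dependency audit ${state}`,
              target_url: `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`
            });

  report-snyk-status:
    name: Report snyk status
    runs-on: ubuntu-latest
    needs: snyk
    if: always()
    permissions:
      statuses: write
    steps:
      - name: Set snyk commit status
        uses: actions/github-script@v9
        with:
          script: |
            // The snyk job is skipped on schedule runs and its scan step is
            // non-blocking, so 'skipped' and 'success' both map to success;
            // only a job-level failure or cancellation is reported as failure.
            const result = '${{ needs.snyk.result }}';
            const state = (result === 'success' || result === 'skipped') ? 'success' : 'failure';
            const sha = context.payload.pull_request
              ? context.payload.pull_request.head.sha
              : context.sha;
            await github.rest.repos.createCommitStatus({
              owner: context.repo.owner,
              repo: context.repo.repo,
              sha,
              state,
              context: 'snyk',
              description: `Snyk vulnerability scan ${state}`,
              target_url: `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`
            });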