d5d19cab7c
Bumps the npm-development group with 6 updates: | Package | From | To | | --- | --- | --- | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.17.48` | `20.17.50` | | [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `3.1.3` | `3.1.4` | | [eslint-import-resolver-typescript](https://github.com/import-js/eslint-import-resolver-typescript) | `4.3.5` | `4.4.1` | | [globals](https://github.com/sindresorhus/globals) | `16.1.0` | `16.2.0` | | [rollup](https://github.com/rollup/rollup) | `4.41.0` | `4.41.1` | | [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `3.1.3` | `3.1.4` | Updates `@types/node` from 20.17.48 to 20.17.50 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `@vitest/coverage-v8` from 3.1.3 to 3.1.4 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v3.1.4/packages/coverage-v8) Updates `eslint-import-resolver-typescript` from 4.3.5 to 4.4.1 - [Release notes](https://github.com/import-js/eslint-import-resolver-typescript/releases) - [Changelog](https://github.com/import-js/eslint-import-resolver-typescript/blob/master/CHANGELOG.md) - [Commits](https://github.com/import-js/eslint-import-resolver-typescript/compare/v4.3.5...v4.4.1) Updates `globals` from 16.1.0 to 16.2.0 - [Release notes](https://github.com/sindresorhus/globals/releases) - [Commits](https://github.com/sindresorhus/globals/compare/v16.1.0...v16.2.0) Updates `rollup` from 4.41.0 to 4.41.1 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](https://github.com/rollup/rollup/compare/v4.41.0...v4.41.1) Updates `vitest` from 3.1.3 to 3.1.4 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v3.1.4/packages/vitest) --- updated-dependencies: - dependency-name: "@types/node" dependency-version: 20.17.50 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-development - dependency-name: "@vitest/coverage-v8" dependency-version: 3.1.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-development - dependency-name: eslint-import-resolver-typescript dependency-version: 4.4.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-development - dependency-name: globals dependency-version: 16.2.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-development - dependency-name: rollup dependency-version: 4.41.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-development - dependency-name: vitest dependency-version: 3.1.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-development ... Signed-off-by: dependabot[bot] <support@github.com>
npm audit action
GitHub Action to run npm audit
Feature
Create a Pull Request comment
If vulnerabilities are found by npm audit, Action triggered by PR creates a
comment.
Create an Issue
If vulnerabilities are found by npm audit, Action triggered by push, schedule
creates the following GitHub Issue.
Usage
Inputs
| Parameter | Required | Default Value | Description |
|---|---|---|---|
| audit_level | false | low | The value of --audit-level flag |
| create_issues | false | true | Flag to create issues when vulnerabilities are found |
| create_pr_comments | false | true | Flag to create pr comments when vulnerabilities are found |
| dedupe_issues | false | false | Flag to de-dupe against open issues |
| github_context | false | ${{ toJson(github) }} |
The github context |
| github_token | true | N/A | GitHub Access Token. ${{ secrets.GITHUB_TOKEN }} is recommended. |
| issue_assignees | false | N/A | Issue assignees (separated by commma) |
| issue_labels | false | N/A | Issue labels (separated by commma) |
| issue_title | false | npm audit found vulnerabilities | Issue title |
| json_flag | false | false | Run npm audit with --json |
| production_flag | false | false | Run npm audit with --omit=dev |
| working_directory | false | N/A | The directory which contains package.json |
Outputs
| Parameter name | Description |
|---|---|
| npm_audit | The output of the npm audit report in a text format |
Example Workflow
name: npm audit
on:
pull_request:
push:
branches:
- main
- 'releases/*'
# on:
# schedule:
# - cron: '0 10 * * *'
jobs:
scan:
name: npm audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: install dependencies
run: npm ci
- uses: oke-py/npm-audit-action@v3
with:
audit_level: moderate
github_token: ${{ secrets.GITHUB_TOKEN }}
issue_assignees: oke-py
issue_labels: vulnerability,test
dedupe_issues: true
Development
Running Tests
This project uses Vitest for testing. To run the tests, use the following command:
npm run test
Vitest will execute all test files and provide a detailed report of the results. For coverage reports, you can use:
npm run test:coverage
Ensure all dependencies are installed before running the tests:
npm ci
This action is inspired by homoluctus/gitrivy.