Skip to content

fix: CI workflow errors and dependency vulnerabilities#182

Merged
Dami24-hub merged 1 commit into
mainfrom
fix/ci-workflow-and-audit-vulns
Jul 2, 2026
Merged

fix: CI workflow errors and dependency vulnerabilities#182
Dami24-hub merged 1 commit into
mainfrom
fix/ci-workflow-and-audit-vulns

Conversation

@Dami24-hub

Copy link
Copy Markdown
Contributor

Summary

Fixes all errors in the CI workflow and resolves failing audit-npm job.

CI Workflow fixes (.github/workflows/ci.yml)

Issue Fix
actions-rs/toolchain@v1 — archived/unmaintained action Replaced with dtolnay/rust-toolchain@master in all 5 Rust jobs
actions-rs/tarpaulin@v0.1 — archived action Replaced with cargo install cargo-tarpaulin --locked + direct run
trufflesecurity/trufflehog@main — unpinned, supply-chain risk Pinned to v3.95.7
Rust toolchain hardcoded to 1.79.0 but rust-toolchain.toml pins 1.78.0 Switched to toolchain: filerust-toolchain.toml is now the single source of truth
--no-verification flag contradicts --results=verified,unknown in trufflehog args Removed --no-verification

Dependency fixes (package.json)

Package Before After Severity
vitest 1.6.1 3.2.6 Critical — esbuild CVE GHSA-67mh-4wv8-2f99
@opentelemetry/auto-instrumentations-node 0.46.0 0.77.0 High — Prometheus crash via malformed HTTP request
@opentelemetry/sdk-node 0.46.0 0.219.0 High — cascading from above

npm audit --audit-level=high now returns found 0 vulnerabilities.

Test fix (tests/stream.test.ts)

Added ! non-null assertion on mock.calls[0]! — vitest v3 updated its type definitions to correctly reflect noUncheckedIndexedAccess, which the prior v1 types silently ignored.

- Replace deprecated actions-rs/toolchain@v1 with dtolnay/rust-toolchain
  in all Rust CI jobs (test, test-rust, lint-rust, coverage-rust, audit-rust)
- Replace deprecated actions-rs/tarpaulin@v0.1 with direct cargo install
- Pin trufflesecurity/trufflehog to v3.95.7 instead of @main
- Fix Rust toolchain version: switch from hardcoded 1.79.0 to 'toolchain: file'
  so rust-toolchain.toml (which pins 1.78.0) is the source of truth
- Remove --no-verification flag from trufflehog args (conflicts with
  --results=verified,unknown)
- Upgrade vitest 1.6.1 -> 3.2.6 (fixes critical esbuild CVE GHSA-67mh-4wv8-2f99)
- Upgrade @opentelemetry/sdk-node 0.46.0 -> 0.219.0 (fixes high severity vuln)
- Upgrade @opentelemetry/auto-instrumentations-node 0.46.0 -> 0.77.0 (fixes high)
- Fix tests/stream.test.ts: add non-null assertion on mock.calls[0]! to satisfy
  noUncheckedIndexedAccess with updated vitest v3 type definitions
@Dami24-hub Dami24-hub merged commit 58f83b2 into main Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant