Merge pull request #2976 from ably/stop-the-second-coming

kennethkalmer · web-flow · commit 9057fa8cd763 · 2025-11-26T10:27:16.000Z
[WEB-4835] Add Shai Hulud supply chain attack protections
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -50,6 +50,27 @@ jobs:
       - store_artifacts:
           path: coverage
 
+  security-audit:
+    executor:
+      name: default
+    steps:
+      - checkout
+      - attach_workspace:
+          at: .
+      - run:
+          name: Run security audit
+          command: |
+            yarn audit --level critical || {
+              EXIT_CODE=$?
+              if [ $EXIT_CODE -eq 16 ]; then
+                echo "❌ Critical vulnerabilities found"
+                exit 1
+              else
+                echo "✓ No critical vulnerabilities (exit code: $EXIT_CODE)"
+                exit 0
+              fi
+            }
+
   build:
     environment:
       ASSET_COMPRESSION_ITERATIONS: 1
@@ -143,6 +164,9 @@ workflows:
     unless: << pipeline.parameters.content-update >>
     jobs:
       - install-dependencies
+      - security-audit:
+          requires:
+            - install-dependencies
       - test:
           requires:
             - install-dependencies
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,32 @@
+version: 2
+
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    # Security: 7-day cooldown gives the community time to detect and report
+    # malicious packages before they're automatically proposed for our codebase
+    # This protects against supply chain attacks like Shai Hulud
+    # See internal security docs: Search Confluence Web space for 'Supply Chain Security'
+    cooldown:
+      default-days: 7
+      include: ['*']
+    # Check for security updates and dependencies
+    open-pull-requests-limit: 2
+    ignore:
+      - dependency-name: "posthog-js"
+    versioning-strategy: increase
+
+  # Separate group for posthog-js which is aggressive in releasing updates
+  - package-ecosystem: npm
+    directory: "/"
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+      include: ['*']
+    open-pull-requests-limit: 2
+    versioning-strategy: increase
+    allow:
+      - dependency-name: "posthog-js"
