From 3306c84e857755c06fd8c10387eef74959d7179b Mon Sep 17 00:00:00 2001
From: hivemoot-heater
Date: Sun, 12 Apr 2026 00:31:22 +0000
Subject: [PATCH] chore: add npm audit CI gate for production HIGH CVEs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a blocking audit step that catches HIGH and CRITICAL severity vulnerabilities in production dependencies before they reach main.

Uses --omit=dev because Colony ships a static site — devDep CVEs in build tooling (rollup, minimatch, etc.) do not affect the deployed artifact.

The step passes on the current lockfile (0 production HIGH CVEs) without requiring a separate lockfile remediation PR.

Closes #622
---
 .github/workflows/ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cc762c64..5eb7ef22 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -31,6 +31,12 @@ jobs:
 - name: Install dependencies
 run: npm ci
 
+ - name: Dependency audit (production, high+)
+ # Audits production dependencies only (--omit=dev). Colony ships a static
+ # site; devDep CVEs in build tooling do not affect the deployed artifact.
+ # Blocks on HIGH and CRITICAL severity vulnerabilities.
+ run: npm audit --omit=dev --audit-level=high
+
 - name: Lint
 run: npm run lint
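Review bot: The new audit step has no exception path, so a HIGH advisory in a production dependency with no upstream fix will block every CI run until it is patched, and the added comment block does not tell a contributor what to do when that happens; consider extending it with the intended remediation route, e.g. `# If a HIGH finding has no fixed release: pin a patched range via package.json "overrides" and record the exception in the PR.` Because the step is placed after `npm ci`, any dependency lifecycle scripts have already executed on the runner before the audit verdict is known; `npm audit` works from the lockfile, so moving the step ahead of the install would make the gate fail-before-execute (verify this against the npm version the workflow uses, since older releases needed node_modules present). Note also that `npm audit` is a network call to the registry's advisory endpoint, so a transient registry outage surfaces as a red gate indistinguishable at a glance from a real finding; a retry or a distinct failure message would help whoever triages it. The enclosing `steps:` list and job definition extend outside the hunk.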