
Conversation

ewanharris
Member

Description

What problem is being solved?

Prevents npm audit failures (as seen on multiple open PRs) because axios is pinned in the package-lock.json file to 1.11.0. This dependency is pulled in through @openfga/[email protected], which declares a range of ^1.8.3. This requires manual intervention to update the lockfile.

How is it being solved?

Rather than running an audit against the dependencies pinned within this project, instead introduce the --no-package-lock flag which will force npm to resolve the dependency tree and determine if there are any issues in the "live" dependencies rather than the (most likely) outdated lockfile references.

Given that this project is a library and not an app, (personal opinion incoming) there is more value in working against what a consumer of the library would install when downloading the library, to be aware of any broken functionality, rather than using lockfiles as a means of security (we can do, but ideally we should move to limiting token access/usage etc.).

What changes are made to solve it?

Introduce the --no-package-lock flag to npm audit.

References

https://docs.npmjs.com/cli/v9/commands/npm-audit#package-lock

Review Checklist

  • I have clicked on "allow edits by maintainers".
  • I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
  • The correct base branch is being used, if not main
  • I have added tests to validate that the change in functionality is working as expected
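The lockfile-versus-live audit gap described above, as an added Python example that is not part of this PR or the openfga project: it models npm's caret range rule and compares what an audit of the pinned lockfile sees with what a fresh resolve of the declared range would see. The axios 1.11.0 pin and ^1.8.3 range come from the PR text; the registry contents, the "otherlib" package and the fixed-in versions are constructed placeholders, not real advisories. It also covers the caveat that a range which cannot reach the fixed release fails both ways.

```python
import json
import re

def parse(v):
    # 'X.Y.Z' -> comparable tuple; pre-release tags are deliberately not handled
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version {v!r}")
    return tuple(int(x) for x in m.groups())

def caret_allows(rng, version):
    """npm caret range: ^X.Y.Z keeps the leftmost non-zero component fixed,
    so ^1.8.3 means >=1.8.3 <2.0.0 and ^0.2.1 means >=0.2.1 <0.3.0."""
    low, v = parse(rng.lstrip("^")), parse(version)
    if low[0] > 0:
        high = (low[0] + 1, 0, 0)
    elif low[1] > 0:
        high = (0, low[1] + 1, 0)
    else:
        high = (0, 0, low[2] + 1)
    return low <= v < high

def resolve_fresh(rng, available):
    """Without a lockfile npm picks the newest published version inside rng."""
    ok = [v for v in available if caret_allows(rng, v)]
    return max(ok, key=parse) if ok else None

def audit(lock, ranges, available, advisories):
    """Compare what `npm audit` sees (the locked version) with what
    `npm audit --no-package-lock` sees (a fresh resolve of the declared range)."""
    report = {}
    for name, fixed_in in advisories.items():
        locked = lock["packages"][f"node_modules/{name}"]["version"]
        fresh = resolve_fresh(ranges[name], available[name])
        report[name] = {
            "locked_vulnerable": parse(locked) < parse(fixed_in),
            "fresh_vulnerable": fresh is None or parse(fresh) < parse(fixed_in),
        }
    return report

# Constructed package-lock.json fragment: the axios 1.11.0 pin and ^1.8.3 range
# mirror the PR text; "otherlib" is a hypothetical second dependency.
LOCK = json.loads('{"packages": {"node_modules/axios": {"version": "1.11.0"},'
                  ' "node_modules/otherlib": {"version": "1.4.0"}}}')
RANGES = {"axios": "^1.8.3", "otherlib": "^1.0.0"}
# Placeholder registry contents and fixed-in versions; NOT real advisories.
AVAILABLE = {"axios": ["1.8.3", "1.11.0", "1.99.0"], "otherlib": ["1.4.0", "2.0.0"]}
ADVISORIES = {"axios": "1.99.0", "otherlib": "2.0.0"}
if __name__ == "__main__":
    # axios: lock audit fails, live audit passes; otherlib: both fail (^1.0.0 never reaches 2.0.0)
    print(audit(LOCK, RANGES, AVAILABLE, ADVISORIES))
```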

Auditing without package-lock.json to avoid false positives from dependencies
where the version range is actually safe but the lock file is pinning to a
vulnerable version.
@ewanharris ewanharris requested review from a team as code owners October 14, 2025 12:10
@ewanharris ewanharris added this pull request to the merge queue Oct 14, 2025
Merged via the queue into main with commit 6eba3d8 Oct 14, 2025
27 checks passed
@ewanharris ewanharris deleted the ci/audit-live-deps branch October 14, 2025 15:54