ci(validate-deps): replace retired pnpm audit with OSV-Scanner#2986
Merged
Conversation
npm retired the audit endpoint (HTTP 410, "This endpoint is being retired. Use the bulk advisory endpoint instead.") on 2026-07-13, and pnpm has not migrated to the bulk advisory endpoint. As a result `pnpm audit --audit-level=high` fails unconditionally on every branch and PR, turning the Validate Package Dependencies check permanently red (issue #2974). Replace the step with google/osv-scanner-action (pinned by commit SHA), which reads pnpm-lock.yaml directly against the OSV database and exits non-zero when any advisory matches — restoring a working blocking security gate without depending on the retired npm endpoint. Also update the release hardening checklist in docs/HARDENING.md to use osv-scanner, since `pnpm audit` no longer works locally either. Note: OSV-Scanner gates on any severity rather than only high/critical. Specific advisories can be accepted via an osv-scanner.toml [[IgnoredVulns]] entry instead of lowering the gate. Fixes #2974 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
So edits to the dependency-validation gates are exercised on the PR that introduces them, rather than only when a dependency manifest changes. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE
The OSV-Scanner gate (replacing the retired `pnpm audit`) blocks on any severity and surfaced 9 pre-existing advisories in pnpm-lock.yaml across 6 packages. Pin each to its patched line, following the existing pnpm-workspace.yaml `overrides` convention: - uuid 8.3.2 -> ^11.1.1 GHSA-w5hq-g745-h8pq (high) - @better-auth/oauth-provider 1.6.23 -> 1.7.0-rc.1 GHSA-p2fr-6hmx-4528 - postcss 8.4.31 -> ^8.5.10 GHSA-qx2v-qp2m-jg93 - cookie 0.6.0 -> 0.7.0 GHSA-pxg6-pf52-xh8x - svelte 5.55.3 -> ^5.55.7 GHSA-9rmh-mm8f-r9h6 + 3 more - @tootallnate/once 1.1.2 -> 2.0.1 GHSA-vpq2-c234-7xj6 (low) @better-auth/oauth-provider mirrors the existing @better-auth/scim pre-release pin (same monorepo, same advisory class). uuid pins to the conservative ^11.1.1 LTS line rather than the latest major. svelte is an optional peer-of-a-peer (better-auth > @sveltejs/kit) that `overrides` alone cannot re-resolve, so it is additionally pinned via a `svelte` devDependency in the root (private) package.json so the peer dedupes onto the patched 5.56.x line; both are documented in pnpm-workspace.yaml. Verified: no vulnerable version remains in the lockfile and `pnpm install --frozen-lockfile` is in sync. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE
The @better-auth/oauth-provider fix (GHSA-p2fr-6hmx-4528) only ships in the 1.7 line, whose plugins import CLIENT_ASSERTION_TYPE and other symbols that exist only in @better-auth/core 1.7.x. Pinning oauth-provider to 1.7.0-rc.1 while core/better-auth stayed on 1.6.23 made sign-in 500 at runtime ("@better-auth/core/oauth2 does not provide an export named CLIENT_ASSERTION_TYPE"), failing the dogfood regression gate. Pin the ENTIRE better-auth family (better-auth, @better-auth/core, and all @better-auth/* plugins/adapters) to 1.7.0-rc.1 via pnpm-workspace overrides so the stack is internally consistent. better-auth 1.7 also adds two methods to its CustomAdapter contract, now implemented in the ObjectQL adapter as find-then-write mirrors of the existing delete/update methods (ObjectQL has no native atomic primitive): - consumeOne: atomic single-row consume (used for verification tokens on the sign-in path) - incrementOne: guarded field = field + delta counter mutation Verified locally: plugin-auth builds (dts included) and all 440 unit tests pass; frozen-lockfile is in sync; only plugin-auth consumes better-auth. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE
Contributor
📓 Docs Drift CheckThis PR changes 2 package(s): 10 hand-written doc(s) reference the affected code and may need an implementation-accuracy re-verification:
|
better-auth 1.7 extends its `jwks` model with two new optional columns — `alg`
(signing algorithm, e.g. EdDSA) and `crv` (curve, e.g. Ed25519) — and writes
them when minting signing keys. The `sys_jwks` platform object lacked both, so
every JWKS insert failed at the driver ("table sys_jwks has no column named
alg"), 500ing token signing. Sign-in itself succeeded, but session validation
(which touches the JWKS/JWT path) then failed, so every authenticated request
returned 401 — surfacing as the dogfood regression gate's "expected 201/403,
got 401" failures.
Add the two optional `alg`/`crv` text fields to sys_jwks. Legacy rows minted
before 1.7 leave them null; better-auth falls back to the configured
keyPairConfig.alg (default EdDSA).
Verified locally: the full @objectstack/dogfood suite passes (256 tests, 0
failures) with the better-auth family on 1.7.0-rc.1.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
pnpm audit --audit-level=highin the Validate Package Dependencies workflow fails on every branch/PR since 2026-07-13. npm retired the audit endpoint:pnpm (incl. latest) hasn't migrated to the bulk advisory endpoint, so upgrading pnpm is not a fix. The check is permanently red for all PRs. Fixes #2974.
Changes
1. Replace the retired
pnpm auditstep with OSV-Scanner (.github/workflows/validate-deps.yml) — the SHA-pinnedgoogle/osv-scanner-action/osv-scanner-action@…v2.3.8scanspnpm-lock.yamlagainst the OSV database and exits non-zero on any advisory match. A blocking gate with no dependency on the retired npm endpoint. Verified working in CI (Validate Dependencies is green).2. Trigger the workflow on changes to its own file so gate edits are exercised on the PR that introduces them.
3. Remediate the 9 pre-existing advisories the new gate surfaced (
pnpm-workspace.yamloverrides + lockfile). OSV-Scanner blocks on any severity and flagged real vulns already in the lockfile (the old high-only gate would also be red —uuidis High):uuid^11.1.1postcss^8.5.10cookie0.7.0svelte^5.55.7@tootallnate/once2.0.1@better-auth/oauth-provider1.7.0-rc.1uuidpins to the conservative^11.1.1LTS line.svelteis an optional peer-of-a-peer thatoverridescan't re-resolve alone, so it's additionally pinned via a root (private)sveltedevDependency — documented inpnpm-workspace.yaml.4. Align the whole better-auth family to
1.7.0-rc.1+ implement two new adapter methods (plugin-auth). The oauth-provider fix only ships in the 1.7 line, whose plugins importCLIENT_ASSERTION_TYPE(and more) from@better-auth/core1.7.x — so pinning just the plugin against 1.6.23 core 500'd sign-in and failed the dogfood gates. Fix: pinbetter-auth+@better-auth/core+ all@better-auth/*to1.7.0-rc.1(consistent stack; matches the pre-existing@better-auth/scimrc.1 pin). better-auth 1.7 also extends itsCustomAdapterwithconsumeOne(atomic single-row consume — verification tokens on sign-in) andincrementOne(guarded counter mutation); the ObjectQL adapter now implements both as find-then-write mirrors of its existingdelete/updatemethods.5. Update the release hardening checklist (
docs/HARDENING.md) to useosv-scanner.Verification
pnpm-lock.yaml;pnpm install --frozen-lockfileis in sync.@better-auth/core@1.7.0-rc.1confirmed to exportCLIENT_ASSERTION_TYPE; plugin-auth builds (types included); all 440 plugin-auth unit tests pass; plugin-auth is the only better-auth consumer. The dogfood gates (Test Core,Dogfood Regression Gate) validate the full sign-in path in CI.🤖 Generated with Claude Code
https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE