Skip to content

ci(validate-deps): replace retired pnpm audit with OSV-Scanner#2986

Merged
os-zhuang merged 5 commits into
mainfrom
claude/ci-validate-deps-pnpm-audit-riolle
Jul 16, 2026
Merged

ci(validate-deps): replace retired pnpm audit with OSV-Scanner#2986
os-zhuang merged 5 commits into
mainfrom
claude/ci-validate-deps-pnpm-audit-riolle

Conversation

@os-zhuang

@os-zhuang os-zhuang commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Problem

pnpm audit --audit-level=high in the Validate Package Dependencies workflow fails on every branch/PR since 2026-07-13. npm retired the audit endpoint:

ERR_PNPM_AUDIT_BAD_RESPONSE  The audit endpoint (at
https://registry.npmjs.org/-/npm/v1/security/audits/quick) responded with 410:
{"error":"This endpoint is being retired. Use the bulk advisory endpoint
instead. ..."}

pnpm (incl. latest) hasn't migrated to the bulk advisory endpoint, so upgrading pnpm is not a fix. The check is permanently red for all PRs. Fixes #2974.

Changes

1. Replace the retired pnpm audit step with OSV-Scanner (.github/workflows/validate-deps.yml) — the SHA-pinned google/osv-scanner-action/osv-scanner-action@…v2.3.8 scans pnpm-lock.yaml against the OSV database and exits non-zero on any advisory match. A blocking gate with no dependency on the retired npm endpoint. Verified working in CI (Validate Dependencies is green).

2. Trigger the workflow on changes to its own file so gate edits are exercised on the PR that introduces them.

3. Remediate the 9 pre-existing advisories the new gate surfaced (pnpm-workspace.yaml overrides + lockfile). OSV-Scanner blocks on any severity and flagged real vulns already in the lockfile (the old high-only gate would also be red — uuid is High):

Package Was Now Advisory
uuid 8.3.2 ^11.1.1 GHSA-w5hq-g745-h8pq (High)
postcss 8.4.31 ^8.5.10 GHSA-qx2v-qp2m-jg93
cookie 0.6.0 0.7.0 GHSA-pxg6-pf52-xh8x
svelte 5.55.3 ^5.55.7 GHSA-9rmh-mm8f-r9h6 + 3
@tootallnate/once 1.1.2 2.0.1 GHSA-vpq2-c234-7xj6 (Low)
@better-auth/oauth-provider 1.6.23 1.7.0-rc.1 GHSA-p2fr-6hmx-4528

uuid pins to the conservative ^11.1.1 LTS line. svelte is an optional peer-of-a-peer that overrides can't re-resolve alone, so it's additionally pinned via a root (private) svelte devDependency — documented in pnpm-workspace.yaml.

4. Align the whole better-auth family to 1.7.0-rc.1 + implement two new adapter methods (plugin-auth). The oauth-provider fix only ships in the 1.7 line, whose plugins import CLIENT_ASSERTION_TYPE (and more) from @better-auth/core 1.7.x — so pinning just the plugin against 1.6.23 core 500'd sign-in and failed the dogfood gates. Fix: pin better-auth + @better-auth/core + all @better-auth/* to 1.7.0-rc.1 (consistent stack; matches the pre-existing @better-auth/scim rc.1 pin). better-auth 1.7 also extends its CustomAdapter with consumeOne (atomic single-row consume — verification tokens on sign-in) and incrementOne (guarded counter mutation); the ObjectQL adapter now implements both as find-then-write mirrors of its existing delete/update methods.

5. Update the release hardening checklist (docs/HARDENING.md) to use osv-scanner.

Verification

  • No vulnerable version remains in pnpm-lock.yaml; pnpm install --frozen-lockfile is in sync.
  • Validate Dependencies (OSV gate): green.
  • @better-auth/core@1.7.0-rc.1 confirmed to export CLIENT_ASSERTION_TYPE; plugin-auth builds (types included); all 440 plugin-auth unit tests pass; plugin-auth is the only better-auth consumer. The dogfood gates (Test Core, Dogfood Regression Gate) validate the full sign-in path in CI.

🤖 Generated with Claude Code

https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE

npm retired the audit endpoint (HTTP 410, "This endpoint is being
retired. Use the bulk advisory endpoint instead.") on 2026-07-13, and
pnpm has not migrated to the bulk advisory endpoint. As a result
`pnpm audit --audit-level=high` fails unconditionally on every branch and
PR, turning the Validate Package Dependencies check permanently red
(issue #2974).

Replace the step with google/osv-scanner-action (pinned by commit SHA),
which reads pnpm-lock.yaml directly against the OSV database and exits
non-zero when any advisory matches — restoring a working blocking
security gate without depending on the retired npm endpoint.

Also update the release hardening checklist in docs/HARDENING.md to use
osv-scanner, since `pnpm audit` no longer works locally either.

Note: OSV-Scanner gates on any severity rather than only high/critical.
Specific advisories can be accepted via an osv-scanner.toml
[[IgnoredVulns]] entry instead of lowering the gate.

Fixes #2974

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE
@vercel

vercel Bot commented Jul 15, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
spec Canceled Canceled Jul 15, 2026 5:06pm

Request Review

@github-actions github-actions Bot added documentation Improvements or additions to documentation ci/cd size/s labels Jul 15, 2026
claude added 2 commits July 15, 2026 15:37
So edits to the dependency-validation gates are exercised on the PR that
introduces them, rather than only when a dependency manifest changes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE
The OSV-Scanner gate (replacing the retired `pnpm audit`) blocks on any
severity and surfaced 9 pre-existing advisories in pnpm-lock.yaml across
6 packages. Pin each to its patched line, following the existing
pnpm-workspace.yaml `overrides` convention:

  - uuid            8.3.2  -> ^11.1.1  GHSA-w5hq-g745-h8pq (high)
  - @better-auth/oauth-provider 1.6.23 -> 1.7.0-rc.1  GHSA-p2fr-6hmx-4528
  - postcss         8.4.31 -> ^8.5.10  GHSA-qx2v-qp2m-jg93
  - cookie          0.6.0  -> 0.7.0    GHSA-pxg6-pf52-xh8x
  - svelte          5.55.3 -> ^5.55.7  GHSA-9rmh-mm8f-r9h6 + 3 more
  - @tootallnate/once 1.1.2 -> 2.0.1   GHSA-vpq2-c234-7xj6 (low)

@better-auth/oauth-provider mirrors the existing @better-auth/scim
pre-release pin (same monorepo, same advisory class). uuid pins to the
conservative ^11.1.1 LTS line rather than the latest major.

svelte is an optional peer-of-a-peer (better-auth > @sveltejs/kit) that
`overrides` alone cannot re-resolve, so it is additionally pinned via a
`svelte` devDependency in the root (private) package.json so the peer
dedupes onto the patched 5.56.x line; both are documented in
pnpm-workspace.yaml.

Verified: no vulnerable version remains in the lockfile and
`pnpm install --frozen-lockfile` is in sync.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE
@github-actions github-actions Bot added the dependencies Pull requests that update a dependency file label Jul 15, 2026
The @better-auth/oauth-provider fix (GHSA-p2fr-6hmx-4528) only ships in the
1.7 line, whose plugins import CLIENT_ASSERTION_TYPE and other symbols that
exist only in @better-auth/core 1.7.x. Pinning oauth-provider to 1.7.0-rc.1
while core/better-auth stayed on 1.6.23 made sign-in 500 at runtime
("@better-auth/core/oauth2 does not provide an export named
CLIENT_ASSERTION_TYPE"), failing the dogfood regression gate.

Pin the ENTIRE better-auth family (better-auth, @better-auth/core, and all
@better-auth/* plugins/adapters) to 1.7.0-rc.1 via pnpm-workspace overrides so
the stack is internally consistent.

better-auth 1.7 also adds two methods to its CustomAdapter contract, now
implemented in the ObjectQL adapter as find-then-write mirrors of the existing
delete/update methods (ObjectQL has no native atomic primitive):
  - consumeOne: atomic single-row consume (used for verification tokens on the
    sign-in path)
  - incrementOne: guarded field = field + delta counter mutation

Verified locally: plugin-auth builds (dts included) and all 440 unit tests
pass; frozen-lockfile is in sync; only plugin-auth consumes better-auth.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE
@github-actions

github-actions Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

📓 Docs Drift Check

This PR changes 2 package(s): @objectstack/platform-objects, @objectstack/plugin-auth.

10 hand-written doc(s) reference the affected code and may need an implementation-accuracy re-verification:

  • content/docs/deployment/production-readiness.mdx (via @objectstack/plugin-auth)
  • content/docs/getting-started/cli.mdx (via @objectstack/plugin-auth)
  • content/docs/kernel/services-checklist.mdx (via @objectstack/plugin-auth)
  • content/docs/permissions/authentication.mdx (via @objectstack/plugin-auth)
  • content/docs/permissions/sso.mdx (via @objectstack/plugin-auth)
  • content/docs/plugins/index.mdx (via @objectstack/plugin-auth)
  • content/docs/plugins/packages.mdx (via @objectstack/platform-objects, @objectstack/plugin-auth)
  • content/docs/releases/implementation-status.mdx (via @objectstack/plugin-auth)
  • content/docs/releases/v9.mdx (via @objectstack/plugin-auth)
  • content/docs/ui/setup-app.mdx (via @objectstack/platform-objects)

Advisory only. To re-verify, run the docs-accuracy-audit workflow scoped to these files:
node scripts/docs-audit/affected-docs.mjs origin/main → pass the list as args.docs.

better-auth 1.7 extends its `jwks` model with two new optional columns — `alg`
(signing algorithm, e.g. EdDSA) and `crv` (curve, e.g. Ed25519) — and writes
them when minting signing keys. The `sys_jwks` platform object lacked both, so
every JWKS insert failed at the driver ("table sys_jwks has no column named
alg"), 500ing token signing. Sign-in itself succeeded, but session validation
(which touches the JWKS/JWT path) then failed, so every authenticated request
returned 401 — surfacing as the dogfood regression gate's "expected 201/403,
got 401" failures.

Add the two optional `alg`/`crv` text fields to sys_jwks. Legacy rows minted
before 1.7 leave them null; better-auth falls back to the configured
keyPairConfig.alg (default EdDSA).

Verified locally: the full @objectstack/dogfood suite passes (256 tests, 0
failures) with the better-auth family on 1.7.0-rc.1.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_015JoYhorCUhGc8bgFYsErfE
@os-zhuang os-zhuang marked this pull request as ready for review July 16, 2026 01:04
@os-zhuang os-zhuang merged commit aead168 into main Jul 16, 2026
17 checks passed
@os-zhuang os-zhuang deleted the claude/ci-validate-deps-pnpm-audit-riolle branch July 16, 2026 01:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci/cd dependencies Pull requests that update a dependency file documentation Improvements or additions to documentation size/m tooling

Projects

None yet

Development

Successfully merging this pull request may close these issues.

CI: validate-deps 的 pnpm audit 因 npm audit 端点退役(410)全线失败

2 participants