Replace pnpm audit with osv-scanner#334

Open
umair-ably wants to merge 1 commit intomainfrom
fix/replace-pnpm-audit-with-osv-scanner

Conversation

@umair-ably
Collaborator

Summary

  • npm has retired the legacy audit endpoints (/-/npm/v1/security/audits/quick and /-/npm/v1/security/audits) returning 410 for all requests (pnpm/pnpm#11265). This affects all pnpm 10.x/11.x versions with no upstream fix available.
  • Replaces pnpm audit with Google's osv-scanner, which reads lockfiles directly against the OSV database — no dependency on the npm registry API.
  • A single bin/osv-audit script handles downloading, checksum-verifying, and running osv-scanner. Same script used in ably/website#8255.
  • Supports --level critical|high|medium|low to control the failure threshold (set to critical to match the previous pnpm audit --audit-level=critical behaviour).
  • CI workflow simplified: no pnpm/node setup or pnpm install needed since osv-scanner reads lockfiles directly.

Changes

  • bin/osv-audit — new script that downloads osv-scanner (pinned to v2.3.5), verifies the binary against release SHA256 checksums, scans specified lockfiles, and fails only if vulnerabilities at or above the configured severity threshold are found.
  • .github/workflows/audit.yml — replaced pnpm audit with bin/osv-audit --level critical; removed pnpm/node setup steps and pnpm install (no longer needed). Scans all three lockfiles: root, examples/web-cli, and packages/react-web-cli.

Keeping osv-scanner up to date

The osv-scanner binary version is pinned in bin/osv-audit. This is intentional — the vulnerability database is fetched live from osv.dev on every scan, so an older binary doesn't miss CVEs. Releases happen every 3-5 weeks and are mostly additive (new ecosystem support, performance, bug fixes). The core lockfile scanning path is stable.

Bumping the version is a one-line change to OSV_SCANNER_VERSION — the checksum verification fetches the matching SHA256SUMS from the same release, so no other changes are needed.

Test plan

  • Security Audit GitHub Actions job passes
  • Verified locally: bin/osv-audit --level critical pnpm-lock.yaml passes (0 critical vulns)
  • Verified locally: bin/osv-audit --level critical pnpm-lock.yaml examples/web-cli/pnpm-lock.yaml packages/react-web-cli/pnpm-lock.yaml passes (0 critical, 19 high, 17 medium, 8 low — all below threshold)
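The two checks the description attributes to bin/osv-audit, verifying the download against the release SHA256SUMS and failing only at or above the --level threshold, as an added Python example that is not the project's script. The osv-scanner JSON shape it reads (results[].packages[].groups[].max_severity) is an assumption about the scanner's --format json output, and all sample inputs are constructed.

```python
import hashlib
import json

# Minimum CVSS score that fails the build at each --level, as described in the PR.
LEVEL_THRESHOLDS = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 0.0}


def verify_sha256sums(sums_text: str, asset: str, data: bytes) -> bool:
    """True only if `data` hashes to the entry for `asset` in a SHA256SUMS file."""
    expected = None
    for line in sums_text.splitlines():
        parts = line.split()
        # Lines look like "<hex digest>  <filename>" (a leading '*' marks binary mode).
        if len(parts) == 2 and parts[1].lstrip("*") == asset:
            expected = parts[0].lower()
    if expected is None:
        return False  # no entry for this asset: refuse to trust the download
    return hashlib.sha256(data).hexdigest() == expected


def max_severity(report: dict) -> float:
    """Highest numeric max_severity over all vulnerability groups (assumed JSON shape)."""
    worst = 0.0
    for result in report.get("results", []):
        for pkg in result.get("packages", []):
            for group in pkg.get("groups", []):
                score = group.get("max_severity")
                if score not in (None, ""):  # groups without CVSS data are skipped
                    worst = max(worst, float(score))
    return worst


def exceeds_level(report: dict, level: str) -> bool:
    """Decide whether the scan should fail CI at the given --level."""
    worst = max_severity(report)
    if level == "low":
        return worst > 0.0  # the PR maps "low" to any score above zero
    return worst >= LEVEL_THRESHOLDS[level]


# Constructed sample inputs: a fake binary with a matching SHA256SUMS line, and a
# report holding one high (7.5) and one medium (4.0) group, so --level critical passes.
SAMPLE_BINARY = b"not a real osv-scanner binary"
SAMPLE_SUMS = hashlib.sha256(SAMPLE_BINARY).hexdigest() + "  osv-scanner_linux_amd64\n"
SAMPLE_REPORT = json.loads(
    '{"results":[{"packages":[{"groups":[{"max_severity":"7.5"},{"max_severity":"4.0"}]}]}]}'
)
```

A tampered binary, a checksum file without an entry for the requested asset, and a report with no groups are all handled as failures or as a clean pass respectively, which is the behaviour a CI gate needs.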

@vercel

vercel bot commented Apr 15, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
|---------|------------|---------|---------------|
| cli-web-cli | Ready | Preview, Comment | Apr 15, 2026 6:14pm |

npm has retired the legacy audit endpoints that pnpm uses, returning
410 for all requests (pnpm/pnpm#11265). This affects all pnpm 10.x
and 11.x versions with no upstream fix available.

Replace pnpm audit with Google's osv-scanner, which reads lockfiles
directly against the OSV database without depending on the npm
registry API. A single bin/osv-audit script downloads a pinned,
checksum-verified osv-scanner binary and scans all three lockfiles
(root, examples/web-cli, packages/react-web-cli).

The CI workflow is simplified: no pnpm/node setup or dependency
install needed since osv-scanner reads lockfiles directly.
@umair-ably umair-ably force-pushed the fix/replace-pnpm-audit-with-osv-scanner branch from 5966414 to 951269c on April 15, 2026 18:13
@claude-code-ably-assistant

Walkthrough

This PR replaces pnpm audit in the Security Audit CI workflow with Google's osv-scanner. The change was necessary because npm retired its legacy audit endpoints (/-/npm/v1/security/audits/*), causing pnpm audit to return HTTP 410 errors across all pnpm 10.x/11.x versions with no upstream fix available. The new approach reads lockfiles directly against the OSV database without requiring npm registry access, Node.js setup, or a pnpm install step.

Changes

| Area | Files | Summary |
|------|-------|---------|
| CI / Config | .github/workflows/audit.yml | Replaces 4-step pnpm audit job (setup-pnpm, setup-node, install, audit) with a single bin/osv-audit invocation; now scans all three lockfiles explicitly |
| Scripts | bin/osv-audit (new, 156 lines) | Bash script that downloads a pinned (v2.3.5), checksum-verified osv-scanner binary, scans one or more lockfiles, and exits non-zero only if vulnerabilities meet or exceed the configured --level threshold |

Review Notes

  • New external binary download at CI time: bin/osv-audit fetches the osv-scanner binary from GitHub Releases on each run (pinned to v2.3.5, SHA256-verified, cached in /tmp). Reviewers should confirm the checksum verification logic is solid and that the download URL pattern matches the osv-scanner release structure.
  • jq dependency: The script requires jq to parse scanner output. It is not installed explicitly in the updated workflow step — worth confirming it is available on the GitHub-hosted runner image (ubuntu-latest ships with jq, but this is implicit).
  • Broader lockfile coverage: All three lockfiles (root, examples/web-cli, packages/react-web-cli) are now explicitly scanned. The previous pnpm audit covered the root workspace only, so this is an improvement in coverage.
  • CVSS score mapping: The --level flag maps to CVSS thresholds (critical ≥ 9.0, high ≥ 7.0, medium ≥ 4.0, low > 0). This is a reasonable approximation but may not exactly match advisory-level labels from every ecosystem.
  • No application code or test changes: This is a pure CI infrastructure change — no source files, commands, or unit tests are affected.

Generated by Claude Code

Contributor

@sacOO7 sacOO7 left a comment


Seems pnpm audit is green again on main.
osv-scanner can be made a fallback to pnpm audit, wdyt?
Not sure how many times pnpm audit goes down.
