Skip to content

Replace pnpm audit with osv-scanner#334

Merged
umair-ably merged 1 commit intomainfrom
fix/replace-pnpm-audit-with-osv-scanner
Apr 16, 2026
Merged

Replace pnpm audit with osv-scanner#334
umair-ably merged 1 commit intomainfrom
fix/replace-pnpm-audit-with-osv-scanner

Conversation

@umair-ably
Copy link
Copy Markdown
Collaborator

@umair-ably umair-ably commented Apr 15, 2026

Summary

  • npm has retired the legacy audit endpoints (/-/npm/v1/security/audits/quick and /-/npm/v1/security/audits) returning 410 for all requests (pnpm/pnpm#11265). This affects all pnpm 10.x/11.x versions with no upstream fix available.
  • Replaces pnpm audit with Google's osv-scanner, which reads lockfiles directly against the OSV database — no dependency on the npm registry API.
  • A single bin/osv-audit script handles downloading, checksum-verifying, and running osv-scanner. Same script used in ably/website#8255.
  • Supports --level critical|high|medium|low to control the failure threshold (set to critical to match the previous pnpm audit --audit-level=critical behaviour).
  • CI workflow simplified: no pnpm/node setup or pnpm install needed since osv-scanner reads lockfiles directly.

Changes

  • bin/osv-audit — new script that downloads osv-scanner (pinned to v2.3.5), verifies the binary against release SHA256 checksums, scans specified lockfiles, and fails only if vulnerabilities at or above the configured severity threshold are found.
  • .github/workflows/audit.yml — replaced pnpm audit with bin/osv-audit --level critical; removed pnpm/node setup steps and pnpm install (no longer needed). Scans all three lockfiles: root, examples/web-cli, and packages/react-web-cli.

Keeping osv-scanner up to date

The osv-scanner binary version is pinned in bin/osv-audit. This is intentional — the vulnerability database is fetched live from osv.dev on every scan, so an older binary doesn't miss CVEs. Releases happen every 3-5 weeks and are mostly additive (new ecosystem support, performance, bug fixes). The core lockfile scanning path is stable.

Bumping the version is a one-line change to OSV_SCANNER_VERSION — the checksum verification fetches the matching SHA256SUMS from the same release, so no other changes are needed.

Test plan

  • Security Audit GitHub Actions job passes
  • Verified locally: bin/osv-audit --level critical pnpm-lock.yaml passes (0 critical vulns)
  • Verified locally: bin/osv-audit --level critical pnpm-lock.yaml examples/web-cli/pnpm-lock.yaml packages/react-web-cli/pnpm-lock.yaml passes (0 critical, 19 high, 17 medium, 8 low — all below threshold)

@vercel
Copy link
Copy Markdown

vercel bot commented Apr 15, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
cli-web-cli Ready Ready Preview, Comment Apr 15, 2026 6:14pm

Request Review

@umair-ably
Replace pnpm audit with osv-scanner
951269c 
npm has retired the legacy audit endpoints that pnpm uses, returning
410 for all requests (pnpm/pnpm#11265). This affects all pnpm 10.x
and 11.x versions with no upstream fix available.

Replace pnpm audit with Google's osv-scanner, which reads lockfiles
directly against the OSV database without depending on the npm
registry API. A single bin/osv-audit script downloads a pinned,
checksum-verified osv-scanner binary and scans all three lockfiles
(root, examples/web-cli, packages/react-web-cli).

The CI workflow is simplified: no pnpm/node setup or dependency
install needed since osv-scanner reads lockfiles directly.
@umair-ably umair-ably force-pushed the fix/replace-pnpm-audit-with-osv-scanner branch from 5966414 to 951269c Compare April 15, 2026 18:13
@claude-code-ably-assistant
Copy link
Copy Markdown

claude-code-ably-assistant bot commented Apr 15, 2026

Walkthrough

This PR replaces pnpm audit in the Security Audit CI workflow with Google's osv-scanner. The change was necessary because npm retired its legacy audit endpoints (/-/npm/v1/security/audits/*), causing pnpm audit to return HTTP 410 errors across all pnpm 10.x/11.x versions with no upstream fix available. The new approach reads lockfiles directly against the OSV database without requiring npm registry access, Node.js setup, or a pnpm install step.

Changes

Area Files Summary
CI / Config .github/workflows/audit.yml Replaces 4-step pnpm audit job (setup-pnpm, setup-node, install, audit) with a single bin/osv-audit invocation; now scans all three lockfiles explicitly
Scripts bin/osv-audit (new, 156 lines) Bash script that downloads a pinned (v2.3.5), checksum-verified osv-scanner binary, scans one or more lockfiles, and exits non-zero only if vulnerabilities meet or exceed the configured --level threshold

Review Notes

  • New external binary download at CI time: bin/osv-audit fetches the osv-scanner binary from GitHub Releases on each run (pinned to v2.3.5, SHA256-verified, cached in /tmp). Reviewers should confirm the checksum verification logic is solid and that the download URL pattern matches the osv-scanner release structure.
  • jq dependency: The script requires jq to parse scanner output. It is not installed explicitly in the updated workflow step — worth confirming it is available on the GitHub-hosted runner image (ubuntu-latest ships with jq, but this is implicit).
  • Broader lockfile coverage: All three lockfiles (root, examples/web-cli, packages/react-web-cli) are now explicitly scanned. The previous pnpm audit covered the root workspace only, so this is an improvement in coverage.
  • CVSS score mapping: The --level flag maps to CVSS thresholds (critical ≥ 9.0, high ≥ 7.0, medium ≥ 4.0, low > 0). This is a reasonable approximation but may not exactly match advisory-level labels from every ecosystem.
  • No application code or test changes: This is a pure CI infrastructure change — no source files, commands, or unit tests are affected.

Generated by Claude Code

sacOO7
sacOO7 reviewed Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@sacOO7 sacOO7 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems pnpm audit is green again on main
osv-scanner can be made fallback to pnpm audit wdyt
Not sure how many times pnpm audit goes down

@sacOO7
Copy link
Copy Markdown
Contributor

sacOO7 commented Apr 16, 2026

Seems pnpm audit is green again on main osv-scanner can be made fallback to pnpm audit wdyt Not sure how many times pnpm audit goes down

Seems, we can't trust pnpm audit, it started failing again : (

@umair-ably
Copy link
Copy Markdown
Collaborator Author

umair-ably commented Apr 16, 2026

yeah let's get this in... there's no need for fallbacks if 1 tool just works as expected (for something in a non business critical path) @sacOO7

sacOO7
sacOO7 approved these changes Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@sacOO7 sacOO7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@umair-ably umair-ably merged commit 12ef045 into main Apr 16, 2026
14 of 16 checks passed
@umair-ably umair-ably deleted the fix/replace-pnpm-audit-with-osv-scanner branch April 16, 2026 09:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sacOO7 sacOO7 sacOO7 approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@umair-ably @sacOO7