nick-doc/Issues/ISSUE-102-backend-14-high-severity-npm-vulns-no-audit-step-in-ci.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00


| issue | title | severity | domain | labels | status | created | source |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 102 | Backend: 14 high-severity npm vulnerabilities, no audit step in CI | medium | Dependencies | security, backend, dependencies, ci-cd | open | 2026-05-30 | Full Codebase Audit 2026-05-30 |

Backend: 14 high-severity npm vulnerabilities, no audit step in CI

Severity: medium Domain: Dependencies Labels: security, backend, dependencies, ci-cd

Description

npm audit reports 14 high-severity findings against the backend's production dependencies (flagged packages include mongoose, multer and axios). No step in the CI pipeline runs npm audit, so the count is never surfaced on a build and newly disclosed vulnerabilities accumulate silently.

Options

  1. Add npm audit (or audit-ci) as a non-blocking report step first, then make blocking.
  2. Upgrade the flagged packages and add a blocking audit gate.
  3. Adopt Renovate/Dependabot plus a CI audit step.

Recommendation

Add an audit step that starts as a non-blocking report, prioritize upgrading the 14 high-severity findings, then make the gate blocking. Package upgrades can break the backend, so run the test suite against the upgraded lockfile before the gate becomes mandatory.

Affected Files

  • backend/package.json
  • backend/.woodpecker/development.yml — add audit step

References