
Conversation

Contributor

Copilot AI commented Jan 22, 2026

Automates vulnerability patching across all package.json files by running npm audit fix daily and opening a PR with changes.

Implementation

  • Workflow: .github/workflows/update-npm-audit.yml

    • Scheduled daily at 17:00 UTC (noon ET)
    • Triggers on: schedule, workflow_dispatch
    • Uses Node.js 22.13.0 with npm caching
  • Execution order (respects dependency chain):

    1. src/RealtimeServer
    2. src/SIL.XForge.Scripture/ClientApp
    3. scripts/db_tools
  • Process per package: npm ci → npm audit fix → commit changes

  • PR creation: Uses peter-evans/create-pull-request@v7.0.5 (consistent with update-font-list.yml and update-localizations.yml)

The workflow continues on error to handle packages with no vulnerabilities.

Original prompt

We often need to update NPM dependencies due to vulnerabilities, by running npm audit fix. It would be good to automate this using a GitHub action, and automatically open a PR.

A couple notes:

  • We already have some actions that automatically create PRs. Please use the same approach in the action you create.
  • There are several package.json files in the repo. They should all have npm audit fix run.
  • The packages in ClientApp depend on the packages in RealtimeServer, so make sure to run it in RealtimeServer first, before ClientApp.
  • Please make it run daily around noon eastern time.
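The following is an added example of how the workflow described above could be written, not the PR's own .github/workflows/update-npm-audit.yml. It follows the stated design (daily 17:00 UTC schedule plus workflow_dispatch, Node.js 22.13.0 with npm caching, npm ci then npm audit fix in RealtimeServer, ClientApp and db_tools in that order, peter-evans/create-pull-request v7.0.5) and adds the hardening a reviewer would ask for: actions pinned to commit SHAs (the `<full-commit-sha-...>` values are placeholders to resolve, not real identifiers), an explicit least-privilege `permissions` block, `persist-credentials: false`, and `--ignore-scripts` so third-party install scripts do not run with repository access during the fix. The lockfile paths, branch name and PR text are assumptions.

```yaml
# Added example, not the repository's own workflow file.
# Replace each <full-commit-sha-...> placeholder with the real commit hash of the tagged release.
name: Update npm audit

on:
  schedule:
    - cron: '0 17 * * *'   # 17:00 UTC daily; cron is UTC and does not follow daylight-saving changes
  workflow_dispatch:

# Least privilege: only what is needed to push a branch and open a pull request.
permissions:
  contents: write
  pull-requests: write

# Avoid two scheduled/manual runs racing on the same branch.
concurrency:
  group: update-npm-audit
  cancel-in-progress: true

jobs:
  audit-fix:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        # Pin to a full commit SHA; a bare tag is what zizmor's unpinned-action-reference check flags.
        uses: actions/checkout@<full-commit-sha-for-v5> # v5
        with:
          # Do not leave GITHUB_TOKEN in .git/config while npm runs dependency lifecycle scripts.
          # create-pull-request authenticates with its own `token` input instead.
          persist-credentials: false

      - name: Set up Node
        uses: actions/setup-node@<full-commit-sha-for-v5> # v5
        with:
          node-version: 22.13.0
          cache: npm
          # Assumed lockfile locations, one per package.json in the repository.
          cache-dependency-path: |
            src/RealtimeServer/package-lock.json
            src/SIL.XForge.Scripture/ClientApp/package-lock.json
            scripts/db_tools/package-lock.json

      # Order matters: ClientApp depends on RealtimeServer, so RealtimeServer is fixed first.
      # `npm audit fix` exits non-zero when vulnerabilities remain that it cannot fix, so a
      # per-directory `||` keeps one unfixable finding from aborting the rest of the run.
      - name: Run npm audit fix in dependency order
        run: |
          set -u
          for dir in src/RealtimeServer src/SIL.XForge.Scripture/ClientApp scripts/db_tools; do
            echo "::group::$dir"
            ( cd "$dir" && npm ci --ignore-scripts && npm audit fix --ignore-scripts ) \
              || echo "::warning::npm audit fix left unfixable findings in $dir"
            echo "::endgroup::"
          done

      - name: Open pull request
        uses: peter-evans/create-pull-request@<full-commit-sha-for-v7.0.5> # v7.0.5
        with:
          commit-message: 'Update npm dependencies via npm audit fix'
          title: 'Automated npm audit fix'
          body: 'Daily `npm audit fix` across RealtimeServer, ClientApp and db_tools.'
          branch: automated/npm-audit-fix
          delete-branch: true
          # Only manifest and lockfile changes go into the PR, never stray build output.
          add-paths: |
            src/RealtimeServer/package.json
            src/RealtimeServer/package-lock.json
            src/SIL.XForge.Scripture/ClientApp/package.json
            src/SIL.XForge.Scripture/ClientApp/package-lock.json
            scripts/db_tools/package.json
            scripts/db_tools/package-lock.json
```

Two caveats worth knowing before adopting this. First, 17:00 UTC is noon Eastern only while Eastern Standard Time is in effect; during daylight-saving time it is 1 pm, because GitHub's cron schedule is fixed in UTC. Second, if ClientApp's dependency on RealtimeServer relies on a `prepare` or build script running at install time, `--ignore-scripts` will skip it; in that case drop the flag for those two directories and accept that dependency install scripts run in the job, which is exactly why `persist-credentials: false` matters. Also, pull requests opened with the default GITHUB_TOKEN do not trigger `on: pull_request` workflows; use a GitHub App or fine-grained token via the action's `token` input if the PR's own CI must run automatically.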


Copilot AI and others added 3 commits January 22, 2026 19:12
Co-authored-by: Nateowami <6140710+Nateowami@users.noreply.github.com>
Co-authored-by: Nateowami <6140710+Nateowami@users.noreply.github.com>
Co-authored-by: Nateowami <6140710+Nateowami@users.noreply.github.com>
Copilot AI changed the title [WIP] Add GitHub action to automate NPM dependency updates Automate npm audit fix via daily GitHub Action Jan 22, 2026
Copilot AI requested a review from Nateowami January 22, 2026 19:16

steps:
- name: Checkout repository
uses: actions/checkout@v5

Check failure (Code scanning / zizmor): unpinned action reference [Error]
persist-credentials: true

- name: Set up Node
uses: actions/setup-node@v5

Check failure (Code scanning / zizmor): unpinned action reference [Error]
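Review bot: both `uses:` lines in this region reference mutable tags (`actions/checkout@v5` and `actions/setup-node@v5`), which is what the two zizmor unpinned-action-reference findings point at; pin each to the full commit SHA of the tagged release and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<sha> # v5`, so the reference cannot be silently retargeted. Separately, `persist-credentials: true` on the checkout step keeps GITHUB_TOKEN in `.git/config` for the rest of the job, which here includes the `npm ci` and `npm audit fix` steps that execute dependency lifecycle scripts; unless a later `git push` step relies on that stored credential, set `persist-credentials: false` and let the pull-request action authenticate through its own `token` input.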
@codecov

codecov bot commented Jan 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.52%. Comparing base (6563e48) to head (f42f525).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #3645   +/-   ##
=======================================
  Coverage   83.52%   83.52%           
=======================================
  Files         610      610           
  Lines       37512    37512           
  Branches     6172     6148   -24     
=======================================
  Hits        31332    31332           
- Misses       5226     5239   +13     
+ Partials      954      941   -13     


@Nateowami
Collaborator

This PR has Zizmor failures that should be fixed by the merging of #3646.

