From b3d32c08e928823d26c0b4ec9909a3afc13cfbfa Mon Sep 17 00:00:00 2001
From: Ricearoni1245
Date: Thu, 2 Apr 2026 21:57:28 -0500
Subject: [PATCH] commited last commit from api directory on accident
---
 .gitea/workflows/deploy.yml | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 8a8d730..3999fb5 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -15,7 +15,36 @@ jobs:
 set -euo pipefail
 cd api
 npm ci
- npm audit --omit=dev --audit-level=high
+ npm audit --omit=dev --json > /tmp/skymoney-api-audit.json || true
+ node -e '
+ const fs = require("fs");
+ const report = JSON.parse(fs.readFileSync("/tmp/skymoney-api-audit.json", "utf8"));
+ const vulnerabilities = report.vulnerabilities || {};
+ const allowlisted = new Set(["fast-jwt", "@fastify/jwt"]);
+ const blockers = [];
+
+ for (const [name, vuln] of Object.entries(vulnerabilities)) {
+ const severity = String(vuln?.severity || "").toLowerCase();
+ if (severity !== "high" && severity !== "critical") continue;
+ if (allowlisted.has(name)) continue;
+ blockers.push({ name, severity });
+ }
+
+ if (blockers.length > 0) {
+ console.error("Blocking high/critical vulnerabilities found:");
+ for (const blocker of blockers) {
+ console.error(` - ${blocker.name} (${blocker.severity})`);
+ }
+ process.exit(1);
+ }
+
+ const allowedPresent = Object.keys(vulnerabilities).filter((name) => allowlisted.has(name));
+ if (allowedPresent.length > 0) {
+ console.warn("Allowed advisory exception(s) present:", allowedPresent.join(", "));
+ } else {
+ console.log("No allowlisted API advisories present.");
+ }
+ '
 cd ../web
 npm ci
 npm audit --omit=dev --audit-level=high
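Review bot: The exception in the new `node -e` gate is keyed on package name (`allowlisted = new Set(["fast-jwt", "@fastify/jwt"])`), so every current and future high or critical advisory against the JWT libraries passes the deploy gate, not only the one that was reviewed. Keying the exception on advisory ID, read from the advisory objects in each entry's `via` list, keeps the gate closed for anything new in those packages; the ID in the fence below is a placeholder for the accepted advisory, and the `allowedPresent` summary would then report matched IDs instead of names. Separately, `|| true` combined with `report.vulnerabilities || {}` lets a report that has no `vulnerabilities` object (presumably what a failed registry call produces) count as clean, so the script should exit non-zero in that case. The fixed path `/tmp/skymoney-api-audit.json` would also be better as a `mktemp` file. The enclosing `run:` step starts and ends outside the hunk.

```yaml
// … unchanged: read and parse /tmp/skymoney-api-audit.json …
if (report.error || typeof report.vulnerabilities !== "object" || report.vulnerabilities === null) {
  console.error("npm audit did not return a usable report; refusing to continue.");
  process.exit(1);
}
// Placeholder ID: replace with the advisory that was actually reviewed and accepted.
const allowedAdvisories = new Set(["GHSA-xxxx-xxxx-xxxx"]);
const blockers = [];

for (const [name, vuln] of Object.entries(report.vulnerabilities)) {
  for (const via of vuln.via || []) {
    // String entries only point at another package, which has its own entry in the report.
    if (typeof via !== "object" || via === null) continue;
    const severity = String(via.severity || "").toLowerCase();
    if (severity !== "high" && severity !== "critical") continue;
    const advisoryId = String(via.url || "").split("/").pop();
    if (allowedAdvisories.has(advisoryId)) continue;
    blockers.push({ name, severity, advisoryId });
  }
}
// … unchanged: print blockers and exit 1 when any remain …
```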