Harden the supply chain with an audit step and automated dependency updates
Description
The dependency surface in `package.json` (Express 4 plus a dev toolchain) has no automated vulnerability monitoring: `.github/workflows/ci.yml` runs only install/build/test, there is no `npm audit` gate, and there is no Dependabot or Renovate config in `.github/`. A known CVE in Express or a transitive dependency could sit unpatched indefinitely. For a billing gateway this is an avoidable supply-chain risk. This issue adds audit and automated updates.
Requirements and context
- Repository scope: Agentpay-Org/Agentpay-backend only.
- Add a CI job step running `npm audit --audit-level=high` (non-blocking initially, or blocking with a documented allowlist) so high/critical advisories surface on every build.
- Add `.github/dependabot.yml` configured for the `npm` ecosystem (and `github-actions`) with a sensible schedule and grouping.
- Pin/verify that the Node version used in CI matches the `engines` field (>=18.18).
- Document the update/triage policy briefly.
Suggested execution
- Fork the repo and create a branch: `git checkout -b security/ci-83-audit-dependabot`
- Implement changes
- Write code in: add an audit step to `.github/workflows/ci.yml` and add `.github/dependabot.yml`.
- Write comprehensive tests in: none required; the CI run is the gate.
- Add documentation: document the audit step and Dependabot policy in `README.md` or `CONTRIBUTING`.
- Keep the audit threshold pragmatic to avoid blocking on unfixable transitive lows: `npm audit` exits non-zero for any advisory at or above `--audit-level`, including transitive ones that have no upstream fix yet.
- Validate security assumptions: high/critical advisories are visible on every PR.
- Test and commit
- Run `npm audit`, `npm test`, and `npm run lint` locally.
- Confirm the CI job runs the audit step and Dependabot config validates.
- Include the `npm audit` summary in the PR description.
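As an added example (not AgentPay project code), the "blocking with a documented allowlist" variant from the requirements and the implement/test steps above, as a small Node script. It assumes the `npm audit --json` report format of npm 7 and later (`auditReportVersion: 2`, a `vulnerabilities` map whose `via` arrays mix advisory objects and package-name strings); the script path `scripts/audit-gate.js`, the allowlist file name, and every package name and advisory URL in the sample data are constructed placeholders, not real advisories.

```javascript
// scripts/audit-gate.js -- added example, not AgentPay project code.
// Reads an `npm audit --json` report (npm >= 7, auditReportVersion 2 assumed)
// and fails the build on advisories at or above a severity threshold unless
// an allowlist entry with a reason and an unexpired date covers them.
'use strict';

// Severity order used to apply the threshold (same levels npm uses).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Collect distinct advisories at or above `level`. Each vulnerabilities entry has
// a `via` array mixing advisory objects (title/url/severity) with plain strings
// naming the dependency a transitive finding is reached through; only the
// objects are advisories, so strings are skipped. An unknown severity is kept
// (and therefore blocks) rather than silently dropped.
function collectAdvisories(report, level = 'high') {
  const threshold = SEVERITY_RANK[level];
  const byUrl = new Map();
  for (const [pkg, vuln] of Object.entries(report.vulnerabilities || {})) {
    for (const via of vuln.via || []) {
      if (typeof via !== 'object' || via === null) continue;
      const rank = SEVERITY_RANK[via.severity];
      if (rank !== undefined && rank < threshold) continue;
      const entry = byUrl.get(via.url) ||
        { url: via.url, title: via.title, severity: via.severity, packages: [] };
      entry.packages.push(pkg);
      byUrl.set(via.url, entry);
    }
  }
  return [...byUrl.values()];
}

// An allowlist entry only counts if it names the advisory URL, records a reason
// and carries a future expiry, so a temporary exception cannot become permanent.
function isAllowed(advisory, allowlist, now = new Date()) {
  return allowlist.some((e) =>
    e.url === advisory.url && Boolean(e.reason) && Boolean(e.expires) &&
    new Date(e.expires) > now);
}

// Split findings into `blocked` (fail the build) and `allowed` (print for review).
function gate(report, allowlist, level = 'high', now = new Date()) {
  const advisories = collectAdvisories(report, level);
  return {
    blocked: advisories.filter((a) => !isAllowed(a, allowlist, now)),
    allowed: advisories.filter((a) => isAllowed(a, allowlist, now)),
  };
}

// Constructed sample data (placeholder names and URLs, not real advisories):
// a high advisory reached through a transitive dep, a critical dev-only advisory
// with a valid exception, and a low finding below the threshold.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': { severity: 'high', isDirect: false, via: [
      { source: 1, name: 'example-parser', title: 'Constructed high advisory',
        url: 'https://example.invalid/advisory/A', severity: 'high' }] },
    'example-framework': { severity: 'high', isDirect: true, via: ['example-parser'] },
    'example-logger': { severity: 'critical', isDirect: true, via: [
      { source: 2, name: 'example-logger', title: 'Constructed critical advisory',
        url: 'https://example.invalid/advisory/B', severity: 'critical' }] },
    'example-lint-plugin': { severity: 'low', isDirect: true, via: [
      { source: 3, name: 'example-lint-plugin', title: 'Constructed low advisory',
        url: 'https://example.invalid/advisory/C', severity: 'low' }] },
  },
};
const SAMPLE_ALLOWLIST = [
  { url: 'https://example.invalid/advisory/B', expires: '2099-01-01',
    reason: 'dev-only tool, no upstream fix yet; tracked in a follow-up issue' },
  { url: 'https://example.invalid/advisory/A', expires: '2000-01-01',
    reason: 'expired exception: must be re-triaged, so it blocks again' },
];

// CLI: node scripts/audit-gate.js audit.json [allowlist.json] [level]
function main(argv) {
  const fs = require('node:fs');
  const [reportPath, allowlistPath, level = 'high'] = argv;
  const report = JSON.parse(fs.readFileSync(reportPath, 'utf8'));
  const allowlist = allowlistPath ? JSON.parse(fs.readFileSync(allowlistPath, 'utf8')) : [];
  const { blocked, allowed } = gate(report, allowlist, level);
  for (const a of allowed) console.log(`allowed ${a.severity} ${a.url} via ${a.packages.join(', ')}`);
  for (const a of blocked) console.log(`BLOCKED ${a.severity} ${a.url} via ${a.packages.join(', ')}`);
  console.log(`${blocked.length} blocking, ${allowed.length} allowlisted (level >= ${level})`);
  return blocked.length === 0 ? 0 : 1;
}

if (typeof require !== 'undefined' && require.main === module && process.argv.length > 2) {
  process.exitCode = main(process.argv.slice(2));
}
if (typeof module !== 'undefined') {
  module.exports = { collectAdvisories, isAllowed, gate, SAMPLE_REPORT, SAMPLE_ALLOWLIST };
}
```

In `ci.yml` this runs after `npm ci` as `npm audit --json > audit.json || true` followed by `node scripts/audit-gate.js audit.json .github/audit-allowlist.json high` (file names assumed). The `|| true` matters because `npm audit` itself exits non-zero when it finds advisories at or above `--audit-level` and the workflow shell runs with `-e`, so the gate rather than the raw audit decides pass/fail. Requiring `url`, `reason` and `expires` on every allowlist entry doubles as the brief triage policy the issue asks for: an exception has an owner-stated reason and a date after which it blocks again.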
Example commit message
security: add npm audit ci step and dependabot config
Guidelines
- Minimum 95 percent test coverage for impacted modules (where applicable).
- Clear, reviewer-focused documentation.
- Timeframe: 96 hours.
Community & contribution rewards
- 💬 Join the AgentPay community on Discord for questions, reviews, and faster merges: https://discord.gg/eXvRKkgcv
- ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.