Skip to content

ci(root): migrate dependency audit from improved-yarn-audit to osv-scanner#9263

Open
roshan-bitgo wants to merge 1 commit into
masterfrom
fix/migrate-to-osv-scanner
Open

ci(root): migrate dependency audit from improved-yarn-audit to osv-scanner#9263
roshan-bitgo wants to merge 1 commit into
masterfrom
fix/migrate-to-osv-scanner

Conversation

@roshan-bitgo

@roshan-bitgo roshan-bitgo commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

Replaces improved-yarn-audit with google/osv-scanner-action in both release workflows.

Why: npm permanently retired the legacy security audits endpoint (/-/npm/v1/security/audits) on 2026-07-15 with HTTP 410. Yarn v1's yarn audit calls this endpoint; improved-yarn-audit wraps yarn audit and inherits the breakage. The yarn team closed the fix as "not planned" — yarn classic's audit is permanently broken.

Why osv-scanner: Unlike audit-ci (which also calls yarn audit --json under the hood for Yarn Classic), osv-scanner reads yarn.lock directly and queries the OSV.dev database. No npm registry dependency. Works identically locally and in CI.

Changes

  • .github/workflows/publish.yml — replace broken audit step with osv-scanner-action@v2
  • .github/workflows/npmjs-release.yml — replace broken audit step with osv-scanner-action@v2
  • package.json — remove improved-yarn-audit devDependency and audit-high script
  • osv-scanner.toml — new config; all 14 exclusions migrated 1:1 from .iyarc with original justifications preserved
  • .iyarc — deleted (superseded by osv-scanner.toml)
  • .claude/agents/iyarc-prune.md — updated all references to osv-scanner.toml and new CLI invocation

Security posture

All 14 existing CVE exclusions are preserved with their original justifications. Severity threshold remains HIGH+. No change to which vulnerabilities are accepted.

Follows the immediate unblock in #9262. Tracked in VL-7134.

@roshan-bitgo roshan-bitgo force-pushed the fix/migrate-to-osv-scanner branch from 4225a46 to 8cb6db4 Compare July 15, 2026 13:55
@roshan-bitgo roshan-bitgo changed the title ci(publish): migrate dependency audit from improved-yarn-audit to osv-scanner ci(root): migrate dependency audit from improved-yarn-audit to osv-scanner Jul 15, 2026
@roshan-bitgo roshan-bitgo force-pushed the fix/migrate-to-osv-scanner branch from 8cb6db4 to c71679c Compare July 15, 2026 14:02
@roshan-bitgo roshan-bitgo marked this pull request as ready for review July 15, 2026 14:16
@roshan-bitgo roshan-bitgo requested review from a team as code owners July 15, 2026 14:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants