Dependency Vulnerability Scanning
Calmony Pay uses two complementary mechanisms to keep its production dependency tree free of known vulnerabilities: npm audit in CI and automated Dependabot update PRs.
npm audit in CI
Every push to main and every pull request runs npm audit as an explicit CI step:
```yaml
- name: Audit production dependencies
  run: npm audit --audit-level=high --omit=dev
  continue-on-error: true
```
Flags explained
| Flag | Effect |
|---|---|
| --audit-level=high | Makes npm audit exit non-zero when any vulnerability of severity high or critical is reported. Moderate, low and info findings are still printed to the log but do not affect the exit code. |
| --omit=dev | Restricts the scan to runtime (production) dependencies. Dev-only packages such as test runners and linters are excluded from this check (they are still covered by the Dependabot updates described below). |
| continue-on-error: true | Lets the job succeed even if this step fails: the step is marked as failed and its output stays in the log, but the job's overall status is still green. Log visibility is not affected by this key, since a failed step's output is always available in the run. With this key present the audit cannot block a merge, so it has to be removed for the gating described below to take effect. |
What happens when a CVE is found
- npm audit prints the affected packages, their severities and any available fixes, then exits with a non-zero code.
- Without continue-on-error, the failed step fails the job and the PR cannot be merged while that check is required.
- The PR is unblocked only once the vulnerability is resolved, either by upgrading the affected package or by accepting the risk with an explicit, reviewed change to the audit step. With continue-on-error: true as shown above, the step is shown as failed but the job still passes, so nothing blocks the merge.
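As an added example (not the repository's own workflow file), the audit job written so that the merge-blocking behaviour described above actually holds. The workflow and job names, the artifact name and the use of actions/checkout and actions/upload-artifact are assumptions; the audit command and the setup-node step match the fragments on this page.

```yaml
# Added example, not the Calmony Pay workflow itself. Names of the workflow,
# job and artifact are assumptions.
name: dependency-audit

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # cache is intentionally omitted: no lock file is committed, and
          # `cache: npm` fails when it cannot find one

      # npm audit builds its tree from package-lock.json. None is committed,
      # so the install must run first: it writes a lock file on the runner.
      - name: Install dependencies
        run: npm install

      # Full machine-readable report, kept regardless of outcome. `|| true`
      # keeps this step green so that only the gate below can fail the job.
      - name: Write full audit report
        run: npm audit --json --omit=dev > npm-audit.json || true

      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: npm-audit-report
          path: npm-audit.json

      # The gate. No continue-on-error here: with it set, a failing audit is
      # shown as a failed step but the job, and therefore the required status
      # check on the PR, still passes.
      - name: Audit production dependencies
        run: npm audit --audit-level=high --omit=dev
```

The report step gives reviewers the complete JSON output as an artifact even when the gate step fails, which is the visibility the continue-on-error key was meant to provide, without weakening the gate itself.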
Dependabot
Dependabot is configured to open weekly grouped PRs for both npm packages and the GitHub Actions referenced in the repository's workflow files.
npm packages
- Schedule: Every Monday at 06:00 Europe/London
- Grouping: Minor and patch bumps are grouped into a single PR per week to reduce review noise. Major-version bumps remain as individual PRs for deliberate review.
- Open PR limit: 10
- Labels: dependencies, security
GitHub Actions
- Schedule: Every Monday at 06:00 Europe/London
- Open PR limit: 5
- Labels: dependencies, ci
What was removed in v1.0.37
The previous configuration suppressed patch updates for eslint* and @types/* packages via ignore rules. These rules have been removed. All packages, including dev tooling, now receive timely Dependabot PRs, so that vulnerabilities in development dependencies (which the --omit=dev audit above does not scan) are not silently left behind.
Custom commit-message.prefix overrides (chore(deps) and chore(actions)) were also removed. Dependabot's default commit message format is used instead.
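As an added example (not the repository's committed dependabot.yml), a configuration that matches the settings described in this section. The group name and the directory value are assumptions; the schedule, limits, labels and grouping behaviour follow the text above.

```yaml
# Added example, not the repository's own dependabot.yml. The group name
# "minor-and-patch" and `directory: "/"` are assumptions.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/London"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "security"
    groups:
      # One PR per week for every minor and patch bump. Major bumps fall
      # outside the group's update-types, so they still arrive as
      # individual PRs for deliberate review.
      minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    # No `ignore:` block: the earlier config suppressed patch updates for
    # eslint* and @types/* here. No `commit-message:` block either, so
    # Dependabot's default commit message format applies.

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/London"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "ci"
```

Because no lock file is committed, npm update PRs from this configuration edit the version ranges in package.json rather than pinning resolved versions in a lock file.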
CI lock-file behaviour
This repository does not commit a package-lock.json or equivalent lock file. The actions/setup-node cache parameter is intentionally omitted, because cache: npm makes the action fail when it cannot find a lock file to key the cache on:

```yaml
- uses: actions/setup-node@v4
  with:
    node-version: 20
    # cache is intentionally omitted — no lock file is committed to this repo
```

Dependency resolution is handled entirely by npm install at build time. Two consequences follow. First, npm audit builds its dependency tree from package-lock.json, so the audit step must run after npm install, which writes a lock file on the runner (unless package-lock is disabled in .npmrc). Second, every build resolves each semver range afresh, so two builds of the same commit can install different versions and produce different audit results; the audit reflects whatever was resolved on that run, not a tree tied to the commit. Committing a lock file and installing with npm ci would make builds reproducible and let an audit result be attributed to a specific commit.