Strengthening Supply Chain Security: Automated Dependency Vulnerability Scanning
Release: v1.0.36
Security Control: SEC-25
Category: Dependency Security
Background
Calmony Pay depends on more than 40 production npm packages, including critical libraries such as Stripe, NextAuth, and AWS SDKs. These packages receive regular updates — including security patches — from their maintainers.
Prior to this release, the CI pipeline had no mechanism to detect known vulnerabilities in these dependencies. There was no call to npm audit, no Dependabot configuration, and no third-party scanner (e.g. Snyk) integrated into the workflow. This meant that a dependency could silently carry a High or Critical CVE through to production without any automated alert.
SEC-25 was raised to close this gap.
What Was Implemented
1. npm audit in CI
The CI workflow (`.github/workflows/ci.yml`) now runs the following step immediately after `npm install`:

```yaml
- name: Audit dependencies
  run: npm audit --audit-level=high
```
Behaviour:
- Sends the installed dependency tree (as recorded in `package-lock.json`) to the npm registry's advisory endpoint and receives the advisories that match it.
- Exits with a non-zero code, failing the build, if any vulnerability rated High or Critical is found.
- Vulnerabilities rated Moderate or Low are printed in the job output but do not block the build.
This ensures no code can be merged or deployed while a known high-severity vulnerability exists anywhere in the dependency tree, including transitive and development dependencies (`npm audit` scans devDependencies unless `--omit=dev` is passed). Two caveats apply. The check covers only advisories already published to the npm database, so it finds known issues, not unknown ones. And because the audit runs against the tree on every build, a newly published advisory will turn unrelated pull requests red until the dependency is updated or an exception is recorded; that is the intended behaviour, not a flaky pipeline.
2. Dependabot Configuration
A new `.github/dependabot.yml` file has been added to the repository. Dependabot will now automatically open pull requests when newer versions of dependencies are available, covering:
- npm packages: application and development dependencies defined in `package.json`.
- GitHub Actions: workflow action versions referenced in `.github/workflows/`.
This keeps the dependency tree current without requiring manual tracking, reducing the window of exposure between a vulnerability being published and a patch being applied. Note that `dependabot.yml` drives version updates; Dependabot's alert-driven security updates are a separate repository setting (Code security and analysis) and should be enabled alongside it. Every Dependabot pull request also runs through the `npm audit` step above, so a bump that leaves a High or Critical advisory in place is still blocked.
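As an added illustration of the shape such a file takes (example configuration written for this note, not the file committed in this release; the schedule, labels and the `aws-sdk` group are assumptions), a `.github/dependabot.yml` covering both ecosystems above looks like this:

```yaml
# Example .github/dependabot.yml (illustrative; not the repository's actual file)
version: 2
updates:
  # Application and development dependencies from package.json / package-lock.json
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    # Batch related packages into a single PR to keep review load manageable
    groups:
      aws-sdk:
        patterns:
          - "@aws-sdk/*"

  # Action versions referenced in .github/workflows/*.yml
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "ci"
```

Actions pinned to a full commit SHA (the recommended practice for third-party actions) are still updated: Dependabot bumps the SHA and the trailing version comment rather than a mutable tag.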
What This Means in Practice
| Scenario | Before SEC-25 | After SEC-25 |
|---|---|---|
| High CVE published for a production dependency | No detection | CI fails; merge blocked |
| Patch released for a vulnerable dependency | Manual discovery required | Dependabot opens a PR automatically |
| GitHub Actions workflow uses an outdated action | No detection | Dependabot opens a PR automatically |
| Moderate/Low CVE in a dependency | No detection | Reported in CI output; build passes |
No Breaking Changes
This release contains no changes to the Calmony Pay API, its endpoints, request/response formats, or application behaviour. It is a CI infrastructure and security hardening change only.
Recommended Actions for Contributors
- If a CI run fails with an `npm audit` error, run `npm audit` locally to inspect the advisory and `npm audit fix` to attempt an automatic resolution. Avoid `npm audit fix --force` unless you review the resulting major-version bumps; it can install breaking changes.
- If an automatic fix is not available, the affected package must be manually updated, or an exception must be documented and justified before the build can be unblocked.
- Review Dependabot PRs promptly. Keeping dependencies up to date is now a shared responsibility enforced by the pipeline.
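The gate that `--audit-level=high` applies, and the "documented exception" path above, are easier to reason about when written out. The script below is an added example, not Calmony Pay code: it reproduces the severity decision over an `npm audit --json` report and adds a time-boxed exception list so a justified advisory can unblock the build without lowering the global threshold. The report, the advisory URLs and the exception record format are constructed for this example.

```python
"""Severity gate over an ``npm audit --json`` report, with documented exceptions.

Added example, not Calmony Pay code. It reproduces the decision that
``npm audit --audit-level=high`` makes in CI (block on high/critical, report
the rest) and adds a time-boxed exception list so a justified advisory can
unblock the build without lowering the global threshold. The report and the
exception format are constructed for this example.
"""
import json
import sys
from datetime import date

# npm's severity scale, lowest to highest; --audit-level picks the threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the auditReportVersion 2 shape emitted by npm 7+.
# Advisory URLs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "pkg-a": {"name": "pkg-a", "severity": "critical", "isDirect": False,
                  "via": [{"source": 1, "name": "pkg-a", "title": "Prototype pollution",
                           "url": "https://example.invalid/advisory/1", "severity": "critical"}],
                  "fixAvailable": True},
        "pkg-b": {"name": "pkg-b", "severity": "high", "isDirect": True,
                  "via": [{"source": 2, "name": "pkg-b", "title": "ReDoS",
                           "url": "https://example.invalid/advisory/2", "severity": "high"}],
                  "fixAvailable": False},
        # Transitive: vulnerable only because it depends on pkg-b
        "pkg-c": {"name": "pkg-c", "severity": "moderate", "isDirect": False,
                  "via": ["pkg-b"], "fixAvailable": False},
        "pkg-d": {"name": "pkg-d", "severity": "low", "isDirect": False,
                  "via": [{"source": 3, "name": "pkg-d", "title": "Info leak",
                           "url": "https://example.invalid/advisory/3", "severity": "low"}],
                  "fixAvailable": True},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 1,
                                     "high": 1, "critical": 1, "total": 4}},
})

# Hypothetical exception record: package, exact advisory URL, owner, reason and
# an expiry date, so a waiver cannot silently outlive its justification.
SAMPLE_EXCEPTIONS = [
    {"package": "pkg-b", "advisory": "https://example.invalid/advisory/2",
     "reason": "Vulnerable regex path not reachable; upstream fix pending",
     "owner": "payments-team", "expires": "2025-09-30"},
]


def advisory_urls(entry):
    """Advisory URLs attached directly to an entry. String 'via' items denote a
    transitive path through another package and carry no URL of their own."""
    return {v["url"] for v in entry.get("via", []) if isinstance(v, dict) and "url" in v}


def is_waived(entry, exceptions, today):
    """True if an unexpired exception names this package and one of its advisories."""
    for ex in exceptions:
        if ex["package"] != entry["name"]:
            continue
        if date.fromisoformat(ex["expires"]) < today:
            continue  # expired waiver no longer counts
        if ex["advisory"] in advisory_urls(entry):
            return True
    return False


def gate(report_text, audit_level="high", exceptions=(), today=None):
    """Return (exit_code, blocking, waived). Exit code is 1 when any vulnerability
    at or above audit_level lacks a valid exception, mirroring npm audit's exit."""
    today = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[audit_level]
    blocking, waived = [], []
    for name, entry in sorted(json.loads(report_text)["vulnerabilities"].items()):
        if SEVERITY_RANK[entry["severity"]] < threshold:
            continue  # reported by npm, but below the blocking threshold
        (waived if is_waived(entry, exceptions, today) else blocking).append(name)
    return (1 if blocking else 0), blocking, waived


if __name__ == "__main__":
    # In CI: `npm audit --json > audit.json` then `python audit_gate.py audit.json`.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, blocking, waived = gate(text, "high", SAMPLE_EXCEPTIONS)
    print("blocking:", blocking, "waived:", waived)
    sys.exit(code)
```

Two design choices matter here. An exception matches on the exact advisory, not just the package name, so a new advisory on an already-waived package is still blocking. And every exception expires, which turns "we accepted this risk" into a dated decision the pipeline re-opens automatically rather than a permanent hole in the gate.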