Calmony Pay Features (Updated March 15, 2026)

Dependency Vulnerability Scanning

Calmony Pay's CI pipeline enforces automated dependency vulnerability scanning to detect and surface security issues in third-party packages before they reach production.

Overview

The project maintains 40+ production dependencies, including Stripe, NextAuth, and AWS SDKs. Any of these can receive security patches at any time. Two complementary mechanisms are in place to keep the dependency supply chain secure:

Mechanism         | Tool       | Trigger      | Purpose
------------------|------------|--------------|-------------------------------------------------------------
Reactive scanning | npm audit  | Every CI run | Fails the build if a high/critical vulnerability is present
Proactive updates | Dependabot | Scheduled    | Opens PRs when newer, patched versions are available

CI Audit Step

After every npm install, the CI workflow runs:

npm audit --audit-level=high
  • Scope: All production and development dependencies.
  • Threshold: The step fails on any vulnerability rated high or critical. Findings rated moderate or lower are reported in the log but do not block the build.
  • Effect: Pull requests that introduce or expose a high-severity vulnerability cannot be merged until the issue is resolved.

Responding to a Failed Audit

If npm audit fails in CI, resolve it using one of the following approaches:

  1. Upgrade the affected package to a patched version:
    npm install <package>@latest
    
  2. Apply an automatic fix where available:
    npm audit fix
    
  3. Force-fix breaking changes (use with care — test thoroughly):
    npm audit fix --force
    
  4. Review the advisory if no fix exists yet, and assess whether the vulnerable code path is reachable in this project before deciding to accept or mitigate.

Dependabot Configuration

Dependabot is configured via .github/dependabot.yml and covers two ecosystems:

npm Packages

  • Dependabot checks for new versions of all npm dependencies on a scheduled basis.
  • When a newer version is available, it opens a pull request updating package.json and package-lock.json.
  • Security-related updates are prioritised and may be opened out of schedule.

GitHub Actions

  • Dependabot also monitors Actions used in .github/workflows/ for new releases.
  • This keeps the CI toolchain itself (e.g. actions/checkout, actions/setup-node) current, so known vulnerabilities in the actions executed by the workflow are not carried forward.

Handling Dependabot PRs

  • Each Dependabot PR includes a changelog summary and a compatibility score where available.
  • PRs must pass CI (including the npm audit step) before they can be merged.
  • Group related updates together where possible to reduce review overhead.
  • Review breaking-change version bumps (major versions) manually before merging.
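A dependabot.yml that implements the two-ecosystem setup and PR-handling rules described above, added here as an illustration rather than copied from the project's own file; the weekly schedule, PR limit, labels and group names are assumptions.

```yaml
# .github/dependabot.yml (illustrative example; schedule, limits, labels and
# group names are assumptions, not the project's actual values)
version: 2
updates:
  # Ecosystem 1: npm packages tracked in package.json / package-lock.json
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    labels: ["dependencies"]
    groups:
      # Batch minor and patch bumps into a single PR to reduce review overhead.
      # Major (breaking) bumps are deliberately left out of the group, so each
      # one arrives as its own PR and gets a manual review before merging.
      npm-minor-and-patch:
        applies-to: version-updates
        patterns: ["*"]
        update-types: ["minor", "patch"]
      # Security updates are grouped as well; Dependabot still opens them as
      # soon as an advisory matches, independent of the weekly schedule.
      npm-security:
        applies-to: security-updates
        patterns: ["*"]

  # Ecosystem 2: the Actions referenced from .github/workflows/*.yml
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    labels: ["dependencies", "ci"]
    groups:
      # Keep actions/checkout, actions/setup-node, etc. moving together.
      github-actions:
        patterns: ["*"]
```

Every PR these rules produce still has to pass the CI audit step (npm audit --audit-level=high) before it can be merged.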

Security Control Reference

  • Control ID: SEC-25
  • Category: Dependency Security
  • Files affected: .github/workflows/ci.yml, .github/dependabot.yml