rinafcode · ZuLu0890 · Jun 24, 2026
diff --git a/.github/workflows/dependency-vulnerability-scan.yml b/.github/workflows/dependency-vulnerability-scan.yml
@@ -0,0 +1,108 @@
+name: Dependency Vulnerability Scan
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+  pull_request:
+  schedule:
+    # Run every Monday at 08:00 UTC
+    - cron: "0 8 * * 1"
+  workflow_dispatch:
+
+jobs:
+  audit:
+    name: Audit & Auto-update Dependencies
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 11
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run vulnerability audit
+        run: pnpm run audit:scan
+        continue-on-error: false
+
+      - name: Upload audit report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: audit-report
+          path: audit-report.json
+          retention-days: 30
+
+  auto-update:
+    name: Auto-update Dependencies (scheduled)
+    runs-on: ubuntu-latest
+    # Only run on schedule or manual trigger, not on PRs
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 11
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Apply non-breaking security patches
+        run: pnpm run audit:fix
+        continue-on-error: true
+
+      - name: Check for changes
+        id: changes
+        run: |
+          if git diff --quiet; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Open PR with security patches
+        if: steps.changes.outputs.changed == 'true'
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "chore(deps): apply security patches"
+          branch: chore/auto-security-patches
+          title: "chore(deps): automated security dependency updates"
+          body: |
+            This PR was automatically generated by the Dependency Vulnerability Scan workflow.
+
+            **What changed:** Non-breaking security patches were applied via `pnpm audit --fix`.
+
+            **Review checklist:**
+            - [ ] Verify updated packages in `pnpm-lock.yaml`
+            - [ ] Confirm tests still pass
+            - [ ] Check for any breaking changes in updated packages
+          labels: |
+            dependencies
+            security
+          draft: false
diff --git a/package.json b/package.json
@@ -55,7 +55,8 @@
     "sdk:generate:python": "openapi-generator-cli generate -i openapi-spec.json -g python -o sdk/python",
     "sdk:generate": "npm run sdk:generate:spec && npm run sdk:generate:ts && npm run sdk:generate:python",
     "audit": "npm audit --audit-level=high",
-    "audit:fix": "npm audit fix",
+    "audit:scan": "pnpm audit --audit-level=high --json > audit-report.json || (cat audit-report.json && exit 1)",
+    "audit:fix": "pnpm audit --fix",
     "deps:update": "npx npm-check-updates -u '/.*/' && npm install",
     "load:test:health": "k6 run tests/load/scenarios/health.scenario.ts",
     "load:test:auth": "k6 run tests/load/scenarios/auth.scenario.ts",
@@ -212,10 +213,6 @@
   },
   "engines": {
     "node": ">=18.0.0",
-    "npm": ">=9.0.0",
-    "demo:event": "node scripts/demo-event.js",
-    "demo:ab": "node scripts/demo-ab.js",
-    "demo:autocomplete": "node scripts/demo-autocomplete.js",
-    "demo:subscription": "node scripts/demo-subscription.js"
+    "npm": ">=9.0.0"
   }
 }
diff --git a/src/auth/auth.service.ts b/src/auth/auth.service.ts
@@ -83,9 +83,9 @@ export class AuthService {
       const tokens = await this.generateTokens(user);
       await this.updateRefreshTokenHash(user.id, tokens.refreshToken);
       return tokens;
-    } catch (e) {
-      if (e instanceof UnauthorizedException) {
-        throw e;
+    } catch (_e) {
+      if (_e instanceof UnauthorizedException) {
+        throw _e;
       }
       throw new UnauthorizedException('Invalid or expired refresh token');
     }

diff --git a/src/security/dependency-vulnerability-scan.spec.ts b/src/security/dependency-vulnerability-scan.spec.ts
@@ -0,0 +1,120 @@
+import * as fs from 'fs';
+import * as path from 'path';
+
+const ROOT = path.resolve(__dirname, '../..');
+
+describe('Dependency Vulnerability Scan Configuration', () => {
+  describe('package.json scripts', () => {
+    let scripts: Record<string, string>;
+
+    beforeAll(() => {
+      const pkg = JSON.parse(fs.readFileSync(path.join(ROOT, 'package.json'), 'utf8')) as {
+        scripts: Record<string, string>;
+        engines: Record<string, string>;
+      };
+      scripts = pkg.scripts;
+    });
+
+    it('defines audit:scan script', () => {
+      expect(scripts['audit:scan']).toBeDefined();
+      expect(typeof scripts['audit:scan']).toBe('string');
+    });
+
+    it('audit:scan script references pnpm audit', () => {
+      expect(scripts['audit:scan']).toContain('pnpm audit');
+    });
+
+    it('audit:scan script enforces high severity level', () => {
+      expect(scripts['audit:scan']).toContain('--audit-level=high');
+    });
+
+    it('defines audit:fix script', () => {
+      expect(scripts['audit:fix']).toBeDefined();
+      expect(typeof scripts['audit:fix']).toBe('string');
+    });
+
+    it('audit:fix script references pnpm audit --fix', () => {
+      expect(scripts['audit:fix']).toContain('pnpm audit');
+      expect(scripts['audit:fix']).toContain('--fix');
+    });
+  });
+
+  describe('package.json engines', () => {
+    it('engines block is valid (no misplaced script entries)', () => {
+      const pkg = JSON.parse(fs.readFileSync(path.join(ROOT, 'package.json'), 'utf8')) as {
+        engines: Record<string, string>;
+      };
+      const invalidKeys = Object.keys(pkg.engines).filter((k) => k.includes(':'));
+      expect(invalidKeys).toHaveLength(0);
+    });
+  });
+
+  describe('dependency-vulnerability-scan.yml workflow', () => {
+    const workflowPath = path.join(
+      ROOT,
+      '.github',
+      'workflows',
+      'dependency-vulnerability-scan.yml',
+    );
+    let content: string;
+
+    beforeAll(() => {
+      content = fs.readFileSync(workflowPath, 'utf8');
+    });
+
+    it('workflow file exists', () => {
+      expect(fs.existsSync(workflowPath)).toBe(true);
+    });
+
+    it('workflow runs on pull_request events', () => {
+      expect(content).toContain('pull_request');
+    });
+
+    it('workflow runs on push to main', () => {
+      expect(content).toContain('main');
+    });
+
+    it('workflow runs on a schedule', () => {
+      expect(content).toContain('schedule');
+      expect(content).toContain('cron');
+    });
+
+    it('workflow supports manual dispatch', () => {
+      expect(content).toContain('workflow_dispatch');
+    });
+
+    it('workflow has an audit job', () => {
+      expect(content).toContain('audit:');
+    });
+
+    it('workflow invokes the audit:scan script', () => {
+      expect(content).toContain('audit:scan');
+    });
+
+    it('workflow has an auto-update job', () => {
+      expect(content).toContain('auto-update:');
+    });
+
+    it('workflow invokes the audit:fix script', () => {
+      expect(content).toContain('audit:fix');
+    });
+
+    it('workflow uses actions/checkout@v4', () => {
+      expect(content).toContain('actions/checkout@v4');
+    });
+
+    it('workflow uses pnpm/action-setup@v4', () => {
+      expect(content).toContain('pnpm/action-setup@v4');
+    });
+
+    it('auto-update job only runs on schedule or workflow_dispatch', () => {
+      expect(content).toContain("github.event_name == 'schedule'");
+      expect(content).toContain("github.event_name == 'workflow_dispatch'");
+    });
+
+    it('workflow uploads audit report as artifact', () => {
+      expect(content).toContain('audit-report');
+      expect(content).toContain('upload-artifact');
+    });
+  });
+});