DEV Community

Brice

Node.js - Security Audit via Github Action to augment PR's

🎯 pnpm-audit v3 (v3.1.0): A Thoughtful Step Forward in Open Source Security

As a developer who cares deeply about dependency security and CI/CD efficiency, I’ve always looked for tools that strike the right balance between simplicity and usefulness.
The pnpm-audit project by @JamesRobertWiseman does exactly that, and with version 3.1.0 it takes a big step forward, addressing community feedback without overcomplicating its mission.

πŸ—οΈ Three community requests turned into features

  1. Updated documentation and GitHub Action setup tips (Issue #2)

Community feedback highlighted the need for clearer documentation: examples, explanations of each parameter, and best practices for configuring pnpm-audit within GitHub Actions.
Version 3.1.0 now includes improved docs and practical setup guidance, making it easier than ever to integrate the audit step in modern CI/CD pipelines.
👉 A welcome enhancement for teams adopting the action for the first time.

(main Readme)

  2. Inline annotations in workflow logs (Issue #3)

Another great addition: the inline flag now enables inline audit findings directly in GitHub’s workflow logs using annotation syntax.
👉 This makes audit results visible where developers already work: the CI output.

Here is a quick overview of an inline result:

  3. Reduced noise with a single comment in pull requests (Issue #4)

No one likes PRs cluttered with repeated audit comments after every push.
The new single_comment option ensures only one comment is maintained and updated, and it’s automatically removed when all vulnerabilities are resolved.
👉 A small but powerful change that makes PRs much cleaner and easier to follow.

Here is a quick overview of a PR comment:

🚀 Why v3 stands out

This release shows what makes pnpm-audit great:

  • Community-driven: user feedback quickly turned into real improvements.

  • Practical: every feature adds real value for day-to-day development.

  • Simple: easy to adopt, even easier to maintain.

Kudos to @JamesRobertWiseman for this thoughtful release, a great example of open source responsiveness done right.

🧩 Example GitHub Actions workflow

```yaml
# continuous integration
name: main

# Controls when the action will run.
on:
  push:
    branches: [ main ]
  pull_request:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest

    strategy:
      matrix:
        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
        node-version: [ 18.x ]

    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          # version from package.json
          run_install: false

      - name: Setup Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v5
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'pnpm'

      - name: Install dependencies
        run: |
          echo ::group::Install dependencies
          echo "install"
          pnpm i --frozen-lockfile
          echo ::endgroup::

      - name: CHECK - pnpm audit and comment on PR
        if: ${{ github.event.pull_request }}
        uses: JamesRobertWiseman/pnpm-audit@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          level: moderate   # 'low'|'moderate'|'high'|'critical'
          fails: true # true to fail the build if vulnerabilities are found
          single_comment: true # true to only post one comment
          inline: true # true to emit audit findings directly in the workflow logs using GitHub annotation syntax

      - name: Run tests
        run: pnpm ci-test

      - name: COVERAGE - Report coverage on pull request
        if: github.event_name == 'pull_request'
        continue-on-error: true
        uses: andybelltree/lcov-reporter-action@v1.7.0 # https://github.com/andybelltree/lcov-reporter-action/releases
        with:
          lcov-file: ./coverage/lcov.info
          filter-changed-files: true
```

JamesRobertWiseman/pnpm-audit@v3 step:
✅ single_comment: true → keeps the PR clean
✅ inline: true → annotations inside logs
✅ fails: true → breaks the build when vulnerabilities at the configured level (moderate here) or above are found
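To make the `level`, `fails` and `inline` semantics above concrete, here is an added example (my own Node.js script, not pnpm-audit's code) that reads `pnpm audit --json` output, keeps only advisories at or above a severity threshold, emits GitHub workflow-command annotations and returns the exit code a CI step would use. It assumes the npm-v6-style `advisories` report shape; the embedded report and its `example.invalid` URLs are constructed sample data.

```javascript
// Added example (not pnpm-audit's own code): turn `pnpm audit --json` output into
// GitHub workflow-command annotations, applying a severity threshold like the
// action's `level` input and a fail decision like its `fails` input. Assumes the
// npm-v6-style "advisories" report shape; the report below is a constructed sample.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

const SAMPLE_REPORT = JSON.stringify({ advisories: {
  "1001": { module_name: "example-left-pad", severity: "low", patched_versions: ">=1.0.1",
    title: "Example: slow regex", url: "https://example.invalid/advisory/1001",
    findings: [{ version: "1.0.0", paths: ["example-app>example-left-pad"] }] },
  "1002": { module_name: "example-yaml", severity: "high", patched_versions: ">=2.4.0",
    title: "Example: prototype pollution", url: "https://example.invalid/advisory/1002",
    findings: [{ version: "2.3.0", paths: ["example-app>example-cli>example-yaml"] }] },
} });

// Keep advisories whose severity is at or above `level`; unknown levels are rejected.
function selectFindings(reportJson, level) {
  const threshold = SEVERITY_RANK[level];
  if (threshold === undefined) throw new Error(`unknown level: ${level}`);
  const report = JSON.parse(reportJson);
  return Object.entries(report.advisories || {})
    .filter(([, a]) => (SEVERITY_RANK[a.severity] ?? 0) >= threshold)
    .map(([id, a]) => ({ id, module: a.module_name, severity: a.severity, title: a.title,
      url: a.url, patched: a.patched_versions, paths: a.findings.flatMap((f) => f.paths) }));
}

// One workflow command per finding (high/critical -> ::error, else ::warning), with the
// percent-escaping the command syntax requires for message text and property values.
function toAnnotations(findings) {
  const escData = (s) => String(s).replace(/%/g, "%25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
  const escProp = (s) => escData(s).replace(/:/g, "%3A").replace(/,/g, "%2C");
  return findings.map((f) => {
    const cmd = SEVERITY_RANK[f.severity] >= SEVERITY_RANK.high ? "error" : "warning";
    const msg = `${f.title} via ${f.paths.join(", ")}; patched in ${f.patched}; ${f.url}`;
    return `::${cmd} title=${escProp(`${f.severity}: ${f.module}`)}::${escData(msg)}`;
  });
}

// Mirrors the action's inputs: `level` filters, `inline` emits annotations and
// `fails` turns any selected finding into a non-zero exit code.
function audit(reportJson, { level = "moderate", fails = true, inline = true } = {}) {
  const findings = selectFindings(reportJson, level);
  const lines = inline ? toAnnotations(findings) : [];
  return { findings, lines, exitCode: fails && findings.length > 0 ? 1 : 0 };
}

// Stand-alone demo; a real CI step would end with process.exit(result.exitCode).
const demo = audit(SAMPLE_REPORT, { level: "moderate" });
demo.lines.forEach((line) => console.log(line));
console.log(`would exit with code ${demo.exitCode}`);
```

With `level: moderate` only the high-severity advisory is reported, as an `::error` annotation, and the exit code is 1; lowering the level to `low` also surfaces the first advisory as a `::warning`.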

✨ Huge thanks to @JamesRobertWiseman for this outstanding update 🙌
