pnpm-audit v3 (v3.1.0): A Thoughtful Step Forward in Open Source Security
As a developer who cares deeply about dependency security and CI/CD efficiency, I've always looked for tools that strike the right balance between simplicity and usefulness.
The pnpm-audit project by @JamesRobertWiseman does exactly that, and with version 3.1.0 it takes a big step forward, addressing community feedback without overcomplicating its mission.
Three community requests turned into features
- Updated documentation and GitHub Action setup tips (Issue #2)
Community feedback highlighted the need for clearer documentation: examples, explanations of each parameter, and best practices for configuring pnpm-audit within GitHub Actions.
Version 3.1.0 now includes improved docs and practical setup guidance, making it easier than ever to integrate the audit step in modern CI/CD pipelines.
A welcome enhancement for teams adopting the action for the first time.
- Inline annotations in workflow logs (Issue #3)
Another great addition: the inline flag now enables inline audit findings directly in GitHub's workflow logs using annotation syntax.
This makes audit results visible where developers already work: the CI output.
Here is a quick overview of an inline result:
- Reduced noise having a single comment in pull requests (Issue #4)
No one likes PRs cluttered with repeated audit comments after every push.
The new single_comment option ensures only one comment is maintained and updated, and it's automatically removed when all vulnerabilities are resolved.
A small but powerful change that makes PRs much cleaner and easier to follow.
Here is a quick overview of a PR comment:
Why v3 stands out
This release shows what makes pnpm-audit great:
- Community-driven: user feedback quickly turned into real improvements.
- Practical: every feature adds real value for day-to-day development.
- Simple: easy to adopt, even easier to maintain.
Kudos to @JamesRobertWiseman for this thoughtful release, a great example of open source responsiveness done right.
Example GitHub Actions workflow
```yaml
# continuous integration
name: main
# Controls when the action will run.
on:
  push:
    branches: [ main ]
  pull_request:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
        node-version: [ 18.x ]
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          # version from package.json
          run_install: false
      - name: Setup Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v5
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'pnpm'
      - name: Install dependencies
        run: |
          echo ::group::Install dependencies
          echo "install"
          pnpm i --frozen-lockfile
          echo ::endgroup::
      - name: CHECK - pnpm audit and comment on PR
        if: ${{ github.event.pull_request }}
        uses: JamesRobertWiseman/pnpm-audit@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          level: moderate # 'low'|'moderate'|'high'|'critical'
          fails: true # true to fail the build if vulnerabilities are found
          single_comment: true # true to only post one comment
          inline: true # true to emit audit findings directly in the workflow logs using GitHub annotation syntax
      - name: Run tests
        run: pnpm ci-test
      - name: COVERAGE - Report coverage on pull request
        if: github.event_name == 'pull_request'
        continue-on-error: true
        uses: andybelltree/lcov-reporter-action@v1.7.0 # https://github.com/andybelltree/lcov-reporter-action/releases
        with:
          lcov-file: ./coverage/lcov.info
          filter-changed-files: true
```
The JamesRobertWiseman/pnpm-audit@v3 step:
- single_comment: true: keeps the PR clean
- inline: true: annotations inside logs
- fails: true: breaks the build on critical issues
Huge thanks to @JamesRobertWiseman for this outstanding update.
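As an added example (not pnpm-audit's own code) of how the inline, level and fails options fit together: the script below takes a constructed report shaped like `pnpm audit --json` output, filters it by level, emits one GitHub annotation line per finding, and reports whether the build should fail. The advisory contents and URLs are made up for illustration.

```javascript
// Added example (not pnpm-audit's own code): turn a pnpm audit JSON report into
// GitHub workflow-log annotations and apply the level/fails semantics described above.
// The report below is constructed; its shape follows the advisories map that
// `pnpm audit --json` emits (severity, module_name, title, url, findings[].paths).
const LEVELS = ["low", "moderate", "high", "critical"]; // "info" never matches
const SAMPLE_REPORT = {
  advisories: {
    1001: { severity: "high", module_name: "example-parser", title: "Prototype Pollution",
            url: "https://example.invalid/advisory/1001",
            findings: [{ version: "1.2.3", paths: ["app>example-parser"] }] },
    1002: { severity: "moderate", module_name: "example-logger", title: "Regular Expression DoS",
            url: "https://example.invalid/advisory/1002",
            findings: [{ version: "0.9.0", paths: ["app>example-logger"] }] },
    1003: { severity: "low", module_name: "example-util", title: "Information Exposure",
            url: "https://example.invalid/advisory/1003",
            findings: [{ version: "2.0.0", paths: ["app>example-util"] }] },
  },
};
// GitHub's annotation syntax requires escaping in the message and in property values.
const escData = (s) => s.replace(/%/g, "%25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
const escProp = (s) => escData(s).replace(/:/g, "%3A").replace(/,/g, "%2C");

// Keep advisories at or above the configured level (the action's `level` input).
function selectFindings(report, level) {
  const threshold = LEVELS.indexOf(level);
  if (threshold < 0) throw new Error(`unknown level: ${level}`);
  return Object.values(report.advisories).filter((a) => LEVELS.indexOf(a.severity) >= threshold);
}
// One ::error (high/critical) or ::warning (low/moderate) line per finding; the
// runner renders these lines as inline annotations in the workflow log.
function toAnnotations(findings) {
  return findings.map((a) => {
    const kind = LEVELS.indexOf(a.severity) >= LEVELS.indexOf("high") ? "error" : "warning";
    const title = escProp(`${a.severity}: ${a.module_name}`);
    const paths = a.findings.flatMap((f) => f.paths).join(", ");
    return `::${kind} title=${title}::${escData(`${a.title} (via ${paths}) ${a.url}`)}`;
  });
}
// The `fails` input: true means any selected finding should fail the build.
function shouldFail(findings, fails) {
  return Boolean(fails) && findings.length > 0;
}
function run(report = SAMPLE_REPORT, level = "moderate", fails = true) {
  const findings = selectFindings(report, level);
  const annotations = toAnnotations(findings);
  annotations.forEach((line) => console.log(line));
  return { annotations, fail: shouldFail(findings, fails) };
}
run(); // prints 2 annotations for the sample report; fail is true
```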