DEV Community: Brice

Node.js - Security Audit via Github Action to augment PR's

Brice — Thu, 09 Oct 2025 09:09:19 +0000

🎯 pnpm-audit v3 (v3.1.0): A Thoughtful Step Forward in Open Source Security

As a developer who cares deeply about dependency security and CI/CD efficiency, I’ve always looked for tools that strike the right balance between simplicity and usefulness.
The pnpm-audit project by @JamesRobertWiseman does exactly that — and with version 3.1.0, it takes a big step forward, addressing community feedback without overcomplicating its mission.

🏗️ Three community requests turned into features

Updated documentation and GitHub Action setup tips (Issue #2)

Community feedback highlighted the need for clearer documentation — examples, explanations of each parameter, and best practices for configuring pnpm-audit within GitHub Actions.
Version 3.1.0 now includes improved docs and practical setup guidance, making it easier than ever to integrate the audit step in modern CI/CD pipelines.
👉 A welcome enhancement for teams adopting the action for the first time.

(main Readme)

Inline annotations in workflow logs (Issue #3)

Another great addition: the inline flag now enables inline audit findings directly in GitHub’s workflow logs using annotation syntax.
👉 This makes audit results visible where developers already work — the CI output.

Here is a quick overview of an inline result:

Reduced noise having a single comment in pull requests (Issue #4)

No one likes PRs cluttered with repeated audit comments after every push.
The new single_comment option ensures only one comment is maintained and updated, and it’s automatically removed when all vulnerabilities are resolved.
👉 A small but powerful change that makes PRs much cleaner and easier to follow.

Here is a quick overview of a PR comment:

🚀 Why v3 stands out

This release shows what makes pnpm-audit great:

Community-driven — user feedback quickly turned into real improvements.
Practical — every feature adds real value for day-to-day development.
Simple — easy to adopt, even easier to maintain.

Kudos to @JamesRobertWiseman for this thoughtful release — a great example of open source responsiveness done right.

🧩 Example GitHub Actions workflow

# continuous integration
name: main

# Controls when the action will run. 
on:
  push:
    branches: [ main ]
  pull_request:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest

    strategy:
      matrix:
        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
        node-version: [ 18.x ]

    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          # version from package.json
          run_install: false

      - name: Setup Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v5
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'pnpm'

      - name: Install dependencies
        run: |
          echo ::group::Install dependencies
          echo "install"
          pnpm i --frozen-lockfile
          echo ::endgroup::

      - name: CHECK - pnpm audit and comment on PR
        if: ${{ github.event.pull_request }}
        uses: JamesRobertWiseman/pnpm-audit@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          level: moderate   # 'low'|'moderate'|'high'|'critical'
          fails: true # true to fail the build if vulnerabilities are found
          single_comment: true # true to only post one comment
          inline: true # true to emit audit findings directly in the workflow logs using GitHub annotation syntax

      - name: Run tests
        run: pnpm ci-test

      - name: COVERAGE - Report coverage on pull request
        if: github.event_name == 'pull_request'
        continue-on-error: true
        uses: andybelltree/lcov-reporter-action@v1.7.0 # https://github.com/andybelltree/lcov-reporter-action/releases
        with:
          lcov-file: ./coverage/lcov.info
          filter-changed-files: true

JamesRobertWiseman/pnpm-audit@v3 step :
✅ single_comment: true → keeps the PR clean
✅ inline: true → annotations inside logs
✅ fails: true → breaks the build on critical issues

✨ Huge thanks to @JamesRobertWiseman for this outstanding update 🙌

🛠️ Hacktoberfest 2025 — 17 Pull Requests in One Day, for the Love of Clean Code 😅🤖🧠

Brice — Sun, 05 Oct 2025 22:15:24 +0000

Experience report from Boly38 on an intense open source contribution day: 17 PRs focused on security, CI/CD, and code sustainability.

🛠️ Hacktoberfest 2025 — 17 Pull Requests in One Day, for the Love of Clean Code

Published by @boly38 — October 5, 2025

🌍 Introduction

Every October, Hacktoberfest inspires thousands of developers to give back to open source.

This year, I decided to dedicate an entire day to improving the quality and security of the projects I maintain or contribute to.

The result?

👉 17 Pull Requests opened or under review across 5 repositories, all focused on maintenance, modernization, and automation.

🔒 The Day’s Goal: Make Code Safer and More Sustainable

Instead of adding new features, my focus was to:

fix npm security alerts (audit fix),
repair and clean up CI workflows,
migrate to modern tools (pnpm, Node 18),
and automate releases using gh (GitHub CLI).

These aren’t flashy changes, but they make projects stronger and more reliable for every contributor.

⚙️ The Contributions in Detail

🧩 `creharmony/node-etsy-client`

🧾 Update README — updated workflow name (#72)
🧪 Fix audit & tests — updated dependencies (#71)
🚀 gh release + improved contribution doc (#70)
🧱 Migrated Node 16 → 18 (#68)

🧩 `boly38/drobadi`

🔁 npm → pnpm + ESLint fixes (#67)
🧭 Immutable release + gh create release doc (#66)
🧪 Bump chai@latest (#64)
🩹 Audit fix: multiple dependencies (#63, #61, #57)

🧩 `DatavenueLiveObjects/Start-here-nodeJS`

🧱 Audit fix + log4js/mqtt updates (#35)
⚙️ Re-established audit job (#31)
🚀 Added release workflow (#29)

🧩 `boly38/action-umami-report`

🧩 Fix audit on main push (#103)
🧩 Add vulnerability scan to PRs (#101)

🧩 `boly38/botEnSky`

🌐 Make app Nixpacks/Coolify compatible (#152)
⚙️ Switch npm → pnpm (#151)
🚀 Immutable release + GitHub CLI integration (#149)

📊 Technical Summary

Category	Count	%
Security / audits	7	~41%
CI/CD / workflows	5	~29%
Automation & release	3	~18%
Performance / migration	2	~12%

🧮 17 PRs across 5 repositories, with 16 validated for Hacktoberfest.

💬 Key Takeaways

Open source isn’t only about new features — it’s also about keeping code healthy.
Automating workflows frees up time for innovation.
Every audit fix is a small, invisible but essential win.

And above all: contribution doesn’t have to be flashy to be valuable.

🪴 Bonus: Hacktoberfest, Holopin & Treenation

As always, Hacktoberfest rewards contributors with Holopin badges and a Treenation tree 🌳 for every 6th accepted PR.

A small symbolic gesture that makes every commit a little greener 💚.

❤️ Conclusion

One day, 17 PRs, and a huge sense of satisfaction:

seeing the builds green again, audits clean, and dependencies up to date.

If you want to join in, there’s still time this October!

➡️ hacktoberfest.com

👤 About Me

I’m Boly38, an open-source developer passionate about code reliability, CI/CD workflows, and the Node.js ecosystem.

⚙️ github.com/boly38

💬 Come say hi on BlueSky

PS: I didn’t actually write a single line of this post — ChatGPT generated the summary based on a simple copy/paste from my Hacktoberfest profile 😎🤖

Quickstart howto post on Facebook using API

Brice — Sat, 28 Oct 2023 19:05:42 +0000

In addition to my Hactkoberfest contribution,

I just created a quickstart for user who wants to use Facebook API to post on a page:

get page info
post on a page
get long-lived access token

cf. https://github.com/boly38/testFB

this project gives you the basis curl commands.

Thanks to dev.to previous contributions that give me some inputs !

My contribution to #Hacktoberfest2023 😜🥳

Brice — Mon, 23 Oct 2023 11:28:46 +0000

Intro

I'm github fan ✨ and sometime participate to #Hacktoberfest when I've some free time. That's a good opportunity to make some PR to public projects too !

New release done for #Hacktoberfest2023 🥳

http://github.com/boly38/node-mongotools v 2.2.0 is out

Just a reminder : this is NodeJS wrapper for mongodump and mongorestore plus dropbox and rotation features.

I remove some dropbox indirect dependency to avoid request vulnerability (cf #72 ).

http://github.com/boly38/drobadi v1.0.0 is out

Just a reminder : "Drobadi : Dropbox backup directory" is NodeJS very-small dropbox wrapper to zip and upload to dropbox a given directory. You could also list/get backup.

I remove some dropbox indirect dependency to avoid request vulnerability (cf #33 ). And do some clean code to publish first major

Hourly monitor app'errors from Graylog to Slack

Brice — Mon, 08 Mar 2021 21:25:53 +0000

Hi,

I'm using Graylog to store applicative logs.

On error (level:3), app will send an entry to graylog too.

const graylog2 = require('graylog2');

const logger = new graylog2.graylog({
  servers: [{ 'host': '127.0.0.1', port: 12201 }]
});

// (...)

logger.error(msg)

By adding a little cron job shell script, I'm able to collect every hour the last error logs from graylog, then send them to Slack.

This way I'm able to react to applicative issue.

Here is graylogMonitoring.sh:

#!/bin/bash
# tools: apt-get install jq curl
# external secret requirements:
## export GRAY_AUTH=admin:mypassword
## export SLACK_WEBHOOK_ENDPOINT=https://hooks.slack.com/services/JUST/UPDATE/THIS

# to handle exclamation in password 
set +H

# send a slack message if webhook is set
  function slackNotification() {
    # markdown formatting : https://api.slack.com/reference/surfaces/formatting
    SLACK_TEXT_MSG="${1:-Something from logs is important}"
    if [ -z ${SLACK_WEBHOOK_ENDPOINT+x} ]; then
      echo "${SLACK_TEXT_MSG}"
    else
      curl -X POST --data "{\"type\": \"mrkdwn\",\"text\": \"${SLACK_TEXT_MSG}\"}" ${SLACK_WEBHOOK_ENDPOINT} || echo "unable to slack notify"
    fi
  }

# exit if there is no Graylog auth
if [ -z ${GRAY_AUTH+x} ]; then
  exit 0;
fi

# QUERY="*"
# url encoded query "level:3"
QUERY="level%3A3"
# level:3
# Full Graylog API call
GRAY_QUERY="http://localhost:9000/api/search/universal/relative?query=$QUERY&range=3600&fields=message&limit=100&sort=timestamp:desc"

curl --silent -u $GRAY_AUTH \
  -H "X-Requested-By: cli" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  ${GRAY_QUERY} -o LAST_WARN.json

# use jq to extract message from Graylog json response
cat LAST_WARN.json  |jq --raw-output '.messages[].message | (.timestamp + " | " +  .gl2_remote_ip + " | " + .message) ' > LAST_WARN.log

# send them to slack if result file is not empty
if [ -s "LAST_WARN.log" ]
then
  SLACK_MSG="Log warn sur la période : \n\`\`\`$(cat LAST_WARN.log | tr -d '"')\`\`\`"
  slackNotification "$SLACK_MSG"
fi

About script trigger: if you want to be more flexible than linux host cron job which require you to ssh login, edit crontab, ..

then you could map this script to a dedicated webhook via node-hook-action.

Having nodejs on you server,

install node-hook-action

npm install node-hook-action

create a webhookServer.js:

const server = require('node-hook-action');
server();

create a webhook server config.json

{
  "server_config": {
    "host": "0.0.0.0",
    "port": 1502,
    "path": "/webhook",
    "secret": {
      "custom": thisIsASecret
    },
    "directories": {
      "logs": "logs"
    }
  },
  "actions": [
    {
      "headers": {
        "x-action":"logs"
      },
      "events": [
        {
          "event": "custom",
          "action": "bash /var/www/webhooks/graylogMonitoring.sh"
        }
      ]
    }
  ]
}

start your webhook server using pm2

pm2 start node --name "webhook" -o /tmp/webhook.log -e /tmp/webhook-errors.log --time -- webhookServer.js

Update you reverse proxy (ex. nginx) to make an available webhook endpoint.

Here is an extract of nginx.conf:

location /webhook {
    proxy_pass http://0.0.0.0:1502;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_cache_bypass $http_upgrade;

    proxy_set_header Host $host;
    proxy_set_header   X-Real-IP          $remote_addr;
    proxy_set_header   X-Forwarded-Proto  $scheme;
    proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
}

Go to the free cronjob service to plan your webhook at regular interval:

And you're done !

Keep an eye on your Slack channel