feat: add comprehensive NPM security management workflow #4027
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## NPM Audit Fix with TypeScript Auto-Repair - Automated security vulnerability detection and fixes for hashFiles dependencies - Intelligent TypeScript compatibility auto-repair after npm updates - Graduated response strategy for different vulnerability severities - Weekly schedule (Mondays at 7 AM) plus manual triggers ## Key Features - ✅ **Security-focused**: Only creates PRs when moderate+ vulnerabilities found - ✅ **TypeScript auto-repair**: Fixes @types/node compatibility issues automatically - ✅ **Multi-step recovery**: Clean reinstall, dependency resolution, build verification - ✅ **Graduated response**: force-fix for critical/high vulnerabilities only - ✅ **Build validation**: Ensures code compiles after automated fixes - ✅ **Enhanced PR details**: Shows audit status, fixes applied, build status ## Security Enhancements - ✅ **Proper error handling**: No vulnerability masking with '|| true' - ✅ **Transparent reporting**: Clear distinction between success/partial/failed states - ✅ **Audit level checking**: moderate, high, critical severity handling - ✅ **Force-fix safety**: Only for critical/high vulnerabilities ## Dependencies - **Requires**: Labels from actions#4024 (dependency, security, typescript, needs-manual-review) - **Integrates with**: Monitoring from actions#4025 - **Complements**: Node version management from actions#4026 This workflow ensures npm dependencies stay secure while maintaining TypeScript compatibility and build stability.
salmanmkc
added a commit
to salmanmkc/runner
that referenced
this pull request
Sep 9, 2025
## .NET Core/SDK Automated Upgrade Management - Weekly automated checking for new .NET Core/SDK releases - Intelligent global.json and project file updates with compatibility validation - Multi-version support with build verification across all .NET projects ## Key Features - ✅ **Multi-source monitoring**: Official releases API + package manager updates - ✅ **Smart compatibility**: Preserves project compatibility while upgrading dependencies - ✅ **Build validation**: Full solution build verification after .NET updates - ✅ **Version pinning**: Updates global.json SDK version with compatibility checks - ✅ **Package updates**: NuGet package upgrades with conflict resolution ## Update Strategy - **Weekly schedule**: Mondays at 8 AM for consistent .NET maintenance - **Manual triggers**: On-demand updates for critical security releases - **Graduated response**: Different handling for LTS vs current releases - **Rollback safety**: Build failures prevent PR creation ## Integration Benefits - **Release compatibility**: Ensures runner builds with latest .NET versions - **Security updates**: Automated security patch integration - **Build stability**: Validates compatibility before suggesting changes - **Development workflow**: Reduces manual .NET maintenance overhead ## Dependencies - **Requires**: Labels from actions#4024 (dependency, needs-manual-review) - **Integrates with**: Overall monitoring from actions#4025 - **Complements**: NPM security management from actions#4027 This workflow ensures .NET dependencies stay current and secure while maintaining build compatibility for the monthly runner release cycle.
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR introduces an automated NPM security vulnerability detection and fixing workflow with intelligent TypeScript compatibility handling. The workflow runs weekly to scan for moderate+ security vulnerabilities and automatically attempts to fix them while maintaining build stability.
Key Changes:
- Automated security scanning with graduated response strategy (moderate → critical/high vulnerability handling)
- TypeScript auto-repair system to handle compatibility issues after npm updates
- Multi-step recovery process with clean reinstall and dependency resolution
- Enhanced PR creation with detailed status reporting and appropriate labeling
This was referenced Sep 9, 2025
TingluoHuang
reviewed
Sep 9, 2025
TingluoHuang
reviewed
Sep 9, 2025
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
TingluoHuang
reviewed
Sep 9, 2025
TingluoHuang
approved these changes
Sep 11, 2025
fmartinez255
pushed a commit
to TiVo/actions-runner
that referenced
this pull request
Oct 14, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🔒 NPM Security Management with TypeScript Auto-Repair
This PR introduces a comprehensive workflow for automated NPM security vulnerability detection and fixes, with TypeScript compatibility handling.
🎯 Problem Solved
Current dependency management lacks automated NPM security vulnerability fixes and TypeScript compatibility maintenance.
�� Solution Overview
Weekly automated security scanning with graduated response strategy:
🔧 Key Features
--forcefor critical/high vulnerabilities🏗️ Workflow Integration
dependency,security,typescript,needs-manual-review)📋 Testing Validated
🔄 Monthly Release Integration
This workflow supports the monthly runner release process by ensuring NPM dependencies stay secure between releases while maintaining build stability.
Part of Actions Runner dependency management enhancement series: