
ci: add dependency vulnerability audit workflow #154

Merged: Mossaka merged 3 commits into main from copilot/add-no-dependency-vulnerability-checks on Dec 20, 2025

Conversation

Copilot AI (Contributor) commented Dec 19, 2025

Adds automated dependency vulnerability scanning using npm audit for both the main package and docs-site.

Changes

  • New workflow .github/workflows/dependency-audit.yml that:

    • Runs on push/PR to main, weekly schedule, and manual dispatch
    • Audits main package and docs-site/ separately
    • Fails on high/critical severity vulnerabilities (--audit-level=high)
    • Uses SHA-pinned actions consistent with existing workflows
  • Updated docs-site dependencies to resolve high-severity vulnerabilities:

    • Updated astro from ^4.16.12 to ^5.16.6
    • Updated @astrojs/starlight from ^0.28.4 to ^0.37.1
    • Pinned astro-mermaid to 1.1.0 (version 1.2.0 has a vulnerable @anthropic-ai/claude-code dependency)
    • Updated @astrojs/check, mermaid, and sharp to latest versions
    • Updated astro.config.mjs to use new social config array syntax (required by Starlight 0.33+)
Original prompt

add no dependency vulnerability checks to this repo



Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title [WIP] Add no dependency vulnerability checks to the repository ci: add dependency vulnerability audit workflow Dec 19, 2025
Copilot AI requested a review from Mossaka December 19, 2025 22:41
@Mossaka Mossaka requested review from Copilot December 19, 2025 23:07
@Mossaka Mossaka marked this pull request as ready for review December 19, 2025 23:07
github-actions Bot (Contributor) commented Dec 19, 2025

Test Coverage Report

Metric       Coverage   Covered/Total
Lines        81.02%     1230/1518
Statements   80.98%     1261/1557
Functions    78.16%     136/174
Branches     72.56%     410/565
Coverage Thresholds

The project has the following coverage thresholds configured:

  • Lines: 38%
  • Statements: 38%
  • Functions: 35%
  • Branches: 30%

Coverage report generated by `npm run test:coverage`

Copilot AI (Contributor) left a review comment

Pull request overview

This PR adds automated dependency vulnerability scanning to the repository using GitHub Actions. The workflow runs npm audit on both the main package and the docs-site package to identify security vulnerabilities in dependencies.

  • Adds scheduled weekly vulnerability scans every Monday at 00:00 UTC
  • Scans run on every push/PR to main, with manual trigger option available
  • Workflow fails CI when high or critical severity vulnerabilities are detected


Copilot AI (Contributor) left a review comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.



Mossaka (Collaborator) commented Dec 19, 2025

Fix this pipeline failure in this PR:

Run npm audit --audit-level=high

npm audit report

astro <=5.15.8
Severity: high
Astro's X-Forwarded-Host is reflected without validation - GHSA-5ff5-9fcw-vg88
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass - GHSA-hr2q-hp5q-x767
Astro vulnerable to reflected XSS via the server islands feature - GHSA-wrwg-2hg8-v723
Astro Development Server has Arbitrary Local File Read - GHSA-x3h8-62x9-952g
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - GHSA-fvmw-cj7j-j39q
Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values - GHSA-ggxq-hp9w-j794
Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765 - GHSA-whqg-ppgf-wp8c
Depends on vulnerable versions of esbuild
Depends on vulnerable versions of vite
fix available via npm audit fix --force
Will install astro@5.16.6, which is a breaking change
node_modules/astro
@astrojs/mdx <=0.0.0-vercel-upgrade-20230905174957 || 1.0.0-beta.0 - 3.1.9
Depends on vulnerable versions of astro
node_modules/@astrojs/mdx
@astrojs/starlight <=0.29.3
Depends on vulnerable versions of @astrojs/mdx
Depends on vulnerable versions of astro
Depends on vulnerable versions of astro-expressive-code
node_modules/@astrojs/starlight
astro-expressive-code 0.8.0 - 0.36.1
Depends on vulnerable versions of astro
node_modules/astro-expressive-code

esbuild <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - GHSA-67mh-4wv8-2f99
fix available via npm audit fix --force
Will install astro@5.16.6, which is a breaking change
node_modules/esbuild
vite 0.11.0 - 6.1.6
Depends on vulnerable versions of esbuild
node_modules/vite

6 vulnerabilities (5 moderate, 1 high)

To address all issues (including breaking changes), run:
npm audit fix --force
Error: Process completed with exit code 1.

@copilot

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI (Contributor, Author) commented Dec 19, 2025

Fix this pipeline failure in this PR:

Run npm audit --audit-level=high
...

Fixed in 36883a0. Updated docs-site dependencies to resolve vulnerabilities:

  • Updated astro to ^5.16.6 and @astrojs/starlight to ^0.37.1
  • Pinned astro-mermaid to 1.1.0 (1.2.0 introduced a vulnerable @anthropic-ai/claude-code dependency)
  • Updated astro.config.mjs to use the new social config array syntax required by Starlight 0.33+
  • Verified build passes and npm audit --audit-level=high returns no vulnerabilities

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • telemetry.astro.build
    • Triggering command: /usr/local/bin/node node /home/REDACTED/work/gh-aw-firewall/gh-aw-firewall/docs-site/node_modules/.bin/astro check (dns block)
    • Triggering command: /usr/local/bin/node node /home/REDACTED/work/gh-aw-firewall/gh-aw-firewall/docs-site/node_modules/.bin/astro build odules/esbuild/bin/esbuild o (dns block)
    • Triggering command: /usr/local/bin/node node /home/REDACTED/work/gh-aw-firewall/gh-aw-firewall/docs-site/node_modules/.bin/astro build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:
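Added example, not code from this project, from npm, or from any participant above: a small Node script that reproduces the decision `npm audit --audit-level=<level>` makes over an `npm audit --json` report (the gate the workflow described in the PR body relies on) and, for the failing run quoted in the thread, traces each "Depends on vulnerable versions" entry back to the packages that actually carry advisories. The report shape (auditReportVersion 2 fields `severity`, `isDirect`, `via`, `fixAvailable`) is what npm 7+ emits; the embedded sample report is constructed by hand to mirror the summary quoted above (six packages, 5 moderate and 1 high, every fix routed through astro@5.16.6), and the file name `audit-gate.js` is hypothetical.

```javascript
// audit-gate.js: apply an `npm audit --audit-level=<level>` style threshold to
// an `npm audit --json` report and trace each flagged package back to the
// packages that actually carry advisories, so the fix targets roots (astro,
// esbuild) rather than dependents (starlight, mdx, vite) that only "depend on
// vulnerable versions". Added example; not the project's workflow or npm code.
//
// Assumed input shape: npm's auditReportVersion 2 (npm 7+). Fields relied on:
// vulnerabilities[name].{severity, isDirect, via, fixAvailable}, where each
// `via` entry is either an advisory object or the name of another vulnerable
// package, and `fixAvailable` is false, true, or {name, version, isSemVerMajor}.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring the failing run quoted in the thread: six
// packages, 5 moderate + 1 high, every fix routed through a semver-major astro bump.
const FIX = { name: "astro", version: "5.16.6", isSemVerMajor: true };
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    astro: {
      severity: "high", isDirect: true, range: "<=5.15.8", fixAvailable: FIX,
      via: [
        { title: "Astro's X-Forwarded-Host is reflected without validation",
          url: "https://github.com/advisories/GHSA-5ff5-9fcw-vg88", severity: "high" },
        "esbuild", "vite",
      ],
    },
    "@astrojs/mdx": { severity: "moderate", isDirect: false, via: ["astro"], fixAvailable: FIX },
    "@astrojs/starlight": { severity: "moderate", isDirect: true, fixAvailable: FIX,
      via: ["@astrojs/mdx", "astro", "astro-expressive-code"] },
    "astro-expressive-code": { severity: "moderate", isDirect: false, via: ["astro"], fixAvailable: FIX },
    esbuild: {
      severity: "moderate", isDirect: false, range: "<=0.24.2", fixAvailable: FIX,
      via: [{ title: "esbuild enables any website to send any requests to the development server and read the response",
              url: "https://github.com/advisories/GHSA-67mh-4wv8-2f99", severity: "moderate" }],
    },
    vite: { severity: "moderate", isDirect: false, via: ["esbuild"], fixAvailable: FIX },
  },
};

// Per-severity counts, the same numbers npm prints in its summary line.
function countBySeverity(report) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const v of Object.values(report.vulnerabilities)) counts[v.severity] = (counts[v.severity] || 0) + 1;
  return counts;
}

// The exit-status decision `--audit-level=<level>` makes: fail as soon as any
// package sits at or above the level, whether or not a fix is available.
function auditGate(report, level) {
  const bar = SEVERITY_RANK[level];
  if (bar === undefined) throw new Error(`unknown audit level: ${level}`);
  const failing = Object.keys(report.vulnerabilities)
    .filter((name) => SEVERITY_RANK[report.vulnerabilities[name].severity] >= bar)
    .sort();
  return { pass: failing.length === 0, failing };
}

// Walk `via` name references (breadth-first, cycle-safe) and keep only the
// packages whose `via` contains a real advisory: those are the versions that
// must change; bumping a dependent alone changes nothing.
function rootCauses(report, name) {
  const reached = new Set([name]);
  const queue = [name];
  while (queue.length) {
    const entry = report.vulnerabilities[queue.shift()];
    for (const via of (entry && entry.via) || []) {
      if (typeof via === "string" && !reached.has(via)) { reached.add(via); queue.push(via); }
    }
  }
  return [...reached]
    .filter((n) => ((report.vulnerabilities[n] || {}).via || []).some((v) => typeof v !== "string"))
    .sort();
}

// What to change in package.json: one row per direct dependency. `breaking`
// is npm's isSemVerMajor, the case it only applies under `npm audit fix --force`.
function fixPlan(report) {
  return Object.entries(report.vulnerabilities)
    .filter(([, v]) => v.isDirect)
    .map(([name, v]) => {
      const f = v.fixAvailable;
      const obj = Boolean(f) && typeof f === "object";
      return {
        package: name,
        rootCauses: rootCauses(report, name),
        fix: obj ? `${f.name}@${f.version}` : f ? "npm audit fix" : "none",
        breaking: obj ? Boolean(f.isSemVerMajor) : false,
      };
    })
    .sort((a, b) => (a.package > b.package) - (a.package < b.package));
}

// Usage: node audit-gate.js [level] [report.json]   (report from `npm audit --json`)
// Without a file the constructed sample is used and the exit code is left alone.
if (typeof require !== "undefined" && require.main === module) {
  const [level = "high", file] = process.argv.slice(2);
  const report = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_REPORT;
  const verdict = auditGate(report, level);
  console.log("counts:", countBySeverity(report));
  for (const row of fixPlan(report)) console.log("direct dep:", row);
  console.log(`audit-level=${level}: ${verdict.pass ? "PASS" : "FAIL (" + verdict.failing.join(", ") + ")"}`);
  if (file) process.exitCode = verdict.pass ? 0 : 1;
}
```

Run against a real report with `npm audit --json > report.json && node audit-gate.js high report.json`. On the sample the gate fails at `high` on astro alone, passes at `critical`, and would list all six packages at `moderate`, so the esbuild and vite findings are never what trips a `--audit-level=high` job by themselves. Both direct dependencies (astro and @astrojs/starlight) resolve to the same root causes and the same semver-major fix, which is the situation where editing package.json deliberately, as this PR did, is preferable to `npm audit fix --force`.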

@Mossaka Mossaka merged commit 54cecc4 into main Dec 20, 2025
30 checks passed
@Mossaka Mossaka deleted the copilot/add-no-dependency-vulnerability-checks branch December 20, 2025 00:00