Merge pull request #769 from govuk-one-login/bau-npm-audit

saralk · web-flow · commit 6683a2ad2a74 · 2026-05-11T09:47:05.000Z
BAU remove audit npm hook, add dependency review action
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -0,0 +1,20 @@
+name: "Dependency Review"
+on:
+  pull_request:
+  merge_group:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          - persist-credentials: false
+      - name: Dependency Review
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
+        with:
+          - fail-on-severity: moderate
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -25,17 +25,6 @@ repos:
         args: ["--baseline", ".secrets.baseline"]
         stages: [pre-commit]
 
-  - repo: local
-    hooks:
-      - id: package-audit-check
-        name: Check dependencies
-        entry: npm run audit
-        language: system
-        exclude: .*
-        always_run: true
-        pass_filenames: false
-        stages: [pre-commit]
-
   - repo: local
     hooks:
       - id: check-types
diff --git a/package.json b/package.json
@@ -119,6 +119,6 @@
     "run:all": "bash solutions/localstack/provision.sh && RUN_ALL=1 concurrently 'npm run run:frontend' 'npm run run:stubs' 'npm run run:api' 'npm run watch:config-schema' --kill-others",
     "config:validate": "for f in solutions/config/*.json; do (jsonschema validate solutions/config/schema/config.json $f) || exit 1; done",
     "api-specs:validate": "redocly lint solutions/**/open-api-spec.yaml",
-    "audit": "npm audit --audit-level=moderate && npm audit signatures && cd solutions/integration-tests && npm run audit"
+    "audit": "npm audit --audit-level=moderate --omit=dev && npm audit signatures && cd solutions/integration-tests && npm run audit"
   }
 }
diff --git a/solutions/integration-tests/package.json b/solutions/integration-tests/package.json
@@ -16,7 +16,7 @@
     "test:ui": "npm ci && run-p test:ui:*",
     "test:ui:watch": "npm run watch",
     "test:ui:run": "playwright test --ui",
-    "audit": "npm audit --audit-level=moderate && npm audit signatures"
+    "audit": "npm audit --audit-level=moderate --omit=dev && npm audit signatures"
   },
   "devDependencies": {
     "@aws-lambda-powertools/parameters": "^2.33.0",

Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,6 @@`
`119`	`119`	`"run:all": "bash solutions/localstack/provision.sh && RUN_ALL=1 concurrently 'npm run run:frontend' 'npm run run:stubs' 'npm run run:api' 'npm run watch:config-schema' --kill-others",`
`120`	`120`	`"config:validate": "for f in solutions/config/*.json; do (jsonschema validate solutions/config/schema/config.json $f) \|\| exit 1; done",`
`121`	`121`	`"api-specs:validate": "redocly lint solutions/**/open-api-spec.yaml",`
`122`		`- "audit": "npm audit --audit-level=moderate && npm audit signatures && cd solutions/integration-tests && npm run audit"`
	`122`	`+ "audit": "npm audit --audit-level=moderate --omit=dev && npm audit signatures && cd solutions/integration-tests && npm run audit"`
`123`	`123`	`}`
`124`	`124`	`}`