Overview
The CLI test CI job (introduced in #3525594: Publish CLI tool on npm) has been failing 100% of the time for a few hours due to:
# npm audit report
astro 5.0.0-alpha.0 - 5.13.0
Severity: moderate
Astro allows unauthorized third-party images in _image endpoint - https://github.com/advisories/GHSA-xf8x-j4p2-f749
fix available via `npm audit fix`
node_modules/astro
1 moderate severity vulnerability
To address all issues, run:
npm audit fix
— https://git.drupalcode.org/project/experience_builder/-/jobs/6262159, for the nightly scheduled CI pipeline (https://git.drupalcode.org/project/experience_builder/-/pipelines/577174)
👆 this should not trigger a failing CI job, but at most a warning. (This particular vulnerability definitely doesn’t affect us — it’s Astro’s image optimization.)
Failure must mean "our code is broken", and an upstream vulnerability that might be relevant does not mean our code is broken.
Proposed resolution
Use https://docs.gitlab.com/ci/yaml/#allow_failureexit_codes
User interface changes
Comments
Comment #2
wim leers
Comment #4
wim leers
Follow example in core added in #3422641: Add a "Validatable config" tests job to GitLab CI to help core evolve towards 100% validatability.
Comment #5
wim leers
That worked: https://git.drupalcode.org/project/experience_builder/-/jobs/6263349 → yellow exclamation (warning) instead of red cross (hard failure) on the CI job 👍
Going ahead and merging to unbreak CI: https://git.drupalcode.org/project/experience_builder/-/commits/1.x/
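A sketch of the `allow_failure:exit_codes` pattern proposed in this issue, as an added example that is not the project's actual `.gitlab-ci.yml` or the merged change. The job name, the `npm test` step and the exit code 100 are assumptions chosen for illustration.

```yaml
# Added example (hypothetical job; not taken from experience_builder).
cli-test:
  script:
    - npm ci
    # A broken test run keeps its own non-zero exit code, which is not in
    # the allow list below, so it still fails the job (red cross).
    - npm test
    # npm audit exits non-zero when it reports advisories at or above
    # --audit-level. That generic code is indistinguishable from an
    # ordinary script failure, so remap it to a dedicated code
    # (100 is an arbitrary choice). Any other non-zero exit of npm audit,
    # such as a registry error, is remapped as well.
    - npm audit --audit-level=moderate || exit 100
  allow_failure:
    # Only this exit code turns the job into a warning (yellow
    # exclamation). Using "allow_failure: true" instead would also hide
    # genuine test failures.
    exit_codes:
      - 100
```

Because the advisory still surfaces as a warning on every pipeline, it stays visible for triage without blocking merges.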
Comment #6
wim leers
Comment #7
wim leers
Comment #9
wim leers