Overview

After #3562026: Consolidate JS workspaces, ESLint, and TypeScript config, the `npm audit` run in the `CLI Test` CI job can report vulnerabilities for the dependencies of every package in the monorepo, but the name of the current CI job suggests it is relevant only to the CLI package.

Plus, it currently runs on every commit, which causes noisy CI output.

It should run whenever the files it checks change, plus nightly, just like e.g. the phpstan-is-up-to-date and phpcs-rules-match-drupal CI jobs: running all of those on every commit is just unnecessary noise.

Proposed resolution

Extract `npm audit` from `CLI Test` into a dedicated job (with allow_failure: true) to make it clear that its results can be relevant for all packages in the monorepo.
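A dedicated job of the kind proposed above, as an added illustration (not the Canvas project's own .gitlab-ci.yml); the image, stage name and the `changes` paths are assumptions:

```yaml
# Added example, not the project's actual CI config: a standalone `npm audit`
# job that runs only when dependency manifests change or on a scheduled
# (nightly) pipeline. Image, stage and paths are assumptions.
npm audit:
  stage: test
  image: node:20
  # Advisory only: a newly published upstream advisory must not block
  # unrelated merge requests, but the failing job stays visible to maintainers.
  allow_failure: true
  rules:
    # Nightly: scheduled pipelines catch advisories published after the last
    # dependency change, when no lockfile commit would have triggered the job.
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
    # Otherwise only when the files that determine the dependency tree change.
    - changes:
        - package.json
        - package-lock.json
        - '**/package.json'
        - .gitlab-ci.yml
  script:
    # `npm ci` installs exactly what the single root lockfile pins, so the
    # audit covers every workspace package, not just the CLI; `--ignore-scripts`
    # keeps dependency lifecycle scripts from running on the CI runner.
    - npm ci --ignore-scripts
    # Exit non-zero on any advisory rated high or critical.
    - npm audit --audit-level=high
```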

Issue fork canvas-3571806


Comments

wotnak created an issue. See original summary.

shubham.prakash made their first commit to this issue’s fork.

wim leers made their first commit to this issue’s fork.

wim leers

Status: Active » Needs review
Issue tags: +DX (Developer Experience)
Related issues: +#3562026: Consolidate JS workspaces, ESLint, and TypeScript config

Now that we're out of the most painful era of Canvas CI flakiness, this is now one of the top things responsible for CI noise. What a good problem to have 😊

ui/package-lock.json obsolete?

I was addressing https://git.drupalcode.org/project/canvas/-/merge_requests/1080/diffs#no... and in doing so I got confused by ui/package-lock.json.

#3588801: Update JS packages last updated our JS packages. But it did not touch ui/package-lock.json. I'm by no means fluent in npm tooling, but it's suspicious that that file has not been updated in 4 months 😅

Is it possible that #3562026: Consolidate JS workspaces, ESLint, and TypeScript config should have deleted ui/package-lock.json?

wim leers

Title: CI: Extract npm audit from CLI Test » CI: Extract `npm audit` job from the `CLI Test` job
Assigned: Unassigned » justafish

wotnak

ui/package-lock.json is no longer used, and it was deleted in #3562026: Consolidate JS workspaces, ESLint, and TypeScript config.
It looks like it was accidentally added back in https://git.drupalcode.org/project/canvas/-/commit/29cdd8ceab5897420eb7d.... Should be safe to delete it again; the current setup with npm workspaces uses a single package-lock.json in the project root.

wim leers

Title: CI: Extract `npm audit` job from the `CLI Test` job » CI: Extract `npm audit` job from the `CLI Test` job, and don't run it for every commit
Issue summary: View changes
File attached: new (837.32 KB)

Illustrating the CI noise.

justafish

Status: Needs review » Needs work