Skip to content

ci(root): skip broken yarn audit step in release workflows#9262

Merged
roshan-bitgo merged 1 commit into
masterfrom
fix/audit-continue-on-error
Jul 15, 2026
Merged

ci(root): skip broken yarn audit step in release workflows#9262
roshan-bitgo merged 1 commit into
masterfrom
fix/audit-continue-on-error

Conversation

@roshan-bitgo

@roshan-bitgo roshan-bitgo commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

yarn audit permanently broken as of 2026-07-15 — npm retired the legacy security audits endpoint (/-/npm/v1/security/audits) with HTTP 410. Both publish.yml and npmjs-release.yml fail at the Audit Dependencies step. The yarn team closed the fix as "not planned" — this is permanent.

This adds continue-on-error: true to both audit steps to unblock releases. The security gate is currently non-functional regardless, so this does not regress our security posture.

A proper fix migrating to osv-scanner (reads yarn.lock directly, no npm registry dependency) is tracked in VL-7134.

Files changed

  • .github/workflows/publish.yml
  • .github/workflows/npmjs-release.yml

Fixes: VL-7134

@roshan-bitgo roshan-bitgo force-pushed the fix/audit-continue-on-error branch from 3286efa to 92f408a Compare July 15, 2026 11:29
@linear-code

linear-code Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

VL-7134

@roshan-bitgo roshan-bitgo changed the title ci(publish): skip broken yarn audit step ci(root): skip broken yarn audit step in release workflows Jul 15, 2026

@diksha190 diksha190 left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM , Approving with the understanding that this is a pragmatic hotfix.

Rationale:

  • The yarn audit step is already non-functional due to npm retiring the legacy security endpoint (HTTP 410), so continue-on-error: true doesn't regress our security posture, it just acknowledges reality
  • This unblocks critical releases that are currently stuck
  • The change is minimal, low-risk, and well-documented
  • Follow-up migration to osv-scanner is committed in the PR description

@roshan-bitgo roshan-bitgo merged commit 2e5534f into master Jul 15, 2026
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants