From e8057fe517bcfa1ee8adbb867ea85187dcf68e63 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Tue, 19 May 2026 13:56:03 +0200
Subject: [PATCH] chore(ci): add npm audit --audit-level=high gate to CI pipeline

Blocks merges when any HIGH or CRITICAL advisory enters the production dependency tree. Runs after npm ci (or cache restore) and before lint, so a failing audit surfaces immediately without wasting test time. Closes the systemic gap from pre-prod audit finding F-22 (dependency hygiene). Renovate automation is tracked separately.

Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/ci.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index ae6228e2..d4ec6772 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -29,6 +29,10 @@ jobs:
 run: npm ci
 working-directory: frontend
+ - name: Security audit (no dev deps) run: npm audit --audit-level=high --omit=dev working-directory: frontend
+
 - name: Compile Paraglide i18n
 run: npx @inlang/paraglide-js compile --project ./project.inlang --outdir ./src/lib/paraglide
 working-directory: frontend
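Review bot: The `--omit=dev` on the new `npm audit` step means an advisory in a dev dependency never fails the job, yet dev dependencies and their install scripts are exactly what executes on the CI runner during `npm ci`, so the gate covers the shipped tree but not the build environment that produces it. A second, non-blocking step such as `npm audit --audit-level=high` without `--omit=dev` (marked `continue-on-error: true`, if the runner honours that key) would surface those advisories in the log without blocking merges. The step also documents no path for an advisory that has no upstream fix; without one, the first unfixable HIGH transitive finding blocks every merge and invites the step being disabled, so a comment above `- name: Security audit (no dev deps)` naming the triage procedure (who may add a temporary exception and where it is tracked) would help the next person who hits it. The enclosing `steps:` list begins before the hunk.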