Add pnpm audit security gate to CI to block vulnerable dependency merges #242

@Jagadeeshftw

Description

The CI pipeline has no dependency vulnerability scanning. A pull request that upgrades or introduces a package with a known high/critical CVE can be merged without any automated warning. pnpm audit --audit-level=high must be added as a required CI step that fails the pipeline when high or critical vulnerabilities are detected in the dependency tree.

Requirements and context

  • Add a pnpm audit --audit-level=high --json step to .github/workflows/ci.yml
  • Parse the JSON output to post a PR comment listing affected packages and CVE IDs when vulnerabilities are found
  • Add a .npmrc or pnpm audit exclusion mechanism for accepted/false-positive advisories with a mandatory comment explaining the exception
  • Must be secure, tested, and documented
  • Should be efficient and easy to review

Suggested execution

Fork the repo and create a branch

git checkout -b feature/ci-pnpm-audit-gate

Implement changes

  • Update/Write: .github/workflows/ci.yml — add audit step with PR comment on failure
  • Update/Write: .github/workflows/audit-comment.js — script to parse audit JSON and format PR comment
  • Update/Write: docs/security.md — document how to add audit exceptions with justification
  • Write comprehensive tests: N/A (CI configuration; validate instead with a test dependency that has a known CVE)
  • Add documentation: docs/security.md
  • Include clear code comments and types
  • Validate security assumptions

Test and commit

  • Run tests: pnpm test (or pnpm test:coverage)
  • Cover edge cases: no vulnerabilities (passes), high severity found (fails with comment), accepted exception in exclusion list (passes with annotation)
  • Include test output and security notes

Example commit message

ci: add pnpm audit security gate blocking high/critical CVEs

Guidelines

  • Minimum 95 percent test coverage
  • Clear documentation
  • Timeframe: 96 hours
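As an added example (not code from this issue or from the repository), here is a script in the role the issue assigns to .github/workflows/audit-comment.js: it parses the output of pnpm audit --audit-level=high --json, applies a reviewed exception list, and returns the pass/fail verdict together with the Markdown body for the PR comment. Assumptions that are mine rather than the issue's: the report has the advisories-keyed JSON shape pnpm audit --json emits (the npm audit v6 format); exceptions live in a hypothetical .audit-exceptions.json whose entries carry cve or ghsa, a justification of at least 20 characters, and an expires date; the sample report, package names and advisory identifiers are constructed placeholders, not real advisories.

```javascript
// audit-comment.js (added example, not the project's own code).
// Reads the JSON written by `pnpm audit --audit-level=high --json`, applies a
// reviewed exception list and returns the verdict plus a Markdown PR comment.
//
// Assumptions (mine, not the issue's): the report has the advisories-keyed
// shape pnpm emits (npm audit v6 format); exceptions come from a hypothetical
// .audit-exceptions.json with fields cve|ghsa, justification and expires.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// One finding per advisory, with the dependency paths that pull it in.
function parseAuditReport(json) {
  const report = typeof json === 'string' ? JSON.parse(json) : json;
  return Object.values(report.advisories || {}).map((a) => ({
    id: String(a.id),
    ghsa: a.github_advisory_id || null,
    cves: Array.isArray(a.cves) ? a.cves : [],
    severity: a.severity,
    module: a.module_name,
    title: a.title,
    url: a.url,
    paths: (a.findings || []).flatMap((f) => f.paths || []),
  }));
}

// An exception counts only if it names an advisory, explains itself and has
// not expired. A malformed entry is reported and never silently honoured.
function validateException(ex, now) {
  const problems = [];
  if (!ex.cve && !ex.ghsa) problems.push('names no CVE or GHSA id');
  if (typeof ex.justification !== 'string' || ex.justification.trim().length < 20) {
    problems.push('justification missing or shorter than 20 characters');
  }
  const exp = new Date(ex.expires); // new Date(undefined) is an Invalid Date
  if (Number.isNaN(exp.getTime())) problems.push('missing or invalid expires date');
  else if (exp <= now) problems.push(`expired on ${ex.expires}`);
  return problems;
}

function matchesException(finding, ex) {
  return Boolean((ex.cve && finding.cves.includes(ex.cve)) || (ex.ghsa && finding.ghsa === ex.ghsa));
}

// Verdict for the CI step: fail on any finding at or above auditLevel that is
// not covered by a valid exception, and also fail on any malformed exception
// entry, so a typo in the allow-list cannot widen it unnoticed.
function evaluateAudit(reportJson, exceptions = [], opts = {}) {
  const auditLevel = opts.auditLevel || 'high';
  const now = opts.now || new Date();
  const checked = exceptions.map((ex) => ({ ex, problems: validateException(ex, now) }));
  const invalid = checked.filter((c) => c.problems.length > 0);
  const valid = checked.filter((c) => c.problems.length === 0).map((c) => c.ex);
  const blocking = [];
  const excepted = [];
  for (const f of parseAuditReport(reportJson)) {
    if ((SEVERITY_RANK[f.severity] ?? 0) < SEVERITY_RANK[auditLevel]) continue; // below the gate
    const ex = valid.find((e) => matchesException(f, e));
    if (ex) excepted.push({ finding: f, exception: ex }); else blocking.push(f);
  }
  const passed = blocking.length === 0 && invalid.length === 0;
  return { passed, blocking, excepted, invalid, comment: formatComment({ passed, blocking, excepted, invalid, auditLevel }) };
}

// Markdown body for the PR comment: affected packages, advisory ids and CVEs.
function formatComment({ passed, blocking, excepted, invalid, auditLevel }) {
  const lines = [passed ? '### pnpm audit gate: passed' : '### pnpm audit gate: FAILED',
                 `Blocking threshold: \`${auditLevel}\` and above.`];
  if (blocking.length) {
    lines.push('', '| Package | Severity | Advisory | CVEs | Via |', '|---|---|---|---|---|');
    for (const f of blocking) {
      lines.push(`| ${f.module} | ${f.severity} | [${f.ghsa || f.id}](${f.url}) | ${f.cves.join(', ') || '-'} | ${f.paths[0] || '-'} |`);
    }
  }
  if (excepted.length) {
    lines.push('', '**Accepted exceptions (annotation only):**');
    for (const { finding, exception } of excepted) {
      lines.push(`- ${finding.module} (${exception.cve || exception.ghsa}), expires ${exception.expires}: ${exception.justification}`);
    }
  }
  if (invalid.length) {
    lines.push('', '**Rejected exception entries (gate stays red until fixed):**');
    for (const { ex, problems } of invalid) lines.push(`- ${ex.cve || ex.ghsa || '(unnamed)'}: ${problems.join('; ')}`);
  }
  return lines.join('\n');
}

// Constructed sample report and exception list; ids are placeholders, not real advisories.
const SAMPLE_REPORT = {
  advisories: {
    1001: { id: 1001, github_advisory_id: 'GHSA-0000-0000-0001', cves: ['CVE-0000-0001'],
            severity: 'high', module_name: 'example-high-pkg', title: 'constructed high finding',
            url: 'https://example.invalid/advisory/1001',
            findings: [{ version: '1.2.3', paths: ['app > example-high-pkg'] }] },
    1002: { id: 1002, github_advisory_id: 'GHSA-0000-0000-0002', cves: [],
            severity: 'moderate', module_name: 'example-moderate-pkg', title: 'constructed moderate finding',
            url: 'https://example.invalid/advisory/1002',
            findings: [{ version: '0.9.0', paths: ['app > dev-tool > example-moderate-pkg'] }] },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0 } },
};
const SAMPLE_EXCEPTIONS = [{
  cve: 'CVE-0000-0001',
  justification: 'Vulnerable function is never called with untrusted input in this service; upstream fix pending.',
  expires: '2099-12-31',
}];

if (typeof module !== 'undefined') {
  module.exports = { parseAuditReport, validateException, evaluateAudit, formatComment, SAMPLE_REPORT, SAMPLE_EXCEPTIONS };
}
```

In the workflow, pnpm audit exits non-zero as soon as it finds anything at or above --audit-level, so the step that captures the report needs `pnpm audit --audit-level=high --json > audit.json || true`, after which this script reads audit.json and the exception file, the job exits non-zero when `passed` is false, and a github-script step posts `comment`. pnpm can also drop advisories itself through `pnpm.auditConfig.ignoreCves` in package.json, but package.json cannot carry a comment, so the mandatory justification the issue asks for has to live in a separate, reviewed file; that is why the exceptions are validated here rather than handed to pnpm. The expiry date keeps an accepted risk from becoming permanent by default.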

Metadata

    Labels

    Stellar Wave (Issues in the Stellar wave program), backend (Backend service work), devops (CI / Docker / deploy), security (Security hardening)
