Skip to content

CONTRIBUTING.md

Latest commit

 

History

History
60 lines (44 loc) · 1.64 KB

CONTRIBUTING.md

File metadata and controls

60 lines (44 loc) · 1.64 KB

Contributing to AgentGate

Development Workflow

  1. Fork and clone the repository
  2. Install dependencies: pnpm install
  3. Create a feature branch: git checkout -b feat/my-feature
  4. Make changes, write tests
  5. Run checks locally before pushing: 
    pnpm build
pnpm test
pnpm audit --audit-level=high
  6. Open a pull request against main

CI Pipeline

Pull requests run the following checks automatically:

  • Installpnpm install --frozen-lockfile
  • Buildpnpm build
  • Testpnpm test
  • Dependency Auditpnpm audit --audit-level=high

All checks must pass before merging.

Handling Audit Failures

The CI pipeline runs pnpm audit --audit-level=high, which fails on high or critical severity vulnerabilities. Moderate and low severities are reported but do not block the build.

When the audit fails

  1. Check what's vulnerable:

    pnpm audit

  2. Update the vulnerable package:

    pnpm update <package-name>

  3. If no fix is available yet:

    • Check the advisory for workarounds
    • If the vulnerability doesn't affect your usage (e.g., dev-only dependency, unreachable code path), document the decision in your PR description
    • Use pnpm audit --fix to attempt automatic resolution
    • As a last resort, consider replacing the dependency

  4. Transitive dependencies: If the vulnerability is in a transitive dependency you don't control, open an issue upstream and document it in your PR

Running the audit locally

# Same command as CI
pnpm audit --audit-level=high

# Full report including low/moderate
pnpm audit