Audit npm in CI

[milt]

Dependabot is nice but we only get alerts when code hits master. Add npm audit to the CI workflow so it fails if any sec issues are detected!

[kelvinqian00]

I'm curious how this works - if there are security vulnerabilities, how exactly will npm audit cause CI to fail? Nonzero exit code?

[milt]

Yep. It's zero if everything's OK, but if there is any vulnerability it should fail

[milt]

I'd prefer a flag on npm install that makes it fail if there are any vulnerabilities, since it runs npm audit anyways, but for some reason that doesn't seem to be a thing?