Skip to content

fix: Make the dependency audit skill scalable, make all calls through the cjs script#51

Open
Cesar-M-Diaz wants to merge 6 commits into
mainfrom
cesar/dependency-updates
Open

fix: Make the dependency audit skill scalable, make all calls through the cjs script#51
Cesar-M-Diaz wants to merge 6 commits into
mainfrom
cesar/dependency-updates

Conversation

@Cesar-M-Diaz

@Cesar-M-Diaz Cesar-M-Diaz commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Summary by CodeRabbit

  • New Features
    • Reworked dependency auditing to run a bundled helper with batched NCM lookups, capped concurrency, and remediation verification.
    • Adds deterministic Markdown reporting (executive summary + full report), with optional saved report output; JSON output is still supported.
  • Bug Fixes
    • Prevents reruns/reconstruction when helper output is incomplete or fails integrity checks; adds clearer network/auth failure handling and stricter remediation/version guardrails.
  • Documentation
    • Updated skill instructions for markdown vs JSON behavior and report sourcing rules.
  • Tests
    • Expanded unit coverage for helper execution, rendering/integrity validation, and saved-report artifacts/truncation limits.

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

Adds a bundled NCM dependency audit CLI with dependency collection, batched queries, retries, recovery, remediation verification, validated rendering, secure report persistence, updated skill instructions, and extensive unit coverage.

Changes

Dependency audit

Layer / File(s) Summary
Dependency collection and CLI export
skills/ns-audit-dependencies/collect-dependencies.cjs
Exports collectDependencies, adjusts pnpm parsing state, and changes CLI failures to thrown errors with exit codes.
NCM client and audit primitives
skills/ns-audit-dependencies/audit-dependencies.cjs
Adds GraphQL batching, retries, failure classification, semantic-version handling, content compaction, and CLI helpers.
Audit orchestration and remediation
skills/ns-audit-dependencies/audit-dependencies.cjs, packages/core/test/unit/skills/audit-dependencies-script.test.ts
Implements bounded concurrency, recovery, vulnerability findings, remediation verification, progress reporting, and output integrity checks.
Report validation and rendering
skills/ns-audit-dependencies/render-audit-report.cjs, packages/core/test/unit/skills/audit-dependencies-renderer.test.ts
Adds summary validation, Markdown-safe rendering, coverage gaps, remediation details, and deterministic renderer tests.
Report persistence and CLI integration
skills/ns-audit-dependencies/audit-report-output.cjs, skills/ns-audit-dependencies/audit-dependencies.cjs, packages/core/test/unit/skills/audit-dependencies-output.test.ts
Persists reports atomically with secure permissions, handles filename collisions, and integrates summary, Markdown, and JSON output modes.
Skill workflow and guardrails
skills/ns-audit-dependencies/SKILL.md
Updates helper execution, injected-result handling, incomplete-audit rules, report usage, remediation guardrails, and JSON behavior.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Skill
  participant audit-dependencies.cjs
  participant collectDependencies
  participant NCM
  participant renderAuditReport
  participant audit-report-output
  Skill->>audit-dependencies.cjs: run audit command
  audit-dependencies.cjs->>collectDependencies: collect dependency tree
  audit-dependencies.cjs->>NCM: fetch dependency and remediation scores
  NCM-->>audit-dependencies.cjs: scores, failures, or omitted responses
  audit-dependencies.cjs->>renderAuditReport: validate and render summary
  renderAuditReport->>audit-report-output: save report and executive summary
  audit-report-output-->>Skill: linked authoritative summary
Loading

Possibly related issues

  • nodesource/nsolid-plugin#50 — Covers the scalable, resilient, remediation-aware dependency audit behavior implemented here.

Suggested reviewers: dobleuber, mafesernaarboleda, ehortua

Poem

I hopped through batches, swift and bright,
Found risky leaves and versions right.
Retries bounced; reports stayed whole.
Safe links guided every goal.
A bunny cheers the audit’s cast.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: moving dependency audit work through the CJS helper and improving scalability.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch cesar/dependency-updates

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@skills/ns-audit-dependencies/audit-dependencies.cjs`:
- Around line 719-723: Update the score handling in activeVulnerabilities so
non-array or missing pkg.scores is treated as an invalid-response and the
package remains unchecked, rather than defaulting to an empty clean result.
Preserve filtering and compactVulnerability mapping only for valid score arrays.
- Around line 200-206: Bound all nested NCM-provided finding content, not just
the package count controlled by MAX_FINDINGS. Extend compactStringList and the
finding-processing paths to cap collection sizes and individual string lengths
for vulnerabilities, assessments, ranges, and related fields, while tracking and
reporting how many items or characters were truncated. Apply the same limits
consistently across the other finding aggregation and output paths.

In `@skills/ns-audit-dependencies/SKILL.md`:
- Line 13: Update the fenced command block in SKILL.md to specify the Bash
language by changing its opening fence to ```bash, while preserving the block’s
existing contents and closing fence.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 32b3bbbc-59a9-4908-a6d2-b3f6d40420a5

📥 Commits

Reviewing files that changed from the base of the PR and between ace2ec3 and f3de91b.

📒 Files selected for processing (4)
  • packages/core/test/unit/skills/audit-dependencies-script.test.ts
  • skills/ns-audit-dependencies/SKILL.md
  • skills/ns-audit-dependencies/audit-dependencies.cjs
  • skills/ns-audit-dependencies/collect-dependencies.cjs

Comment on lines +200 to +206
function compactStringList (value) {
const values = Array.isArray(value) ? value : typeof value === 'string' ? [value] : []
return Array.from(new Set(values
.filter(item => typeof item === 'string')
.map(item => item.trim())
.filter(Boolean)))
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀 Performance & Scalability | 🟠 Major | ⚡ Quick win

Bound each finding’s nested content.

MAX_FINDINGS limits package count only; NCM-provided vulnerabilities, assessments, ranges, and strings remain unbounded. A verbose response can still generate arbitrarily large stdout and agent context. Cap collection sizes/string lengths and report truncation counts.

Also applies to: 274-309, 724-739

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/ns-audit-dependencies/audit-dependencies.cjs` around lines 200 - 206,
Bound all nested NCM-provided finding content, not just the package count
controlled by MAX_FINDINGS. Extend compactStringList and the finding-processing
paths to cap collection sizes and individual string lengths for vulnerabilities,
assessments, ranges, and related fields, while tracking and reporting how many
items or characters were truncated. Apply the same limits consistently across
the other finding aggregation and output paths.

Comment thread skills/ns-audit-dependencies/audit-dependencies.cjs Outdated
Comment thread skills/ns-audit-dependencies/SKILL.md Outdated
  - remove the 50-package findings limit
  - bound oversized NCM strings with truncation accounting
  - treat malformed score responses as unchecked
  - match resolved versions returned for latest requests
  - support SemVer build metadata in remediation checks
  - update audit instructions and regression coverage

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@skills/ns-audit-dependencies/render-audit-report.cjs`:
- Around line 30-67: Extend validateAuditSummary to validate every nested object
and collection required by validation and rendering—including vulnerabilities,
packages, batchFailures, and each finding.moduleRisks—before any property
dereference or iteration. For every missing or malformed structure, throw
integrityError so malformed summaries consistently preserve the
AUDIT_REPORT_INTEGRITY_ERROR contract; keep valid-summary counting behavior
unchanged.
- Around line 51-67: Update the summary validation in render-audit-report.cjs to
validate batchFailures and remediation.failures counters as non-negative values
and assert each total matches the sum represented by its byReason breakdown,
preventing contradictory rendered totals. Extend the existing integrity-error
regression tests with cases covering both mismatch types, while preserving the
current validation behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e348be1c-f3fc-4eb7-95d0-6a57c0e0d4c4

📥 Commits

Reviewing files that changed from the base of the PR and between e729559 and d85e005.

📒 Files selected for processing (5)
  • packages/core/test/unit/skills/audit-dependencies-renderer.test.ts
  • packages/core/test/unit/skills/audit-dependencies-script.test.ts
  • skills/ns-audit-dependencies/SKILL.md
  • skills/ns-audit-dependencies/audit-dependencies.cjs
  • skills/ns-audit-dependencies/render-audit-report.cjs
🚧 Files skipped from review as they are similar to previous changes (2)
  • skills/ns-audit-dependencies/audit-dependencies.cjs
  • packages/core/test/unit/skills/audit-dependencies-script.test.ts

Comment thread skills/ns-audit-dependencies/render-audit-report.cjs Outdated
Comment thread skills/ns-audit-dependencies/render-audit-report.cjs

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@skills/ns-audit-dependencies/audit-report-output.cjs`:
- Around line 42-45: In the report-generation flow, capture an immutable
snapshot of summary before the awaited saveAuditReport call, then pass that
snapshot to both renderAuditReport and renderAuditSummary so persistence-time
mutations cannot change either output. Add a regression test covering mutation
of the original summary during save and verify the returned report and
executiveSummary remain consistent.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 73806ee3-86ad-4e3b-94bb-407ec1d68600

📥 Commits

Reviewing files that changed from the base of the PR and between 6df6534 and 484b31f.

📒 Files selected for processing (7)
  • packages/core/test/unit/skills/audit-dependencies-output.test.ts
  • packages/core/test/unit/skills/audit-dependencies-renderer.test.ts
  • packages/core/test/unit/skills/audit-dependencies-script.test.ts
  • skills/ns-audit-dependencies/SKILL.md
  • skills/ns-audit-dependencies/audit-dependencies.cjs
  • skills/ns-audit-dependencies/audit-report-output.cjs
  • skills/ns-audit-dependencies/render-audit-report.cjs
🚧 Files skipped from review as they are similar to previous changes (4)
  • skills/ns-audit-dependencies/SKILL.md
  • skills/ns-audit-dependencies/render-audit-report.cjs
  • skills/ns-audit-dependencies/audit-dependencies.cjs
  • packages/core/test/unit/skills/audit-dependencies-script.test.ts

Comment thread skills/ns-audit-dependencies/audit-report-output.cjs
@Cesar-M-Diaz
Cesar-M-Diaz force-pushed the cesar/dependency-updates branch from 484b31f to a3f47bb Compare July 17, 2026 15:59
if (result) {
state.hadResponse = true
const active = activeVulnerabilities(result)
const resultVersion = truncateNcmString(result.version)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Line 741 calls truncateNcmString(result.version) without the truncation counter, then line 745 calls it again with ncmContentTruncation. If result.version exceeds 4096, the first call truncates without counting. The second call gets a string ≤ 4096 and won't truncate, so the truncation of this version goes uncounted.

if (!uncheckedByKey.has(key)) {
uncheckedByKey.set(key, {
name: requestedPackage.name,
version: pkg && pkg.version && requestedPackage.version === 'latest' ? pkg.version : requestedPackage.version,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If a request was made with version latest and the batch fails before getting a response, recordUnchecked stores "latest" as the version string (since pkg.version is "latest" and requestedPackage.version === "latest" is true). The unchecked-packages report will show version: "latest", which is unhelpful — it does not tell the operator which version was actually installed and unchecked.


for (const vulnerability of finding.vulnerabilities.filter(item => !item.withdrawn)) {
for (const range of vulnerability.patched || []) {
const match = range.match(/(?:^|[\s|,(])>=?\s*v?(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)/)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The patched-range regex (line 295) uses range.match(...) with no while loop, so it only captures the first boundary. The vulnerable-range regex (line 299-301) uses a while loop with /g flag to capture all. If an advisory specifies multiple patched ranges (e.g., >= 1.0.0 || >= 2.0.0), the second boundary is silently dropped.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants