- `npm run audit:deps` runs `npm audit` against the official npm registry.
- `npm run audit:licenses` summarizes dependency licenses.
- Dependabot is configured for npm and GitHub Actions updates.
- High- and critical-severity vulnerabilities should block releases and be fixed or explicitly removed from the dependency graph.
- Moderate vulnerabilities are triaged case by case when:
  - the upstream fix is breaking (a major-version upgrade),
  - no fix is available yet, or
  - the vulnerable code path is not reachable in ClawBox runtime behavior.
- The `react-syntax-highlighter` upgrade should be evaluated carefully because the fix `npm audit` offers is a breaking (major-version) upgrade.
- `extract-zip` currently depends on `yauzl`; if `npm audit` still reports that chain, prefer replacing the dependency over suppressing the finding long term.
Before tagging a release:
- Run `npm run audit:deps`.
- Review any remaining findings.
- Document accepted residual risk in the release PR or release notes when an upstream fix is unavailable: which finding, why it does not apply or cannot be fixed yet, and when it will be revisited.
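The triage policy and the pre-release steps above can be enforced mechanically rather than by reading `npm audit` output by eye. The script below is an added example, not ClawBox project code: it parses the JSON that `npm audit --json` prints (npm 7+, `auditReportVersion` 2, whose `fixAvailable` field is `true`, `false`, or an object with `isSemVerMajor`), blocks on high/critical, sorts moderate findings into fix-now, triage (breaking fix or no fix yet) and accepted (documented residual risk), and flags an acceptance as stale once a non-breaking fix appears. The `SAMPLE_REPORT`, the `SAMPLE_ACCEPTED` map and all package names in it are constructed placeholders, not real advisories or ClawBox dependencies.

```javascript
// Added example (not ClawBox project code): release gate over `npm audit --json`.
// Usage: npm audit --json > audit.json && node audit-gate.js audit.json
// Without a path argument it runs against the constructed SAMPLE_REPORT below.

const BLOCKING = new Set(["high", "critical"]);

// Classify one entry of report.vulnerabilities. `accepted` maps a package name to
// the residual-risk reason recorded in the release PR/notes (hypothetical map).
function classify(name, vuln, accepted) {
  const fix = vuln.fixAvailable; // npm emits true, false, or {name, version, isSemVerMajor}
  const nonBreakingFix = fix === true || (fix && typeof fix === "object" && !fix.isSemVerMajor);

  if (BLOCKING.has(vuln.severity)) {
    return { name, severity: vuln.severity, verdict: "block",
      reason: "high/critical must be fixed or removed from the dependency graph before release" };
  }
  if (vuln.severity !== "moderate") {
    return { name, severity: vuln.severity, verdict: "info", reason: "below the triage threshold" };
  }
  if (nonBreakingFix) {
    // An earlier acceptance no longer applies once a non-breaking fix exists.
    return { name, severity: "moderate", verdict: "fix",
      reason: accepted[name]
        ? "previously accepted, but a non-breaking fix is now available; run npm audit fix"
        : "non-breaking fix available; run npm audit fix" };
  }
  if (accepted[name]) {
    return { name, severity: "moderate", verdict: "accepted", reason: accepted[name] };
  }
  if (fix === false) {
    return { name, severity: "moderate", verdict: "triage", reason: "no upstream fix available yet" };
  }
  // Remaining case: fix is an object with isSemVerMajor === true (breaking upgrade).
  return { name, severity: "moderate", verdict: "triage",
    reason: `fix requires breaking upgrade to ${fix.name}@${fix.version}` };
}

// Apply classify() to a whole report; ok is false when anything blocks the release.
function gateAudit(report, accepted = {}) {
  if (report.auditReportVersion !== undefined && report.auditReportVersion !== 2) {
    throw new Error(`unsupported audit report version ${report.auditReportVersion}; expected 2 (npm 7+)`);
  }
  const results = Object.entries(report.vulnerabilities || {})
    .map(([name, vuln]) => classify(name, vuln, accepted));
  const pick = verdict => results.filter(r => r.verdict === verdict);
  return {
    ok: pick("block").length === 0,
    blocking: pick("block"),
    fixNow: pick("fix"),
    triage: pick("triage"),
    accepted: pick("accepted"),
  };
}

// Constructed sample shaped like an npm 7+ audit report. Package names, severities
// and ranges are placeholders, not real advisories.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "placeholder-direct": { name: "placeholder-direct", severity: "high", isDirect: true,
      via: [{ title: "placeholder advisory", severity: "high" }], effects: [],
      range: "<2.0.0", nodes: ["node_modules/placeholder-direct"], fixAvailable: true },
    "placeholder-highlighter": { name: "placeholder-highlighter", severity: "moderate", isDirect: true,
      via: ["placeholder-lexer"], effects: [], range: "<=15.0.0",
      nodes: ["node_modules/placeholder-highlighter"],
      fixAvailable: { name: "placeholder-highlighter", version: "16.0.0", isSemVerMajor: true } },
    "placeholder-transitive": { name: "placeholder-transitive", severity: "moderate", isDirect: false,
      via: [{ title: "placeholder advisory", severity: "moderate" }], effects: ["placeholder-zip"],
      range: "<3.0.0", nodes: ["node_modules/placeholder-transitive"], fixAvailable: false },
    "placeholder-easy": { name: "placeholder-easy", severity: "moderate", isDirect: false,
      via: [{ title: "placeholder advisory", severity: "moderate" }], effects: [],
      range: "<1.2.0", nodes: ["node_modules/placeholder-easy"], fixAvailable: true },
    "placeholder-low": { name: "placeholder-low", severity: "low", isDirect: false,
      via: [{ title: "placeholder advisory", severity: "low" }], effects: [],
      range: "*", nodes: ["node_modules/placeholder-low"], fixAvailable: true },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 3, high: 1, critical: 0, total: 5 } },
};

// Constructed acceptance list (hypothetical); in a real repo this lives in version control.
const SAMPLE_ACCEPTED = {
  "placeholder-transitive": "vulnerable function not called on any runtime path; no upstream fix yet; recorded in release PR",
};

// CLI: gate a real audit.json when a readable path is given, otherwise demo on the sample.
const argPath = typeof process !== "undefined" && process.argv ? process.argv[2] : undefined;
const useFile = argPath && typeof require === "function" && require("node:fs").existsSync(argPath);
const demoReport = useFile ? JSON.parse(require("node:fs").readFileSync(argPath, "utf8")) : SAMPLE_REPORT;
const demoVerdict = gateAudit(demoReport, SAMPLE_ACCEPTED);
for (const bucket of ["blocking", "fixNow", "triage", "accepted"]) {
  for (const r of demoVerdict[bucket]) console.log(`${bucket.padEnd(8)} ${r.severity.padEnd(8)} ${r.name}: ${r.reason}`);
}
console.log(demoVerdict.ok ? "release gate: PASS" : "release gate: FAIL (blocking findings present)");
if (useFile) process.exitCode = demoVerdict.ok ? 0 : 1;
```

Wire `node audit-gate.js audit.json` into the release job after `npm run audit:deps` so a blocking finding fails the pipeline, and keep the acceptance map in the repository so the reason for each accepted finding is reviewed alongside the release PR. The gate deliberately refuses npm 6 (`auditReportVersion` 1) reports rather than silently passing them.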