archy/scripts/audit-deps.sh

#!/bin/bash
set -euo pipefail
# SEC-203: Dependency audit — run npm audit and cargo audit.

REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"

log() { echo -e "\033[1;34m[AUDIT]\033[0m $*"; }

main() {
  log "=== Dependency Audit ==="
  echo ""

  # Frontend — npm audit
  log "Running npm audit..."
  cd "$REPO_ROOT/neode-ui"
  npm audit --omit=dev 2>&1 | tail -20 || true
  echo ""

  # Backend — cargo audit (if installed)
  log "Checking for cargo-audit..."
  if command -v cargo-audit &>/dev/null; then
    log "Running cargo audit..."
    cd "$REPO_ROOT/core"
    cargo audit 2>&1 | tail -20 || true
  else
    log "cargo-audit not installed locally — run on build server:"
    log "  cargo install cargo-audit && cd core && cargo audit"
  fi

  echo ""

  # Check for pinned versions in Cargo.toml
  log "Checking Cargo.toml version pinning..."
  local unpinned
  unpinned=$(grep -E '^[a-z].*= "[^=><~]' "$REPO_ROOT/core/archipelago/Cargo.toml" 2>/dev/null | grep -v '= "' || echo "")
  if [ -z "$unpinned" ]; then
    log "  All Cargo dependencies appear pinned"
  else
    log "  WARNING: Some deps may not be pinned:"
    echo "$unpinned" | head -5 | sed 's/^/    /'
  fi

  # Check for pinned versions in package.json
  log "Checking package.json version pinning..."
  local npm_unpinned
  npm_unpinned=$(grep -E '"[^"]+": "\^|~' "$REPO_ROOT/neode-ui/package.json" | head -10 || echo "")
  if [ -n "$npm_unpinned" ]; then
    log "  NOTE: Some npm deps use ^ or ~ (normal for npm):"
    echo "$npm_unpinned" | head -5 | sed 's/^/    /'
  fi

  echo ""
  log "=== Audit Complete ==="
}

main "$@"
fix: prevent tokio runtime deadlock in credential issue/verify The credential issuance and verification handlers used Handle::block_on() directly inside the tokio runtime, causing a deadlock. Wrapped with block_in_place() to properly yield the runtime thread. Also completed full feature verification across all 25 test groups (~175 checks) on live server. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-09 07:43:12 +00:00			`#!/bin/bash`
			`set -euo pipefail`
			`# SEC-203: Dependency audit — run npm audit and cargo audit.`

			`REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"`

			`log() { echo -e "\033[1;34m[AUDIT]\033[0m $*"; }`

			`main() {`
			`log "=== Dependency Audit ==="`
			`echo ""`

			`# Frontend — npm audit`
			`log "Running npm audit..."`
			`cd "$REPO_ROOT/neode-ui"`
			`npm audit --omit=dev 2>&1 \| tail -20 \|\| true`
			`echo ""`

			`# Backend — cargo audit (if installed)`
			`log "Checking for cargo-audit..."`
			`if command -v cargo-audit &>/dev/null; then`
			`log "Running cargo audit..."`
			`cd "$REPO_ROOT/core"`
			`cargo audit 2>&1 \| tail -20 \|\| true`
			`else`
			`log "cargo-audit not installed locally — run on build server:"`
			`log " cargo install cargo-audit && cd core && cargo audit"`
			`fi`

			`echo ""`

			`# Check for pinned versions in Cargo.toml`
			`log "Checking Cargo.toml version pinning..."`
			`local unpinned`
			`unpinned=$(grep -E '^[a-z].*= "[^=><~]' "$REPO_ROOT/core/archipelago/Cargo.toml" 2>/dev/null \| grep -v '= "' \|\| echo "")`
			`if [ -z "$unpinned" ]; then`
			`log " All Cargo dependencies appear pinned"`
			`else`
			`log " WARNING: Some deps may not be pinned:"`
			`echo "$unpinned" \| head -5 \| sed 's/^/ /'`
			`fi`

			`# Check for pinned versions in package.json`
			`log "Checking package.json version pinning..."`
			`local npm_unpinned`
			`npm_unpinned=$(grep -E '"[^"]+": "\^\|~' "$REPO_ROOT/neode-ui/package.json" \| head -10 \|\| echo "")`
			`if [ -n "$npm_unpinned" ]; then`
			`log " NOTE: Some npm deps use ^ or ~ (normal for npm):"`
			`echo "$npm_unpinned" \| head -5 \| sed 's/^/ /'`
			`fi`

			`echo ""`
			`log "=== Audit Complete ==="`
			`}`

			`main "$@"`