# Weekly dependency guard (QA-B0-02 durable fix): dependency rot must surface # as a red scheduled run, not wait for the next manual audit. Fails on any # high+ vulnerability in production deps; prints the outdated report either way. name: deps-audit on: schedule: - cron: '0 11 * * 1' # Mondays 11:00 UTC (~06:00 America/Chicago) workflow_dispatch: jobs: audit: runs-on: docker container: image: node:22-bookworm steps: - uses: actions/checkout@v4 - name: Install (lockfile-exact) run: npm ci - name: Audit production deps (fail on high or critical) run: npm audit --omit=dev --audit-level=high - name: Outdated report (informational) run: npm outdated || true