
chore(ci): prune dead audit accept-list entries (drizzle 39356, path-to-regexp 4867)#130

Open

chitcommit wants to merge 4 commits into main from chore/audit-accept-list-prune

Conversation

@chitcommit

@chitcommit chitcommit commented Jun 4, 2026


Summary

Verification

Local pnpm audit --prod --json --ignore-workspace --ignore-registry-errors returns 0 high/critical advisories after the prune — the gate continues to pass.

Test plan

  • Security Gates / Dependency Audit (High+) green on this PR

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Added automated pull request merge workflow for streamlined development processes.
    • Updated security vulnerability tracking to reflect current advisories.
    • Upgraded development dependencies to latest versions for improved stability and features.

chitcommit and others added 3 commits June 4, 2026 05:24
Calls chittyfoundation/.github reusable workflow to arm
auto-merge --squash --delete-branch on every non-draft PR.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Patches GHSA-gpj5-g38j-94v9 (SQL injection via improperly escaped
sql.identifier() / sql.as()). First patched version: 0.45.2.

Also bumps drizzle-kit 0.31.9 -> 0.31.10 (kept on 0.31.x for orm 0.45
compatibility).

No chittyfinance code changes required:
- decimal/numeric API unchanged (0.41 added opt-in modes only)
- DrizzleQueryError wrapping (0.44) does not affect our error
  middleware -- no driver error code inspection in server/lib or
  server/middleware
- query builder, $inferSelect/$inferInsert signatures stable

Verification:
- npm run check: clean
- npm test: 23 failed / 293 passed (identical to pre-bump baseline;
  pre-existing failures unrelated to this bump)
- pnpm audit --prod: drizzle-orm no longer in high/critical advisories

Follow-up: CVE-2026-39356 can be removed from the accept-list in
.github/workflows/security-gates.yml in a separate PR -- the gated
audit step will continue to pass because the CVE is no longer present
in the dep graph.

Refs #126

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…to-regexp 4867)

drizzle-orm bumped to 0.45.2 on main (f4b4d84) patches CVE-2026-39356.
path-to-regexp CVE-2026-4867 no longer fires in pnpm audit --prod.
Local audit shows 0 high/critical advisories after removal.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@chitcommit chitcommit enabled auto-merge (squash) June 4, 2026 12:51
@github-actions

github-actions Bot commented Jun 4, 2026


@coderabbitai review

Please evaluate:

  • Security implications
  • Credential exposure risk
  • Dependency supply chain concerns
  • Breaking API changes

@coderabbitai

coderabbitai Bot commented Jun 4, 2026


Review Change Stack

📝 Walkthrough

Walkthrough

This PR bumps the drizzle-orm dependency from 0.39.1 to 0.45.2 and drizzle-kit from 0.31.9 to 0.31.10, updates the security audit ignored advisories to reflect compatibility with the new versions, and adds a new auto-arm-merge GitHub Actions workflow for pull request automation.

Changes

Dependency Updates and CI Configuration

Layer / File(s) Summary
Drizzle-ORM/Kit version bumps and security gates sync
package.json, .github/workflows/security-gates.yml
Drizzle-orm bumped to ^0.45.2 and drizzle-kit to ^0.31.10. Security audit accepted advisories table and ignored IDs array updated: CVE-2026-39356 (drizzle-orm) and CVE-2026-4867 (path-to-regexp) removed from ignore list; CVE-2026-4800 (micromatch) added.
Auto-arm-merge GitHub Actions workflow
.github/workflows/auto-arm-merge.yml
New workflow added that triggers on pull request opened, ready_for_review, and reopened events, delegating to a reusable workflow in the chittyfoundation organization.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

Possibly related PRs

  • chittyapps/chittyfinance#129: Overlapping package.json dependency bumps (drizzle-orm to ^0.45.2, drizzle-kit to ^0.31.10) and auto-arm-merge.yml workflow setup.
  • chittyapps/chittyfinance#124: Related security-gates.yml dependency audit accept/ignore CVE list updates that align with the gating mechanism modified in this PR.

Suggested reviewers

  • mrniceweird

Poem

🐰 A rabbit hops with glee today,
Drizzle flows the modern way!
Security gates stand tall and true,
Auto-arm workflows swift—brand new! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically summarizes the main change: removing (pruning) dead audit accept-list entries for two CVEs (drizzle-orm 39356 and path-to-regexp 4867).
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@claude

claude Bot commented Jun 4, 2026


Code Review — PR #130: Prune dead audit accept-list entries

Overview

This PR does three things bundled together:

  1. Removes two patched CVEs from the security-gate accept-list (CVE-2026-39356 / drizzle-orm, CVE-2026-4867 / path-to-regexp)
  2. Bumps drizzle-orm from ^0.39.1 → ^0.45.2 and drizzle-kit from ^0.31.9 → ^0.31.10
  3. Adds a new auto-arm-merge.yml CI workflow
  4. Incidentally picks up a broad sweep of transitive dependency updates in the lockfile

The security pruning goal is exactly right — no longer allowing CVEs that are actually patched is the correct hygiene. A few issues worth addressing before merge.


Issues

🔴 drizzle-orm 0.39 → 0.45 with no accompanying code changes

This is a 6-minor-version jump in a pre-1.0 library with a history of breaking changes between minors. The diff shows zero source file changes alongside this upgrade — no route updates, no storage changes, nothing in server/storage/system.ts. If drizzle-orm introduced any API changes between 0.39 and 0.45 (e.g. query builder changes, .$dynamic() changes, type signature shifts), they would surface at type-check time or at runtime, not in this diff.

Required: confirm npm run check passes cleanly on this branch. The PR description mentions pnpm audit but not the typecheck gate.

🔴 auto-arm-merge.yml pins to @main, not a SHA

uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main

Referencing an external reusable workflow at a mutable ref (@main) is a supply-chain risk — a compromised push to that branch would execute on every new PR in this repo without any change here. GitHub's security hardening guide recommends pinning to a full commit SHA.

Required: pin to a full SHA, e.g.:

uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@<full-sha>

🟡 Scope: lockfile carries many unrelated bumps

The lockfile includes upgrades that go well beyond the stated CVE pruning:

  • @tanstack/react-query: 5.90.16 → 5.101.0
  • react-hook-form: 7.71.1 → 7.77.0
  • express-session: 1.18.2 → 1.19.0 (+ its types)
  • jose: 6.1.3 → 6.2.3
  • @modelcontextprotocol/sdk: 1.27.1 → 1.29.0
  • vite: 7.3.1 → 7.3.5, vitest: 4.0.18 → 4.1.8
  • Full babel toolchain bump (@babel/*: 7.28.x → 7.29.x)
  • wouter: 3.9.0 → 3.10.0
  • openai: 4.95 → 4.104
  • pg: 8.16.3 → 8.21.0, @types/pg: 8.16.0 → 8.20.0

These are all broad-spectrum changes that belong in a dedicated dependency maintenance PR, not bundled with a security audit fix. Mixed scope makes the blast radius harder to reason about and bisect if something regresses.

This isn't a blocker, but worth noting: if a regression surfaces after merge, it'll be harder to attribute to a specific dependency.

🟡 drizzle-zod compatibility not verified

drizzle-zod stays at ^0.7.0 while drizzle-orm jumps to 0.45.2. The resolved version in the lockfile (0.7.1) should work, but the PR description doesn't mention verifying that drizzle-zod's peer-dependency range covers drizzle-orm@0.45.x. Please confirm.


What's correct

  • The CVE accept-list pruning is clean and correctly paired: comment table and the JSON allow-list both updated.
  • The drizzle-orm semver range (^0.45.2) is correctly narrowed so pnpm won't pull in an older patched version.
  • drizzle-kit patch bump (0.31.9 → 0.31.10) is low-risk.
  • Removing the path-to-regexp entry is consistent with it no longer appearing in pnpm audit --prod.

Verdict

Two hard blockers before merge:

  1. Confirm npm run check passes on this branch (drizzle API compat)
  2. Pin auto-arm-merge.yml to a commit SHA

The lockfile scope sprawl is advisory — worth calling out for future hygiene rather than blocking this one if the blockers above are resolved.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/auto-arm-merge.yml:
- Line 7: Replace the reusable workflow reference that currently uses the branch
tag "uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main"
with a pinned commit SHA (e.g., "uses:
chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@<commit-sha>");
obtain the current HEAD commit SHA from the chittyfoundation/.github repo and
substitute it for <commit-sha>, and consider periodically updating that SHA via
Dependabot/Renovate to keep the reference secure and reviewable.

📥 Commits

Reviewing files that changed from the base of the PR and between d579b98 and 5187df6.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • .github/workflows/auto-arm-merge.yml
  • .github/workflows/security-gates.yml
  • package.json
💤 Files with no reviewable changes (1)
  • .github/workflows/security-gates.yml

    types: [opened, ready_for_review, reopened]
jobs:
  arm:
    uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin the reusable workflow to a specific commit hash.

Using @main for the reusable workflow reference means this workflow will automatically use the latest version from the chittyfoundation repository. If that workflow is modified (maliciously or accidentally), this repository will be affected without explicit review.

🔒 Recommended fix to pin the workflow reference
-    uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main
+    uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@<commit-sha>
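Review bot: the `+` line leaves `<commit-sha>` as a placeholder and carries no human-readable marker, so on its own it neither clears the zizmor `unpinned-uses` finding nor tells a later reviewer what the pin corresponds to; fill it with the full 40-character commit SHA of chittyfoundation/.github and append a trailing comment naming the ref and date it was taken from (for example `# main, 2026-06-04`) so a Dependabot or Renovate bump of that SHA can be reviewed against what it replaced.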

Replace <commit-sha> with the current HEAD commit SHA of the main branch in the chittyfoundation/.github repository. You can update this periodically via Dependabot or Renovate.

🧰 Tools
🪛 zizmor (1.25.2)

[error] 7-7: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

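The unpinned `uses:` reference discussed above is easy to catch mechanically before zizmor or a reviewer sees it. The block below is an added example written for this page, not zizmor and not code from the chittyfinance or chittyfoundation repositories: a Python checker that walks a workflow file line by line, reports every remote `uses:` reference whose version is not a full 40-hex commit SHA, and rewrites a line to a SHA pin with a trailing comment naming the ref it replaced. The sample workflow text and the SHA values it runs on are constructed; only the `auto-arm-merge.yml@main` line mirrors the reference quoted in the review.

```python
"""Detect and fix `uses:` references that are not pinned to a commit SHA.

Added example for this page; it is not zizmor and not code from the
chittyfinance or chittyfoundation repositories. It works on the workflow
text directly (no YAML library), which is enough for the one-line `uses:`
form GitHub Actions uses for both actions and reusable workflows.
"""
import re

# `uses: owner/repo/path@ref` with an optional leading list dash and an
# optional trailing `# comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def split_ref(ref):
    """'owner/repo/path@ref' -> ('owner/repo/path', 'ref'); no '@' -> (ref, None)."""
    if "@" not in ref:
        return ref, None
    target, _, version = ref.rpartition("@")
    return target, version


def find_unpinned(workflow_text):
    """Return [(line_number, target, version)] for every remote reference
    whose version is not a full 40-hex commit SHA. Local `./` references
    cannot be SHA-pinned and `docker://` images are pinned by digest
    instead, so both are skipped."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, version = split_ref(m.group(1))
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if version is None or not FULL_SHA_RE.match(version):
            findings.append((lineno, target, version))
    return findings


def pin_line(line, sha, label):
    """Rewrite one `uses:` line to `target@<sha>  # label`, replacing any
    existing trailing comment so the human-readable marker stays accurate."""
    if not FULL_SHA_RE.match(sha):
        raise ValueError("pin to a full 40-character lowercase hex commit SHA")
    m = USES_RE.match(line)
    if not m:
        raise ValueError("not a uses: line")
    target, _ = split_ref(m.group(1))
    head = line[: m.start(1)]  # indentation, optional dash and 'uses: '
    return f"{head}{target}@{sha}  # {label}"


# Constructed sample workflow: the `arm` job mirrors the reference quoted in
# the review; the checkout SHA and the remaining steps are placeholders.
SAMPLE_WORKFLOW = """name: auto-arm-merge
on:
  pull_request:
    types: [opened, ready_for_review, reopened]
jobs:
  arm:
    uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main
  checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    for lineno, target, version in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {target}@{version} is not pinned to a commit SHA")
```

Run against the sample it reports line 7 (the `@main` reusable workflow) and line 12 (`actions/setup-node@v4`), and leaves the SHA-pinned checkout and the local `./` action alone. The SHA for a real pin comes from the remote, for example `git ls-remote https://github.com/chittyfoundation/.github main`, and the trailing comment `pin_line` writes is what lets a later Dependabot or Renovate bump be reviewed against the ref it replaced.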

@github-actions

github-actions Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

@coderabbitai review

Please evaluate:

  • Security implications
  • Credential exposure risk
  • Dependency supply chain concerns
  • Breaking API changes

@claude

claude Bot commented Jun 4, 2026


LGTM — clean accept-list hygiene. Full review below.

Overview: Prunes two stale CVE entries now resolved upstream. CVE-2026-39356 (drizzle-orm) was patched by the 0.39.1 to 0.45.2 upgrade in commit f4b4d84 on main. CVE-2026-4867 (path-to-regexp) is no longer surfaced by pnpm audit --prod. 1 file, 0 additions, 5 deletions — appropriately minimal.

Code Quality: Both the comment-block entry and the JSON ignore-list entry are removed together for each CVE with no orphaned lines left behind. The surrounding accept-list is untouched.

Correctness: Removing the drizzle-orm entry is correct assuming f4b4d84 is on main as stated. Removing path-to-regexp without a specific bump commit is fine given the CI gate will catch any regression.

Security: Pruning resolved entries is good hygiene. An ever-growing accept-list creates noise and risks masking real future advisories.

Minor suggestions (non-blocking): (1) Link f4b4d84 or the drizzle upgrade PR for traceability. (2) A brief note on why path-to-regexp is no longer surfaced would improve the audit trail.

Verdict: No issues found. Approve once Security Gates / Dependency Audit (High+) goes green.

@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor


🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== .github/workflows/security-gates.yml ==="
cat .github/workflows/security-gates.yml

echo ""
echo "=== .github/workflows/auto-arm-merge.yml ==="
cat .github/workflows/auto-arm-merge.yml

echo ""
echo "=== package.json ==="
cat package.json

echo ""
echo "=== pnpm-lock.yaml (first 100 lines) ==="
head -100 pnpm-lock.yaml

echo ""
echo "=== Check for any drizzle schema files that may indicate breaking API impact ==="
fd -e ts -e js drizzle --exclude node_modules | head -20

echo ""
echo "=== Check drizzle config file ==="
fd drizzle.config -e ts -e js | head -5 | xargs -I{} cat {}

echo ""
echo "=== GH advisory lookup for CVE-2026-4800 (micromatch) ==="
gh api graphql -f query='
{
  securityAdvisory(ghsaId: "GHSA-952p-6rrq-rcjv") {
    summary
    severity
    cvss { score }
    publishedAt
    vulnerabilities(first: 5) {
      nodes {
        package { name }
        vulnerableVersionRange
        firstPatchedVersion { identifier }
      }
    }
  }
}' 2>/dev/null || echo "GraphQL query failed, trying REST"

echo ""
echo "=== Check auto-arm-merge reusable workflow source ==="
gh api repos/chittyfoundation/.github/contents/.github/workflows/auto-arm-merge.yml 2>/dev/null | jq -r '.content' | base64 -d 2>/dev/null || echo "Could not fetch reusable workflow"

Length of output: 20945



@github-actions[bot] — here is the detailed evaluation across all four requested dimensions:


Security Review — PR #130

1. Security Implications ✅ / ⚠️

Positive:

  • Removing CVE-2026-39356 from the accept-list is correctly justified: drizzle-orm was upgraded from 0.39.1 → 0.45.2 (commit f4b4d84), which patches the vulnerability.
  • Removing CVE-2026-4867 (path-to-regexp) is also correct: pnpm.overrides in package.json forces path-to-regexp >= 8.4.0, so the vulnerable version cannot be resolved.
  • The jq-based audit gate logic is well-structured: it fails closed when no parseable JSON is produced, matches by both CVE and GHSA IDs, and handles the null-id guard correctly.

Concern — New accept-list entry (CVE-2026-4800 / micromatch):
The comment table marks CVE-2026-4800 (GHSA-r5fr-rjxr-66jc) as high severity for micromatch. This is newly accepted in this PR. Accepting it is defensible as a short-term measure, but the next-step column says "bump consumer" with no linked issue or milestone. Please ensure this is tracked against the existing tracking issue (#126) with a concrete remediation date.


2. Credential Exposure Risk ✅

  • drizzle.config.ts reads DATABASE_URL entirely from environment — no hardcoded credentials.
  • The working-tree-secret-scan job in security-gates.yml scans for common secret patterns (ghp_*, sk_live_*, AKIA*, private key headers).
  • No credentials, tokens, or sensitive values are visible in any changed file.

3. Dependency Supply Chain Concerns ⚠️

a) Unpinned reusable workflow (high risk):

# .github/workflows/auto-arm-merge.yml
uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main

This references an external organisation's workflow at the mutable @main branch, not a pinned commit SHA. If chittyfoundation/.github is ever compromised or accidentally modified, the change takes effect immediately in this repo's CI. Recommend pinning to a specific commit SHA:

uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@<COMMIT-SHA>

b) drizzle-orm 0.39.1 → 0.45.2 (medium risk):
This is a 6-minor-version jump in a library that ships frequent breaking changes. The PR notes npm run check passes cleanly, which is a good signal, but:

  • drizzle-zod is still pinned at ^0.7.0 in package.json. drizzle-zod is tightly coupled to drizzle-orm's internal type system. The combination of drizzle-orm 0.45.x and drizzle-zod 0.7.x should be verified as explicitly compatible in drizzle's release notes.
  • There are 23 pre-existing test failures in the suite. If any of them are related to drizzle schema/query behaviour, the bump could be masking a regression that the existing failures obscure.

c) Local vs. CI audit flag discrepancy (low risk):
The PR description states local verification was run as:

pnpm audit --prod --json --ignore-workspace --ignore-registry-errors

However, the workflow runs:

pnpm audit --prod --json --ignore-registry-errors

--ignore-workspace excludes local workspace packages from the audit. If any workspace-local packages have transitive vulnerabilities, the CI run may catch them while the local run did not — or vice versa depending on pnpm version behaviour. This should be reconciled to use identical flags.


4. Breaking API Changes ⚠️

drizzle-orm 0.39.1 → 0.45.2:
Between these versions drizzle-orm has shipped a number of changes (relation query API updates, type-system narrowing changes, $count API additions, dialect-specific breaking changes). The PR description acknowledges "same 23 failures / 293 passed as before the bump" which is reassuring, but:

  • It would be stronger evidence to confirm via npm run check (TypeScript compilation) that no drizzle-derived types changed in a way that was silently widened rather than errored.
  • The drizzle.config.ts uses dialect: "postgresql" — verify the PostgreSQL dialect's schema-push behaviour (npm run db:push) against drizzle-kit 0.31.10 is unchanged before merging to main (per the team's documented practice of running npm run db:push on schema updates).

Summary Table

Area Status Action Required
CVE-2026-39356 removal (drizzle-orm) ✅ Correct None
CVE-2026-4867 removal (path-to-regexp) ✅ Correct None
CVE-2026-4800 (micromatch) accept ⚠️ Accepted Link to tracking issue #126, set deadline
Credential exposure ✅ None found None
auto-arm-merge.yml unpinned @main ⚠️ Supply chain risk Pin to commit SHA
drizzle-orm major bump + drizzle-zod compat ⚠️ Verify Confirm drizzle-zod compatibility
Local vs CI audit flags ⚠️ Discrepancy Align --ignore-workspace usage
Breaking API changes ⚠️ Low confidence Confirm TypeScript types + db:push

The core goal of this PR (pruning resolved CVEs from the accept-list) is sound. The two items that warrant attention before merging are the unpinned reusable workflow and drizzle-zod compatibility with the bumped drizzle-orm version.


🧠 Learnings used
Learnt from: CR
Repo: chittyapps/chittyfinance PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-03-07T14:48:32.602Z
Learning: Keep PRs small and focused; include summary, rationale, and screenshots for UI changes; link related issues; document env/DB changes and run `npm run db:push` when schema updates
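The review above credits the security-gates.yml audit step with three properties: it fails closed when pnpm produces no parseable JSON, it matches accept-list entries by CVE id or GHSA id, and it guards against advisories with null ids. The block below is an added example written for this page, not the project's jq step, that implements those same three behaviours in Python over a constructed pnpm-audit-style report so the gate's decisions can be exercised offline. The JSON field names (`advisories`, `severity`, `module_name`, `cves`, `github_advisory_id`) are assumed to follow the npm-audit-v6 layout pnpm emits; the package names and GHSA ids in the sample are placeholders, with only the micromatch CVE id taken from the PR's accept list; and `run_gate` invokes the command the page says the workflow runs, without `--ignore-workspace`, which is the flag alignment the review asks for.

```python
"""Fail-closed High+ dependency audit gate over `pnpm audit --prod --json`.

Added example, not the chittyfinance project's security-gates.yml jq step.
It implements the three behaviours the review credits that step with:
fail closed when the audit output is not parseable JSON, match accept-list
entries by either CVE id or GHSA id, and never let an advisory without any
id slip through. Field names follow the npm-audit-v6 shape pnpm emits;
treat them as an assumption if your pnpm version differs.
"""
import json
import subprocess

GATED = {"high", "critical"}

# The command the page says the workflow runs (no --ignore-workspace, so a
# local run and the CI run audit the same graph).
AUDIT_CMD = ["pnpm", "audit", "--prod", "--json", "--ignore-registry-errors"]


def advisory_ids(adv):
    """All ids an accept-list entry may use: the GHSA id plus any CVE ids."""
    ids = set()
    if adv.get("github_advisory_id"):
        ids.add(adv["github_advisory_id"])
    ids.update(c for c in (adv.get("cves") or []) if c)
    return ids


def gate(audit_text, accept_list, gated=GATED):
    """Return (passed, blocking, accepted).

    passed is False when the input is not a JSON object with an
    `advisories` object (fail closed) or when any gated advisory is not
    on the accept list.
    """
    try:
        report = json.loads(audit_text)
    except (TypeError, ValueError):
        return False, [], []
    advisories = report.get("advisories") if isinstance(report, dict) else None
    if not isinstance(advisories, dict):
        return False, [], []

    blocking, accepted = [], []
    for adv in advisories.values():
        if adv.get("severity") not in gated:
            continue
        name = adv.get("module_name", "<unknown>")
        ids = advisory_ids(adv)
        # Null-id guard: an advisory with no id cannot be matched to the
        # accept list, so it blocks instead of being silently skipped.
        if ids and ids & set(accept_list):
            accepted.append(name)
        else:
            blocking.append(name)
    return not blocking, blocking, accepted


def run_gate(accept_list):
    """Run pnpm audit and gate its JSON. pnpm exits non-zero whenever it
    finds advisories, so only stdout is consulted, not the exit status."""
    proc = subprocess.run(AUDIT_CMD, capture_output=True, text=True)
    return gate(proc.stdout, accept_list)


# Constructed sample audit output (not real pnpm output). CVE-2026-4800 is the
# micromatch id the PR keeps on its accept list; the GHSA id paired with it
# here and every other id and package name are placeholders.
SAMPLE_AUDIT = json.dumps({
    "advisories": {
        "1": {"module_name": "micromatch", "severity": "high",
              "cves": ["CVE-2026-4800"], "github_advisory_id": "GHSA-aaaa-bbbb-cccc"},
        "2": {"module_name": "example-pkg", "severity": "high",
              "cves": [], "github_advisory_id": "GHSA-dddd-eeee-ffff"},
        "3": {"module_name": "other-pkg", "severity": "moderate",
              "cves": ["CVE-0000-00000"], "github_advisory_id": "GHSA-gggg-hhhh-iiii"},
        "4": {"module_name": "nameless-pkg", "severity": "critical",
              "cves": None, "github_advisory_id": None},
    },
    "metadata": {"vulnerabilities": {"moderate": 1, "high": 2, "critical": 1}},
})

if __name__ == "__main__":
    passed, blocking, accepted = gate(SAMPLE_AUDIT, {"CVE-2026-4800"})
    print("passed:", passed, "blocking:", blocking, "accepted:", accepted)
```

With the post-prune accept list (`{"CVE-2026-4800"}`) the sample fails: micromatch is accepted via its CVE id, the moderate advisory is below the gate, and both `example-pkg` (unaccepted) and `nameless-pkg` (no ids at all) block. Adding `GHSA-dddd-eeee-ffff` to the accept list clears `example-pkg` through the GHSA path and leaves only the id-less advisory, which is the case an accept-list match must never be able to waive.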
