fix(securirty): fix security

.github/workflows/check-vulnerabilities.yml

@@ -0,0 +1,42 @@
+name: 'Package Audit and Comment on Vulnerabilities'
+
+on:
+    pull_request:
+        branches:
+            - main
+        paths:
+            - '**/package.json'
+            - '**/pnpm-lock.yaml'
+
+jobs:
+    audit:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@v4
+
+            - name: Install dependencies
+              run: pnpm install
+
+            - name: Run pnpm audit
+              id: audit
+              run: |
+                  result=$(pnpm audit --json)
+                  echo "Audit result: $result"
+                  echo "$result" > audit-result.json
+                  if echo "$result" | grep -q '"advisory"'; then
+                    echo "Vulnerabilities found!"
+                    exit 1
+                  else
+                    echo "No vulnerabilities found."
+                  fi
+
+            - name: Post comment on PR if vulnerabilities found
+              if: failure()
+              uses: peter-evans/create-or-update-comment@v2
+              with:
+                  issue-number: ${{ github.event.pull_request.number }}
+                  body: |
+                      🚨 **Vulnerabilities Found** 🚨
+                      There are vulnerabilities detected during the `pnpm audit`. Please check the audit results.
+                      You can run `pnpm audit` locally to view more details.

.github/workflows/codeql.yml

@@ -50,4 +50,3 @@ jobs:
               uses: github/codeql-action/analyze@v3
               with:
                   category: '/language:${{matrix.language}}'
-

.github/workflows/publish-nt-css.yml

@@ -2,8 +2,7 @@ name: 'Publish NT CSS Framework'
 
 on:
     release:
-        branches:
-            - main
+        types: [created]
 
 jobs:
     build-and-publish:

.github/workflows/snyk.yml

@@ -1,22 +1,22 @@
 name: Snyk Security Check
 on:
-  push:
-  pull_request:
+    push:
+    pull_request:
 
 jobs:
-  security:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - name: Set up Node.js
-        uses: actions/setup-node@v3
-        with:
-          node-version: '20'
-      - name: Install pnpm
-        run: npm install -g pnpm
-      - name: Install dependencies with pnpm
-        run: pnpm install --no-frozen-lockfile
-      - name: Run Snyk to check for vulnerabilities
-        uses: snyk/actions/node@master
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+    security:
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v3
+            - name: Set up Node.js
+              uses: actions/setup-node@v3
+              with:
+                  node-version: '20'
+            - name: Install pnpm
+              run: npm install -g pnpm
+            - name: Install dependencies with pnpm
+              run: pnpm install --no-frozen-lockfile
+            - name: Run Snyk to check for vulnerabilities
+              uses: snyk/actions/node@master
+              env:
+                  SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

apps/nt-stylesheet/package.json

@@ -39,6 +39,7 @@
         "nx": "^20.2.2",
         "typescript": "^5.7.2",
         "vite": "^5.4.11",
+        "vite-plugin-dts": "^4.4.0",
         "vite-plugin-sass-dts": "^1.3.29",
         "vitest": "2.0.0"
     },
@@ -48,8 +49,7 @@
         "postcss": "^8.4.49",
         "postcss-import": "^16.1.0",
         "postcss-nesting": "^13.0.1",
-        "tailwindcss": "^3.4.16",
-        "vite-plugin-dts": "^4.4.0"
+        "tailwindcss": "^3.4.16"
     },
     "publishConfig": {
         "access": "public"