From 5b06b617e5a0220de07d59c3ec02225f20782020 Mon Sep 17 00:00:00 2001
From: Fred Visser <1458528+fredvisser@users.noreply.github.com>
Date: Wed, 13 Mar 2024 12:45:14 -0500
Subject: [PATCH 1/5] Add dependency review check

---
 .github/workflows/dependency-review.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 .github/workflows/dependency-review.yml

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000000..f0b0eb07d8
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,14 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@v4
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v4
\ No newline at end of file

From 55c3bd14bf6daf4fbad74e6d64cc33da6ce04c6f Mon Sep 17 00:00:00 2001
From: Fred Visser <1458528+fredvisser@users.noreply.github.com>
Date: Mon, 18 Mar 2024 13:53:59 -0500
Subject: [PATCH 2/5] add summary in PR

---
 .github/workflows/dependency-review.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index f0b0eb07d8..32974f3bec 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -11,4 +11,6 @@ jobs:
 - name: 'Checkout Repository'
 uses: actions/checkout@v4
 - name: 'Dependency Review'
- uses: actions/dependency-review-action@v4
\ No newline at end of file
+ uses: actions/dependency-review-action@v4
+ with:
+ comment-summary-in-pr: always
\ No newline at end of file

From b965acb33daedf487967828f968258ce3822bfbe Mon Sep 17 00:00:00 2001
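Review bot: Both `uses:` lines in the new dependency-review.yml reference the actions by the floating major tag `@v4`, so a compromised or force-moved tag would run arbitrary code in this repository's CI; for a workflow whose whole purpose is supply-chain hygiene, pin each action to its full 40-character commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, and let Dependabot's `github-actions` ecosystem bump the pins. The review step also runs with the action's default severity threshold and no license policy, which is presumably fine as a first cut, but an explicit `fail-on-severity:` (plus `allow-licenses:`/`deny-licenses:` if license compliance matters here) under `with:` makes the gate's intent reviewable rather than implicit. As documented by the action, it needs the repository's dependency graph enabled; if that is not already on, the step will fail on every PR, so it is worth a one-line comment above the step saying so.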
From: Fred Visser <1458528+fredvisser@users.noreply.github.com> Date: Mon, 18 Mar 2024 15:26:02 -0500 Subject: [PATCH 3/5] fix permissions --- .github/workflows/dependency-review.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 32974f3bec..a208388597 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -3,6 +3,7 @@ on: [pull_request] permissions: contents: read + pull-requests: write jobs: dependency-review: From 2ca6b1d4c2ef1aa8657ea08c150b048b26b9b357 Mon Sep 17 00:00:00 2001 From: Fred Visser <1458528+fredvisser@users.noreply.github.com> Date: Mon, 18 Mar 2024 16:58:22 -0500 Subject: [PATCH 4/5] remove npm audit and doc updates --- .github/workflows/main.yml | 5 ----- CONTRIBUTING.md | 6 +++--- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 7ab04208e6..4bc5b6ef05 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -58,11 +58,6 @@ jobs: # only informational so swallow error codes - run: npm outdated || exit 0 - # Audit - - run: npm audit --only=prod - # https://github.com/ni/nimble/issues/801 - # - run: npm audit --audit-level=critical - # Build - run: npm run build diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b6570fceeb..8003ae7ad3 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
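Review bot: `pull-requests: write` is added at the workflow level, so every job and step in this file (including `actions/checkout`) now runs with a token that can write to pull requests, although only the summary-comment step needs it; move the grant under the job instead, i.e. delete the top-level `permissions:` block and add `permissions:` / `  contents: read` / `  pull-requests: write` directly beneath `dependency-review:`, which keeps the top-level default at read-only. Separately, for `pull_request` events from forks GitHub issues a read-only `GITHUB_TOKEN` regardless of this block, so the PR comment will presumably not be posted for external contributors; as far as I can tell the action still reports pass/fail through the check itself, but that is worth confirming before relying on the comment as the only feedback channel. The `jobs:` mapping this hunk touches continues outside the hunk.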
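Review bot: Removing `- run: npm audit --only=prod` from main.yml leaves a coverage gap that the new Dependency Review workflow does not close: as documented, `actions/dependency-review-action` only evaluates the dependency changes between a pull request's base and head, so a newly published advisory against a package already in the lockfile no longer fails any CI run, and nothing audits pushes to the default branch at all. The companion CONTRIBUTING.md text in this same commit still says the check can fail on an unrelated PR when a vulnerability is reported on an existing dependency; that described `npm audit` and is no longer accurate for the replacement. If the intent is to rely on Dependabot alerts for the existing tree, say so in CONTRIBUTING.md; otherwise keep an audit for the full tree, for example a separate `on: schedule:` workflow running `npm audit --omit=dev --audit-level=high` (`--only=prod` is the deprecated spelling on npm 8+). The `steps:` list this hunk edits begins and ends outside the hunk.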
@@ -79,9 +79,9 @@ When generating a change file, follow these guidelines: 2. Write a brief but useful description with Nimble clients in mind. If making a major (breaking) change, explain what clients need to do to adopt it. The description can be plain text or [markdown](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax), with newlines specified via `\n` if needed. 3. If you prefer not to expose your email address to the world, [configure GitHub to "Keep my email address private"](https://github.com/settings/emails) before generating the change file. -### NPM audit +### Dependency Review -The repository runs [`npm audit`](https://docs.npmjs.com/cli/v8/commands/npm-audit) to prevent submissions if any dependencies have known vulnerabilities. This can occur during on a PR that introduces a new dependency version or on an unrelated PR if a vulnerability was recently reported on an existing dependency. If this check fails, our options include: +The repository runs the [Dependency Review](https://github.com/actions/dependency-review-action) action to prevent submissions if any dependencies have known vulnerabilities. This can occur during on a PR that introduces a new dependency version or on an unrelated PR if a vulnerability was recently reported on an existing dependency. If this check fails, our options include: #### Vulnerabilities with fixes available 
@@ -93,7 +93,7 @@ The repository runs [`npm audit`](https://docs.npmjs.com/cli/v8/commands/npm-aud If a fix for the vulnerability isn't available or if it isn't practical to uptake the fix, our options include: 1. Remove the vulnerable dependency and find a different way to achieve the same functionality. -2. Temporarily use a more lenient [audit level](https://docs.npmjs.com/cli/v8/commands/npm-audit#audit-level) for this repository (e.g. allowing `low` or `moderate` vulnerabilities). We should ensure there is an issue on the dependency's repository asking them to fix the vulnerability and also file an issue against this repository to track fixing the vulnerability and restoring strict auditing. +2. Dismiss the alert in the [GitHub Security - Dependabot](https://github.com/ni/nimble/security/dependabot) dashboard, and document your rationale for doing so. We should ensure there is an issue on the dependency's repository asking them to fix the vulnerability and also file an issue against this repository to track fixing the vulnerability and restoring strict auditing. ### Chromatic visual component tests From b6042ef885608e39c6696de65d4aad3e2b637299 Mon Sep 17 00:00:00 2001 From: Fred Visser <1458528+fredvisser@users.noreply.github.com> Date: Tue, 26 Mar 2024 08:18:01 -0500 Subject: [PATCH 5/5] comment-summary-in-pr: on-failure --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index a208388597..c6e603f450 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -14,4 +14,4 @@ jobs: - name: 'Dependency Review' uses: actions/dependency-review-action@v4 with: - comment-summary-in-pr: always \ No newline at end of file + comment-summary-in-pr: on-failure