deno run audit task missing --allow-env flag
Opened by stack72 · 4/8/2026 · Shipped 4/8/2026
Summary
The audit task in deno.json fails at the end of a successful scan because
scripts/audit_deps.ts reads the GITHUB_STEP_SUMMARY env var but the task
doesn't grant --allow-env.
Reproduction
$ deno run audit
Task audit deno run --allow-read --allow-net=api.osv.dev scripts/audit_deps.ts && deno outdated
Found 984 npm packages in evals/promptfoo/package-lock.json
Scanning 1056 npm packages for vulnerabilities…
error: Uncaught (in promise) NotCapable: Requires env access to "GITHUB_STEP_SUMMARY", run again with the --allow-env flag
const summaryFile = Deno.env.get("GITHUB_STEP_SUMMARY");
^
at Object.getEnv [as get] (ext:deno_os/30_os.js:124:10)
at writeGitHubSummary (file:///.../scripts/audit_deps.ts:245:32)
at main (file:///.../scripts/audit_deps.ts:403:9)

The scan completes successfully — the crash is in writeGitHubSummary at the
end. This means the task exit code is non-zero even when there are no
vulnerabilities, which will break any local or CI consumer that checks the
exit code.
Root Cause
scripts/audit_deps.ts:245 calls Deno.env.get("GITHUB_STEP_SUMMARY") but
the audit task in deno.json is defined as:
deno run --allow-read --allow-net=api.osv.dev scripts/audit_deps.ts

No --allow-env is granted.
Proposed Fix
Add --allow-env=GITHUB_STEP_SUMMARY (scoped) or --allow-env (broad) to
the audit task in deno.json. Scoped is preferable for least-privilege.
Environment
- Discovered while verifying PR #1141 (hono dependency bump). The scan output itself was correct — "No known vulnerabilities found" — but the task exited non-zero.
- swamp git sha: 06888df
Workaround
Run the script directly with explicit flags:
deno run --allow-read --allow-net=api.osv.dev --allow-env scripts/audit_deps.ts
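
Added example, not code from the swamp repository or from this issue: one way to keep an optional summary step from changing the scan's exit code is to query the scoped env permission before reading the variable. The names Runtime, denoRuntime and writeSummaryIfAllowed are hypothetical; GITHUB_STEP_SUMMARY and the Deno calls inside denoRuntime() are real.

```typescript
// Added example. Helper names are hypothetical; the runtime is injected so the
// logic can be exercised without Deno or real permissions.
type PermState = "granted" | "denied" | "prompt";

interface Runtime {
  envPermission(variable: string): PermState;
  getEnv(variable: string): string | undefined;
  appendText(path: string, text: string): void;
}

// Adapter over Deno's permission, env and file APIs. Only call this under Deno.
function denoRuntime(): Runtime {
  // deno-lint-ignore no-explicit-any
  const D = (globalThis as any).Deno;
  return {
    envPermission: (variable) =>
      D.permissions.querySync({ name: "env", variable }).state,
    getEnv: (variable) => D.env.get(variable),
    // Appending to a file also requires write permission under Deno.
    appendText: (path, text) => D.writeTextFileSync(path, text, { append: true }),
  };
}

type SummaryResult =
  | "written"
  | "skipped-no-env-permission"
  | "skipped-not-in-actions";

const SUMMARY_VAR = "GITHUB_STEP_SUMMARY";

function writeSummaryIfAllowed(markdown: string, rt: Runtime): SummaryResult {
  // Query first: reading the variable without env access throws NotCapable,
  // which is the crash shown in the reproduction.
  if (rt.envPermission(SUMMARY_VAR) !== "granted") {
    return "skipped-no-env-permission";
  }
  const path = rt.getEnv(SUMMARY_VAR);
  // Unset outside GitHub Actions: nothing to write, and not an error.
  if (!path) return "skipped-not-in-actions";
  rt.appendText(path, markdown + "\n");
  return "written";
}
```

Under Deno the caller would pass denoRuntime() and log the returned status, so a skipped summary is visible without affecting the exit code of the scan.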