fix audit running on pull requests not touching dependencies #5879
| on: | ||
| pull_request: | ||
| paths: | ||
| - package.json |
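Review bot: the `paths` filter at `- package.json` misses dependency changes made only in the lockfile, and conversely fires on package.json edits unrelated to dependencies; as the thread below notes, yarn.lock is always updated in a PR that bumps or adds a dependency and can change without package.json changing. Suggest listing both files, or only the lockfile:
  - package.json
  - yarn.lock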
We should probably add yarn.lock as well
Or maybe just the lock file 🤔
The lockfile is only used for local development, not when installing the library.
I know, but this is about looking for a signal of when the dependencies change, so we know to run the audit. And in development, we always update the lock file in a PR if we bump or add a dependency. You can even update the lock file without updating package.json - something we also want to catch, so the correct line here would be:
| - package.json | |
| - yarn.lock |
At that point, shouldn't we just use the lockfile? As you said we always update it when changing dependencies, and it would also allow changes to package.json that are unrelated to dependencies to not trigger the audit.
I just realized that the suggested change is exactly that.
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| - uses: ./.github/actions/node/active-lts | ||
| - run: yarn audit --groups dependencies |
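Review bot: `yarn audit --groups dependencies` on the `run:` line restricts the audit to the runtime `dependencies` group, so advisories that only affect devDependencies will no longer fail this check; the thread below records that the flag was added the same day as a stop-gap to unblock PRs, not as a deliberate scoping decision. Suggest either dropping it or adding a comment above the `run:` line stating why devDependencies are excluded, so the narrowed scope is not silently inherited. The pinned checkout SHA with its `# v4.2.2` comment is the right pattern and should stay.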
Should we remove the --groups flag?
I don't know, I just kept what was already there, and the change to pick only dependencies seemed to be popular when it was discussed this morning.
Actually I would say let's decide that outside the scope of this PR as it preserves the current behaviour.
I added the --groups dependencies just earlier today to get around the issue that blocked all PRs from being merged. It had not been there before.
But feel free to leave it - I just wanted to make sure you had the context.
What does this PR do?
Fix audit running on pull requests not touching dependencies.
Motivation
Otherwise, whenever a new vulnerability is detected, all PRs become blocked until we fix the vulnerability. With this change, only PRs that touch package.json will be affected.