
Add Dependency Security Audit workflow #4 (#5)

Open
olatechpro wants to merge 2 commits into development from dependency-security-audit

Conversation


@olatechpro olatechpro commented May 18, 2026

The workflow should run on PRs/commits to detect vulnerable dependencies (Composer packages). Flags packages with known security issues before they reach production. fix #4

The workflow is tested here: https://github.com/publishpress/publishpress-cart/pull/191

@olatechpro olatechpro requested a review from andergmartins May 18, 2026 08:55
@olatechpro (Author)

Hi @andergmartins, while testing this workflow on Cart (https://github.com/publishpress/publishpress-cart/pull/191), it's flagging a vulnerability in the publishpress/dev-workspace package.

The reported advisory is not coming from plugin runtime code but from a dev dependency chain in the lockfile:

publishpress/dev-workspace
-> wp-cli/wp-cli-bundle
-> wp-cli/package-command
-> composer/composer 2.9.7

You can see the failure on the link shared above.

So there are two possible directions:

  1. Keep the workflow auditing all dependencies, including dev tooling
    In this case, we need to make a fix in publishpress/dev-workspace, and then we refresh the Cart lockfile with a composer update.

  2. Limit this workflow to production dependencies only
    In this case, I can change the shared workflow from:
    composer audit --locked
    to:
    composer audit --locked --no-dev

That would align the workflow with shipped dependency risk, and avoid failures caused only by CI/dev tooling packages.

Please confirm which policy we want for this workflow:

  • audit all dependencies, including dev
  • audit production dependencies only
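The two directions above differ only in whether `--no-dev` is passed to `composer audit`. As an added example (not the PR's own workflow), here is a reusable workflow that exposes that policy choice as an input, so callers opt in to auditing dev tooling instead of editing the shared command; the `audit_dev` input name, the file paths and the `SHARED-WORKFLOWS-REPO` placeholder are assumptions.

```yaml
# Added example, not the workflow from this PR.
# Assumed path: .github/workflows/dependency-security-audit.yml
name: Dependency Security Audit

on:
  workflow_call:
    inputs:
      audit_dev:
        description: "Also audit require-dev packages (CI/dev tooling)"
        type: boolean
        default: false   # direction 2: production dependencies only

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: shivammathur/setup-php@v2
        with:
          php-version: "8.2"
          tools: composer

      # --locked audits composer.lock without installing anything, so the
      # result reflects the exact versions that would ship. --no-dev drops
      # the require-dev chain (e.g. dev-workspace -> wp-cli-bundle -> composer).
      - name: Audit dependencies
        run: |
          if [ "${{ inputs.audit_dev }}" = "true" ]; then
            composer audit --locked
          else
            composer audit --locked --no-dev
          fi

---
# Caller side (assumed path .github/workflows/ci.yml in the plugin repo).
# Set audit_dev: true for direction 1; leave it at the default for direction 2.
name: CI
on: [push, pull_request]
jobs:
  security-audit:
    uses: publishpress/SHARED-WORKFLOWS-REPO/.github/workflows/dependency-security-audit.yml@main
    with:
      audit_dev: false
```

With this layout, choosing direction 1 for a single plugin is a one-line change in that plugin's caller rather than a change to the shared workflow.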


Development

Successfully merging this pull request may close these issues.

Add reusable Dependency Security Audit workflow
