diff --git a/.circleci/config.yml b/.circleci/config.yml index 59fe8db6ce..551dcde251 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -5,17 +5,33 @@ commands: port: type: integer steps: - - run: sleep 5 - run: shell: /bin/sh command: | - wget --retry-connrefused --waitretry=1 --read-timeout=120 --timeout=120 -t 100 http://localhost:<> + wget --retry-connrefused --waitretry=1 --read-timeout=120 --timeout=120 -t 300 http://localhost:<> : jobs: + job-audit: + working_directory: ~/repo + docker: + - image: synthetixio/docker-sec-tools:14.17-ubuntu + auth: + username: $DOCKERHUB_USERNAME + password: $DOCKERHUB_TOKEN + steps: + - checkout + - run: + name: Audit dependencies + command: | + npm audit --audit-level=critical + - run: + name: Lint lockfile + command: | + lockfile-lint -p package-lock.json --type npm --allowed-hosts npm github.com --allowed-schemes "https:" "git+ssh:" job-compile: working_directory: ~/repo docker: - - image: synthetixio/docker-node:14.16-focal + - image: synthetixio/docker-node:14.17-ubuntu auth: username: $DOCKERHUB_USERNAME password: $DOCKERHUB_TOKEN @@ -29,7 +45,7 @@ jobs: job-fork-tests: working_directory: ~/repo docker: - - image: synthetixio/docker-node:14.16-focal + - image: synthetixio/docker-node:14.17-ubuntu auth: username: $DOCKERHUB_USERNAME password: $DOCKERHUB_TOKEN @@ -54,7 +70,7 @@ jobs: job-integration-tests: working_directory: ~/repo machine: - image: ubuntu-2004:202104-01 + image: ubuntu-2004:202107-02 docker_layer_caching: true resource_class: large steps: @@ -99,7 +115,7 @@ jobs: job-lint: working_directory: ~/repo docker: - - image: synthetixio/docker-node:14.16-focal + - image: synthetixio/docker-node:14.17-ubuntu auth: username: $DOCKERHUB_USERNAME password: $DOCKERHUB_TOKEN 
@@ -111,7 +127,7 @@ jobs: job-pack-browser: working_directory: ~/repo docker: - - image: synthetixio/docker-node:14.16-focal + - image: synthetixio/docker-node:14.17-ubuntu auth: username: $DOCKERHUB_USERNAME password: $DOCKERHUB_TOKEN @@ -125,28 +141,37 @@ jobs: job-prepare: working_directory: ~/repo docker: - - image: synthetixio/docker-node:14.16-focal + - image: synthetixio/docker-node:14.17-ubuntu auth: username: $DOCKERHUB_USERNAME password: $DOCKERHUB_TOKEN steps: - checkout + - attach_workspace: + at: . - restore_cache: keys: - v4-dependencies-{{ checksum "package-lock.json" }} - - run: npm install + - run: + name: Set custom npm cache directory + command: npm config set cache .npm-cache --global + - run: + name: Install dependencies + command: npm install --prefer-offline --no-audit - save_cache: key: v4-dependencies-{{ checksum "package-lock.json" }} paths: - node_modules + - .npm-cache - persist_to_workspace: root: . paths: - node_modules + - .npm-cache job-simulate-release: working_directory: ~/repo docker: - - image: synthetixio/docker-node:14.16-focal + - image: synthetixio/docker-node:14.17-ubuntu auth: username: $DOCKERHUB_USERNAME password: $DOCKERHUB_TOKEN @@ -169,7 +194,7 @@ jobs: job-static-analysis: working_directory: ~/repo docker: - - image: synthetixio/docker-node:14.16-focal + - image: synthetixio/docker-node:14.17-ubuntu auth: username: $DOCKERHUB_USERNAME password: $DOCKERHUB_TOKEN @@ -186,7 +211,7 @@ jobs: job-test-deploy-script: working_directory: ~/repo docker: - - image: synthetixio/docker-node:14.16-focal + - image: synthetixio/docker-node:14.17-ubuntu auth: username: $DOCKERHUB_USERNAME password: $DOCKERHUB_TOKEN @@ -212,7 +237,7 @@ jobs: job-unit-tests-coverage-report: working_directory: ~/repo docker: - - image: synthetixio/docker-node:14.16-focal + - image: synthetixio/docker-sec-tools:14.17-ubuntu auth: username: $DOCKERHUB_USERNAME password: $DOCKERHUB_TOKEN 
@@ -224,11 +249,11 @@ jobs: name: Upload coverage command: | cp -R /tmp/coverage/coverage-*.json . - bash <(curl -s https://codecov.io/bash) + codecov -t $CODECOV_TOKEN job-unit-tests-coverage: working_directory: ~/repo docker: - - image: synthetixio/docker-node:14.16-focal + - image: synthetixio/docker-node:14.17-ubuntu auth: username: $DOCKERHUB_USERNAME password: $DOCKERHUB_TOKEN @@ -258,7 +283,7 @@ jobs: job-unit-tests-gas-report: working_directory: ~/repo docker: - - image: synthetixio/docker-node:14.16-focal + - image: synthetixio/docker-node:14.17-ubuntu auth: username: $DOCKERHUB_USERNAME password: $DOCKERHUB_TOKEN @@ -270,13 +295,16 @@ jobs: name: Upload gas reports command: | npx hardhat test:merge-gas-reports gasReporterOutput-*.json + if [ "${CIRCLE_BRANCH}" != "master" ]; then + git branch -f master origin/master + fi npx codechecks codechecks.unit.yml - store_artifacts: path: gasReporterOutput.json job-unit-tests: working_directory: ~/repo docker: - - image: synthetixio/docker-node:14.16-focal + - image: synthetixio/docker-node:14.17-ubuntu auth: username: $DOCKERHUB_USERNAME password: $DOCKERHUB_TOKEN @@ -308,7 +336,7 @@ jobs: job-validate-deployments: working_directory: ~/repo docker: - - image: synthetixio/docker-node:14.16-focal + - image: synthetixio/docker-node:14.17-ubuntu auth: username: $DOCKERHUB_USERNAME password: $DOCKERHUB_TOKEN @@ -327,7 +355,7 @@ jobs: job-validate-etherscan: working_directory: ~/repo docker: - - image: synthetixio/docker-node:14.16-focal + - image: synthetixio/docker-node:14.17-ubuntu auth: username: $DOCKERHUB_USERNAME password: $DOCKERHUB_TOKEN @@ -342,7 +370,10 @@ jobs: workflows: workflow-all: jobs: - - job-prepare + - job-audit + - job-prepare: + requires: + - job-audit - job-lint: requires: - job-prepare diff --git a/.circleci/src/commands/cmd-wait-for-port.yml b/.circleci/src/commands/cmd-wait-for-port.yml index 4a21463605..b5e90219bc 100644 --- a/.circleci/src/commands/cmd-wait-for-port.yml 
+++ b/.circleci/src/commands/cmd-wait-for-port.yml @@ -3,9 +3,8 @@ parameters: port: type: integer steps: - - run: sleep 5 - run: shell: /bin/sh command: | - wget --retry-connrefused --waitretry=1 --read-timeout=120 --timeout=120 -t 100 http://localhost:<> + wget --retry-connrefused --waitretry=1 --read-timeout=120 --timeout=120 -t 300 http://localhost:<> : diff --git a/.circleci/src/jobs/job-audit.yml b/.circleci/src/jobs/job-audit.yml new file mode 100644 index 0000000000..61d2f17331 --- /dev/null +++ b/.circleci/src/jobs/job-audit.yml @@ -0,0 +1,12 @@ +# Bootstraps dependencies +{{> job-header-sec-tools.yml}} +steps: + - checkout + - run: + name: Audit dependencies + command: | + npm audit --audit-level=critical + - run: + name: Lint lockfile + command: | + lockfile-lint -p package-lock.json --type npm --allowed-hosts npm github.com --allowed-schemes "https:" "git+ssh:" diff --git a/.circleci/src/jobs/job-compile.yml b/.circleci/src/jobs/job-compile.yml index 6b6088baf2..43e6b4f091 100644 --- a/.circleci/src/jobs/job-compile.yml +++ b/.circleci/src/jobs/job-compile.yml @@ -1,5 +1,5 @@ # Compiles all contracts and fails with oversized contracts -{{> job-header.yml}} +{{> job-header-node.yml}} steps: - checkout - attach_workspace: diff --git a/.circleci/src/jobs/job-fork-tests.yml b/.circleci/src/jobs/job-fork-tests.yml index 8d20c3b595..518edec476 100644 --- a/.circleci/src/jobs/job-fork-tests.yml +++ b/.circleci/src/jobs/job-fork-tests.yml @@ -1,5 +1,5 @@ # Starts a fork of mainnet, deploys the latest release, and runs L1 integration tests -{{> job-header.yml}} +{{> job-header-node.yml}} steps: - checkout - attach_workspace: diff --git a/.circleci/src/jobs/job-lint.yml b/.circleci/src/jobs/job-lint.yml index bdc2b038a4..ec3e0982ef 100644 --- a/.circleci/src/jobs/job-lint.yml +++ b/.circleci/src/jobs/job-lint.yml @@ -1,5 +1,5 @@ # Runs all linters -{{> job-header.yml}} +{{> job-header-node.yml}} steps: - checkout - attach_workspace: 
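Review bot: The audit step in the new job-audit.yml fails only on critical advisories (`npm audit --audit-level=critical`), so a high-severity advisory in a runtime dependency passes the gate unnoticed. Consider `npm audit --audit-level=high --production` for the blocking check, or add a comment recording why critical was chosen. The lockfile lint also allows `git+ssh:` and `github.com`, and git-resolved lockfile entries typically carry no `integrity` hash; if no dependency needs them, the options could be narrowed to `--allowed-hosts npm --validate-https`. The header comment `# Bootstraps dependencies` looks copied from job-prepare.yml and should read something like `# Audits dependencies and lints the lockfile`. The same steps appear in the generated .circleci/config.yml.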
diff --git a/.circleci/src/jobs/job-pack-browser.yml b/.circleci/src/jobs/job-pack-browser.yml index 88255f6ce2..a3cae17c61 100644 --- a/.circleci/src/jobs/job-pack-browser.yml +++ b/.circleci/src/jobs/job-pack-browser.yml @@ -1,5 +1,5 @@ # Packs js code for browser usage -{{> job-header.yml}} +{{> job-header-node.yml}} steps: - checkout - attach_workspace: diff --git a/.circleci/src/jobs/job-prepare.yml b/.circleci/src/jobs/job-prepare.yml index 315bc9fcf4..81010c7629 100644 --- a/.circleci/src/jobs/job-prepare.yml +++ b/.circleci/src/jobs/job-prepare.yml @@ -1,18 +1,27 @@ # Bootstraps dependencies -{{> job-header.yml}} +{{> job-header-node.yml}} # set custom delimiter to avoid checksum parsing {{=<% %>=}} steps: - checkout + - attach_workspace: + at: . - restore_cache: keys: - v4-dependencies-{{ checksum "package-lock.json" }} - - run: npm install + - run: + name: Set custom npm cache directory + command: npm config set cache .npm-cache --global + - run: + name: Install dependencies + command: npm install --prefer-offline --no-audit - save_cache: key: v4-dependencies-{{ checksum "package-lock.json" }} paths: - node_modules + - .npm-cache - persist_to_workspace: root: . paths: - node_modules + - .npm-cache diff --git a/.circleci/src/jobs/job-simulate-release.yml b/.circleci/src/jobs/job-simulate-release.yml index dfa5d7fe59..130c284576 100644 --- a/.circleci/src/jobs/job-simulate-release.yml +++ b/.circleci/src/jobs/job-simulate-release.yml @@ -1,5 +1,5 @@ # Starts a fork of mainnet, deploys the latest release, and runs L1 integration tests -{{> job-header.yml}} +{{> job-header-node.yml}} steps: - checkout - attach_workspace: diff --git a/.circleci/src/jobs/job-static-analysis.yml b/.circleci/src/jobs/job-static-analysis.yml index ed72c6b2f2..b9d206726e 100644 --- a/.circleci/src/jobs/job-static-analysis.yml +++ b/.circleci/src/jobs/job-static-analysis.yml 
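Review bot: The install step in job-prepare.yml runs `npm install --prefer-offline --no-audit`, which may re-resolve versions and rewrite package-lock.json, so the installed tree is not guaranteed to match the lockfile that job-audit just linted and audited. `command: npm ci --prefer-offline --no-audit` installs exactly what the lockfile records and fails when it disagrees with package.json. Note that `npm ci` removes node_modules before installing, so the `node_modules` entry under `save_cache` would stop helping and `.npm-cache` would carry the speed-up. The same steps appear in the generated .circleci/config.yml.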
@@ -1,5 +1,5 @@ # Runs all static analysis checks -{{> job-header.yml}} +{{> job-header-node.yml}} steps: - checkout - attach_workspace: diff --git a/.circleci/src/jobs/job-test-deploy-script.yml b/.circleci/src/jobs/job-test-deploy-script.yml index 301da8324e..960609b3e2 100644 --- a/.circleci/src/jobs/job-test-deploy-script.yml +++ b/.circleci/src/jobs/job-test-deploy-script.yml @@ -1,5 +1,5 @@ # Validates that the deploy command is working as expected -{{> job-header.yml}} +{{> job-header-node.yml}} resource_class: large steps: - checkout diff --git a/.circleci/src/jobs/job-unit-tests-coverage-report.yml b/.circleci/src/jobs/job-unit-tests-coverage-report.yml index 73b718ed09..ad47a7e8c2 100644 --- a/.circleci/src/jobs/job-unit-tests-coverage-report.yml +++ b/.circleci/src/jobs/job-unit-tests-coverage-report.yml @@ -1,5 +1,5 @@ # Measures unit and spec test coverage -{{> job-header.yml}} +{{> job-header-sec-tools.yml}} steps: - checkout - attach_workspace: @@ -8,4 +8,4 @@ steps: name: Upload coverage command: | cp -R /tmp/coverage/coverage-*.json . - bash <(curl -s https://codecov.io/bash) + codecov -t $CODECOV_TOKEN diff --git a/.circleci/src/jobs/job-unit-tests-coverage.yml b/.circleci/src/jobs/job-unit-tests-coverage.yml index 409d4b55f3..63cc766ad1 100644 --- a/.circleci/src/jobs/job-unit-tests-coverage.yml +++ b/.circleci/src/jobs/job-unit-tests-coverage.yml @@ -1,5 +1,5 @@ # Measures unit and spec test coverage -{{> job-header.yml}} +{{> job-header-node.yml}} resource_class: large parallelism: 8 steps: diff --git a/.circleci/src/jobs/job-unit-tests-gas-report.yml b/.circleci/src/jobs/job-unit-tests-gas-report.yml index 88e28de7fa..2b32bcdafd 100644 --- a/.circleci/src/jobs/job-unit-tests-gas-report.yml +++ b/.circleci/src/jobs/job-unit-tests-gas-report.yml @@ -1,5 +1,5 @@ # Measures deployment and transaction gas usage in unit tests -{{> job-header.yml}} +{{> job-header-node.yml}} steps: - checkout - attach_workspace: 
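Review bot: In the Upload coverage step of job-unit-tests-coverage-report.yml, `codecov -t $CODECOV_TOKEN` passes the token unquoted on the command line, where it is visible in the process arguments and subject to word splitting. If the `codecov` binary shipped in the sec-tools image reads `CODECOV_TOKEN` from the environment (the Codecov uploaders generally do, but confirm for this image), the flag can be dropped and the line becomes `codecov`. Otherwise quote it: `codecov -t "$CODECOV_TOKEN"`. The same line appears in the generated .circleci/config.yml.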
@@ -8,6 +8,10 @@ steps: name: Upload gas reports command: | npx hardhat test:merge-gas-reports gasReporterOutput-*.json + # required for codechecks + if [ "${CIRCLE_BRANCH}" != "master" ]; then + git branch -f master origin/master + fi npx codechecks codechecks.unit.yml - store_artifacts: path: gasReporterOutput.json diff --git a/.circleci/src/jobs/job-unit-tests.yml b/.circleci/src/jobs/job-unit-tests.yml index 661351f23d..4aa4bb18df 100644 --- a/.circleci/src/jobs/job-unit-tests.yml +++ b/.circleci/src/jobs/job-unit-tests.yml @@ -1,5 +1,5 @@ # Runs all unit and spec tests -{{> job-header.yml}} +{{> job-header-node.yml}} resource_class: large parallelism: 8 steps: diff --git a/.circleci/src/jobs/job-validate-deployments.yml b/.circleci/src/jobs/job-validate-deployments.yml index f50c3667e0..c9809e3243 100644 --- a/.circleci/src/jobs/job-validate-deployments.yml +++ b/.circleci/src/jobs/job-validate-deployments.yml @@ -1,5 +1,5 @@ # Validates deployment json data against on-chain data -{{> job-header.yml}} +{{> job-header-node.yml}} steps: - checkout - attach_workspace: diff --git a/.circleci/src/jobs/job-validate-etherscan.yml b/.circleci/src/jobs/job-validate-etherscan.yml index 0a32423f13..54c08cd008 100644 --- a/.circleci/src/jobs/job-validate-etherscan.yml +++ b/.circleci/src/jobs/job-validate-etherscan.yml @@ -1,5 +1,5 @@ # Validates that sources have been verified in etherscan -{{> job-header.yml}} +{{> job-header-node.yml}} parameters: network: type: string diff --git a/.circleci/src/snippets/job-header-machine.yml b/.circleci/src/snippets/job-header-machine.yml index 3324e59b9b..7379e5e4de 100644 --- a/.circleci/src/snippets/job-header-machine.yml +++ b/.circleci/src/snippets/job-header-machine.yml @@ -1,4 +1,4 @@ working_directory: ~/repo machine: - image: ubuntu-2004:202104-01 + image: ubuntu-2004:202107-02 docker_layer_caching: true 
diff --git a/.circleci/src/snippets/job-header.yml b/.circleci/src/snippets/job-header-node.yml similarity index 70% rename from .circleci/src/snippets/job-header.yml rename to .circleci/src/snippets/job-header-node.yml index f6501ee49a..702dff673e 100644 --- a/.circleci/src/snippets/job-header.yml +++ b/.circleci/src/snippets/job-header-node.yml @@ -1,6 +1,6 @@ working_directory: ~/repo docker: - - image: synthetixio/docker-node:14.16-focal + - image: synthetixio/docker-node:14.17-ubuntu auth: username: $DOCKERHUB_USERNAME password: $DOCKERHUB_TOKEN diff --git a/.circleci/src/snippets/job-header-sec-tools.yml b/.circleci/src/snippets/job-header-sec-tools.yml new file mode 100644 index 0000000000..d95981077f --- /dev/null +++ b/.circleci/src/snippets/job-header-sec-tools.yml @@ -0,0 +1,6 @@ +working_directory: ~/repo +docker: + - image: synthetixio/docker-sec-tools:14.17-ubuntu + auth: + username: $DOCKERHUB_USERNAME + password: $DOCKERHUB_TOKEN diff --git a/.circleci/src/snippets/require-audit.yml b/.circleci/src/snippets/require-audit.yml new file mode 100644 index 0000000000..28c7d02cd5 --- /dev/null +++ b/.circleci/src/snippets/require-audit.yml @@ -0,0 +1,2 @@ +requires: + - job-audit diff --git a/.circleci/src/workflows/workflow-all.yml b/.circleci/src/workflows/workflow-all.yml index 9fe2cd3d31..952ea16c09 100644 --- a/.circleci/src/workflows/workflow-all.yml +++ b/.circleci/src/workflows/workflow-all.yml @@ -2,7 +2,9 @@ jobs: # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Basic # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - job-prepare + - job-audit + - job-prepare: + {{> require-audit.yml}} - job-lint: {{> require-prepare.yml}} - job-compile: diff --git a/.npmrc b/.npmrc new file mode 100644 index 0000000000..cffe8cdef1 --- /dev/null +++ b/.npmrc @@ -0,0 +1 @@ +save-exact=true diff --git a/codecov.yml b/codecov.yml new file mode 100644 index 0000000000..06ed2badc5 --- /dev/null +++ b/codecov.yml @@ -0,0 +1,2 @@ +codecov: + require_ci_to_pass: false 
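Review bot: The new job-header-sec-tools.yml references `synthetixio/docker-sec-tools:14.17-ubuntu` by tag, and a tag can be re-pointed to different content after this review. This image runs the audit gate and the coverage upload that receives `CODECOV_TOKEN`, so pinning it by digest is worthwhile: `- image: synthetixio/docker-sec-tools@sha256:<digest-placeholder>`. The same applies to the `docker-node` image in job-header-node.yml.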
diff --git a/package-lock.json b/package-lock.json
index 5b9ac8a52b..dfe89d8196 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -5,6 +5,7 @@
 "requires": true,
 "packages": {
 "": {
+ "name": "synthetix",
 "version": "2.49.0",
 "license": "MIT",
 "dependencies": {
@@ -22,7 +23,7 @@
 },
 "devDependencies": {
 "@chainlink/contracts-0.0.10": "npm:@chainlink/contracts@0.0.10",
- "@codechecks/client": "0.1.10",
+ "@codechecks/client": "0.1.11",
 "@eth-optimism/contracts": "0.3.4",
 "@eth-optimism/core-utils": "~0.4.5",
 "@eth-optimism/hardhat-ovm": "0.2.2",
@@ -208,9 +209,9 @@
 "optional": true
 },
 "node_modules/@codechecks/client": {
- "version": "0.1.10",
- "resolved": "https://registry.npmjs.org/@codechecks/client/-/client-0.1.10.tgz",
- "integrity": "sha512-rvX+LknmMohsLTU8mHJqIcNTo8fKfw6A5i7JvT6JJWqwCLi+TujHpRO8BLf48iF96+gU5viVvKfRaUyhc3wloA==",
+ "version": "0.1.11",
+ "resolved": "https://registry.npmjs.org/@codechecks/client/-/client-0.1.11.tgz",
+ "integrity": "sha512-dSIzHnGNcXxDZtnVQEXWQHXH2v9KrpnK4mDGDxdwSu3l00rOIVwJcttj0wzx0bC0Q6gs65VsQdZH4gkanLdXOA==",
 "dev": true,
 "dependencies": {
 "bluebird": "^3.5.3",
@@ -28515,9 +28516,9 @@
 }
 },
 "@codechecks/client": {
- "version": "0.1.10",
- "resolved": "https://registry.npmjs.org/@codechecks/client/-/client-0.1.10.tgz",
- "integrity": "sha512-rvX+LknmMohsLTU8mHJqIcNTo8fKfw6A5i7JvT6JJWqwCLi+TujHpRO8BLf48iF96+gU5viVvKfRaUyhc3wloA==",
+ "version": "0.1.11",
+ "resolved": "https://registry.npmjs.org/@codechecks/client/-/client-0.1.11.tgz",
+ "integrity": "sha512-dSIzHnGNcXxDZtnVQEXWQHXH2v9KrpnK4mDGDxdwSu3l00rOIVwJcttj0wzx0bC0Q6gs65VsQdZH4gkanLdXOA==",
 "dev": true,
 "requires": {
 "bluebird": "^3.5.3",
diff --git a/package.json b/package.json
index fb01f38a4c..9cfd45c740 100644
--- a/package.json
+++ b/package.json
@@ -72,7 +72,7 @@
 },
 "devDependencies": {
 "@chainlink/contracts-0.0.10": "npm:@chainlink/contracts@0.0.10",
- "@codechecks/client": "0.1.10",
+ "@codechecks/client": "0.1.11",
 "@eth-optimism/contracts": "0.3.4",
 "@eth-optimism/core-utils": "~0.4.5",
 "@eth-optimism/hardhat-ovm": "0.2.2",