Jeden Skill in Manus ausführen
mit einem Klick

Jeden Skill in Manus mit einem Klick ausführen

$pwd:

updating-security

Name: Updating Security
Author: SocketDev

// Resolve open GitHub Dependabot security alerts on a fleet repo. Fetches alerts via `gh api`, applies fixes (direct dep bump, pnpm override for transitives, or principled dismissal for unfixable), validates with `pnpm run check`, commits per-alert, and reports remaining advisories. Sibling of `updating-lockstep` under the `updating` umbrella.

In Manus ausführen

$ git log --oneline --stat

stars:3

forks:2

updated:23. Mai 2026 um 15:43

Datei-Explorer

2 Dateien

SKILL.md

readonly

name	updating-security
description	Resolve open GitHub Dependabot security alerts on a fleet repo. Fetches alerts via `gh api`, applies fixes (direct dep bump, pnpm override for transitives, or principled dismissal for unfixable), validates with `pnpm run check`, commits per-alert, and reports remaining advisories. Sibling of `updating-lockstep` under the `updating` umbrella.
user-invocable	true
allowed-tools	AskUserQuestion, Read, Edit, Grep, Glob, Bash(gh api:), Bash(gh auth:), Bash(pnpm:), Bash(git:), Bash(node:), Bash(jq:)

updating-security

Walk open Dependabot security alerts on the current repo and fix them via the cheapest principled mechanism. Invoked directly via /update-security or as Phase 5 of the updating umbrella.

When to use

A gh dependabot alerts listing shows open advisories.
The GitHub web UI security tab is non-empty after a push (gh warns "Dependabot found N vulnerabilities" on push completion).
As part of weekly maintenance (the updating umbrella invokes this automatically when alerts are present).

What it does NOT do

Disable alerts at the repo level. Suppressing the security tab via repo settings is a separate (heavier) decision; this skill resolves the underlying CVEs.
Touch dependabot.yml. The fleet ships a no-op dependabot.yml (open-pull-requests-limit: 0) so Dependabot doesn't open version-update PRs; security alerts are independent and surface regardless.
Auto-dismiss without evidence. Dismissals require a reason matching one of GitHub's documented values (fix_started / inaccurate / no_bandwidth / not_used / tolerable_risk) and a one-line justification. The skill asks before dismissing.

Phases

#	Phase	Outcome
1	Discover	`gh api repos/{owner}/{repo}/dependabot/alerts?state=open`. Group by package + relationship (direct / transitive).
2	Classify	Each alert → one of: `direct-fix` (bump `package.json`), `override-fix` (pnpm override for transitive), `dismiss-with-reason`.
3	Apply direct fixes	For each direct dep: `pnpm update <pkg>@<first-patched-version>` (or higher); commit per alert.
4	Apply override fixes	For each transitive: add `pnpm.overrides[<pkg>]` to `package.json` pinning the patched range; `pnpm install`; commit per row.
5	Validate	`pnpm run check --all` (interactive) or `pnpm run check --staged` (CI). Roll back any commit whose check fails.
6	Push	Per CLAUDE.md push policy — `git push origin <branch>`, fall back to PR on rejection. NEVER force-push.
7	Verify resolution	After push lands, `gh api .../dependabot/alerts` should show each fixed alert as `auto_dismissed` or `fixed`. Log remaining.
8	Report	Per-alert table: alert # / pkg / severity / action taken / state.

Hard requirements

Clean tree on entry — same rule as updating umbrella.
One commit per alert — chore(security): bump <pkg> to <ver> (GHSA-XXXX) or chore(security): override <pkg> ~> <ver> (GHSA-XXXX).
No --no-verify — the soak / cooldown guard (minimum-release-age-guard) MUST be honored. If a patched version is inside the 7-day soak, the skill notes the alert as awaiting-soak and returns without modification.
Conventional Commits — chore(security): <action> (per CLAUDE.md Commits & PRs).
Default-branch fallback — never hard-code main (per CLAUDE.md Default branch fallback).
GitHub auth — assumes gh auth status returns OK. Token must have security_events:read + repo scopes. Personal gh login satisfies both.

Success criteria

Every alert that has a first_patched_version is either fixed, awaiting-soak, or has an explicit dismissal request.
Working tree clean after the commit chain.
pnpm run check passes against the fix set.

Safety: every commit is atomic and the skill can be interrupted at any phase. Resume by re-running — already-applied fixes show up as auto_dismissed and are skipped.

Full bash, alert-shape reference, dismissal-reason taxonomy, and recovery procedures in reference.md.

related-skills.json

gleiches Repository

cascading-fleet.md

from "SocketDev/socket-packageurl-js"

Propagate a wheelhouse template change to every fleet repo (or a registry-pin chain to every dependent repo). Packages the canonical fleet-repo list, the FLEET_SYNC=1 sentinel pattern, the worktree-per-repo loop, push-direct + PR-fallback, and worktree-cleanup that survives mid-loop crashes. Use when a wheelhouse template SHA needs to land in every fleet repo, when a registry pin chain needs propagation, or when batching multiple template SHAs into one cascade wave.

2026-05-233

cleaning-redundant-ci.md

from "SocketDev/socket-packageurl-js"

Sweeps a fleet repo (or every fleet repo) for redundant CI surface — orphan workflow YAML files (lint.yml / check.yml / type.yml / test.yml that the unified ci.yml replaced), GitHub-Dependabot auto-fix PRs that the fleet handles via /updating-security, and stale workflow run history in the Actions sidebar. Deletes the YAML files, disables Dependabot automated-security-fixes via gh api, and reports anything that needs a manual UI toggle. Once-and-never-again sweep — meant to leave a repo clean.

2026-05-233

scanning-quality.md

from "SocketDev/socket-packageurl-js"

Scans the codebase for bugs, logic errors, cache races, workflow problems, insecure defaults, security regressions in the diff, and variant analysis on prior findings. Spawns specialized Task agents per scan type, deduplicates findings, and produces an A-F prioritized report. Use when preparing a release, investigating quality issues, running pre-merge checks, or whenever a recent diff touches security-sensitive code.

2026-05-233

updating-coverage.md

from "SocketDev/socket-packageurl-js"

Refresh the coverage badge in the root README by running the repo's coverage script and rewriting the `![Coverage](https://img.shields.io/badge/coverage-<PCT>%25-brightgreen)` line. Sibling of `updating-security` / `updating-lockstep` under the `updating` umbrella.

2026-05-233

updating.md

from "SocketDev/socket-packageurl-js"

Umbrella update skill for a Socket fleet repo. Runs `pnpm run update` (npm), validates `lockstep.json` via `pnpm run lockstep` (if present), optionally bumps submodules, checks workflow SHA pins, resolves open Dependabot security alerts, refreshes the README coverage badge when applicable, and audits GitHub repo + Actions settings drift via `scripts/lint-github-settings.mts`. Use when asked to update dependencies, sync upstreams, fix security advisories, refresh coverage, or prepare for a release.

2026-05-233

auditing-gha-settings.md

from "SocketDev/socket-packageurl-js"

Audits a repo's GitHub Actions permissions + allowlist against the fleet baseline. Reports drift only — fixes are manual in Settings → Actions because flipping these silently is unsafe. Use when a CI failure looks like "action X is not allowed to be used", when onboarding a new fleet repo, or as a periodic fleet-wide health check.

2026-05-213

package.json

"author": "SocketDev"

"repository": "SocketDev/socket-packageurl-js"

GitHub-Repository öffnen Creator-Repositorys ansehen

$ install --global

$ download --local

In Manus ausführen

name	updating-security
description	Resolve open GitHub Dependabot security alerts on a fleet repo. Fetches alerts via `gh api`, applies fixes (direct dep bump, pnpm override for transitives, or principled dismissal for unfixable), validates with `pnpm run check`, commits per-alert, and reports remaining advisories. Sibling of `updating-lockstep` under the `updating` umbrella.
user-invocable	true
allowed-tools	AskUserQuestion, Read, Edit, Grep, Glob, Bash(gh api:), Bash(gh auth:), Bash(pnpm:), Bash(git:), Bash(node:), Bash(jq:)

updating-security

Walk open Dependabot security alerts on the current repo and fix them via the cheapest principled mechanism. Invoked directly via /update-security or as Phase 5 of the updating umbrella.

When to use

A gh dependabot alerts listing shows open advisories.
The GitHub web UI security tab is non-empty after a push (gh warns "Dependabot found N vulnerabilities" on push completion).
As part of weekly maintenance (the updating umbrella invokes this automatically when alerts are present).

What it does NOT do

Disable alerts at the repo level. Suppressing the security tab via repo settings is a separate (heavier) decision; this skill resolves the underlying CVEs.
Touch dependabot.yml. The fleet ships a no-op dependabot.yml (open-pull-requests-limit: 0) so Dependabot doesn't open version-update PRs; security alerts are independent and surface regardless.
Auto-dismiss without evidence. Dismissals require a reason matching one of GitHub's documented values (fix_started / inaccurate / no_bandwidth / not_used / tolerable_risk) and a one-line justification. The skill asks before dismissing.

Phases

#	Phase	Outcome
1	Discover	`gh api repos/{owner}/{repo}/dependabot/alerts?state=open`. Group by package + relationship (direct / transitive).
2	Classify	Each alert → one of: `direct-fix` (bump `package.json`), `override-fix` (pnpm override for transitive), `dismiss-with-reason`.
3	Apply direct fixes	For each direct dep: `pnpm update <pkg>@<first-patched-version>` (or higher); commit per alert.
4	Apply override fixes	For each transitive: add `pnpm.overrides[<pkg>]` to `package.json` pinning the patched range; `pnpm install`; commit per row.
5	Validate	`pnpm run check --all` (interactive) or `pnpm run check --staged` (CI). Roll back any commit whose check fails.
6	Push	Per CLAUDE.md push policy — `git push origin <branch>`, fall back to PR on rejection. NEVER force-push.
7	Verify resolution	After push lands, `gh api .../dependabot/alerts` should show each fixed alert as `auto_dismissed` or `fixed`. Log remaining.
8	Report	Per-alert table: alert # / pkg / severity / action taken / state.

Hard requirements

Clean tree on entry — same rule as updating umbrella.
One commit per alert — chore(security): bump <pkg> to <ver> (GHSA-XXXX) or chore(security): override <pkg> ~> <ver> (GHSA-XXXX).
No --no-verify — the soak / cooldown guard (minimum-release-age-guard) MUST be honored. If a patched version is inside the 7-day soak, the skill notes the alert as awaiting-soak and returns without modification.
Conventional Commits — chore(security): <action> (per CLAUDE.md Commits & PRs).
Default-branch fallback — never hard-code main (per CLAUDE.md Default branch fallback).
GitHub auth — assumes gh auth status returns OK. Token must have security_events:read + repo scopes. Personal gh login satisfies both.

Success criteria

Every alert that has a first_patched_version is either fixed, awaiting-soak, or has an explicit dismissal request.
Working tree clean after the commit chain.
pnpm run check passes against the fix set.

Safety: every commit is atomic and the skill can be interrupted at any phase. Resume by re-running — already-applied fixes show up as auto_dismissed and are skipped.

Full bash, alert-shape reference, dismissal-reason taxonomy, and recovery procedures in reference.md.

updating-security

updating-security

When to use

What it does NOT do

Phases

Hard requirements

Success criteria

Mehr aus diesem Repository

updating-security

When to use

What it does NOT do

Phases

Hard requirements

Success criteria

Mehr aus diesem Repository