| name | dependabot |
| description | Fetch open Dependabot alerts for a GitHub repository, review them, and update vulnerable dependencies. |
| user-invocable | true |
| argument-hint | OWNER REPO |
| allowed-tools | Bash, Read, Write, Edit, Glob, Grep, AskUserQuestion |
Dependabot Alerts
Fetch open Dependabot security alerts for a GitHub repository and write them to alerts.txt in the current working directory.
Prerequisites
The gh CLI must be authenticated. The active account's token needs the security_events scope.
- Add an account:
gh auth login
- Add the required scope:
gh auth refresh -h github.com -s security_events
- Switch accounts:
gh auth switch
Account selection
Before running the script, check which gh accounts are available and which is active:
gh auth status
If there is more than one account, use AskUserQuestion to ask the user which account they want to use. List the available account usernames as options.
Once the user selects an account, switch to it:
gh auth switch -u SELECTED_ACCOUNT
After the skill finishes (whether it succeeds or fails), restore the original active account:
gh auth switch -u ORIGINAL_ACCOUNT
How to run
bash "${CLAUDE_SKILL_DIR}/dependabot.sh" OWNER REPO > alerts.txt
When invoked with /dependabot
If the user provides $ARGUMENTS (e.g., wjgilmore securitybot.dev), use them as OWNER and REPO:
bash "${CLAUDE_SKILL_DIR}/dependabot.sh" $ARGUMENTS > alerts.txt
If no arguments are provided, the script infers OWNER and REPO from the current git remote automatically:
bash "${CLAUDE_SKILL_DIR}/dependabot.sh" > alerts.txt
After fetching
- Read
alerts.txt to review the alerts.
- For each alert, determine the current installed version and whether a patched version is available.
- Update vulnerable dependencies using the appropriate package manager (
npm update, composer update, etc.).
- Verify the build and tests still pass after updating.
- Report a summary of what was fixed.
- Delete
alerts.txt — it is a temporary file and should not be committed.