ワンクリックで
dependabot-alerts
Triage GitHub Dependabot security alerts into one-point GUS work items that bump the outermost consumer. User-invoked only.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Triage GitHub Dependabot security alerts into one-point GUS work items that bump the outermost consumer. User-invoked only.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
Enforces Effect-TS patterns for services, errors, layers, and atoms. Use when writing code with Effect.Service, Schema.TaggedError, Layer composition, or effect-atom React components.
Consume the salesforcedx-vscode-services extension API. Use when an extension depends on salesforcedx-vscode-services and you are registering commands, calling its services (Workspace, Connection, Project, Settings, FS, Channel, Media, prompts), watching files/config/target-org, or wiring the AllServicesLayer/runtime in extensionProvider.ts.
package.json conventions for this repo. Use when editing/reviewing a package.json — name, types, browser, files, dependencies, devDependencies, packaging, scripts, or vscode contributes.
Prefer vscode-uri over node:path. Use when .ts files in /src import node:path or use path.join/basename/dirname/resolve, URI.file, or memfs paths.
Add custom SVG icons to salesforcedx-vscode-services for font generation. Use when adding new icons to media/icons-src, creating SVG icons for VS Code extension, or defining font-based icons.
TypeScript coding standards — apply when writing, reviewing, or refactoring .ts/.tsx, or naming/renaming .ts files (camelCase casing).
| name | dependabot-alerts |
| description | Triage GitHub Dependabot security alerts into one-point GUS work items that bump the outermost consumer. User-invoked only. |
Triage open Dependabot security alerts into GUS work items. Output is work items only — no branches, bumps, or PRs. The auto-build-wi workflow claims each WI and does the build/PR.
User-invoked only. Never auto-fire.
npm overrides in package.json. Ever.gh api repos/forcedotcom/salesforcedx-vscode/dependabot/alerts --jq '[.[] | select(.state=="open")]'(Repo is a monorepo, workspaces packages/*. npm 11.)
Find who pulls the vulnerable package in, working outward to a package.json.
npm why <vuln-pkg> (or npm ls <vuln-pkg>) from repo root → every path to a direct dep declared in a package.json (root or a packages/*).Try in order; stop at the first that works:
package.json. A newer version of the consumer resolves <vuln-pkg> to a patched version (consumer already shipped the fix). Edit the version in whichever package.json declares it. Best — preferred.npm update <consumer>. Consumer's existing semver range already allows a patched <vuln-pkg>, but the lockfile is stale. No package.json change. Second best.Pick the lowest consumer version that resolves <vuln-pkg> to a patched version, never latest — fewer majors crossed, fewer breaking changes to vet.
If the chosen bump crosses a major version (e.g. ^1.x → ^3.0.0), spawn one subagent per crossing bump to vet it before drafting the WI. One bump may span several majors (1→3 = two changelogs); independent bumps vet in parallel.
Each subagent's task:
grep our code for the affected API/behavior and decide if it breaks us specifically.What the subagent looks for:
"type": "module"). Our .github/actions/* and most packages are CJS (tsc module: node16, require() output). An ESM-only dep can't be require()d from a CJS build — breaking migration, not a bump..github/actions/* run using: node20; extensions target their own engine).Act on the verdict:
^2.0.0, not ^3.0.0). Note the cap + reason in Details__c.Details__c so auto-build-wi plans for it.Before creating a WI for a bump, check for an existing Dependabot PR proposing the same bump (gh pr list --author 'app/dependabot' --state open):
| Dependabot PR state | Action |
|---|---|
| Green / mergeable | Skip — let Dependabot merge it. No WI. |
| CI failing | Close the Dependabot PR (gh pr close), then create the WI (manual AI loop is better than a broken Dependabot bump). |
| CI still running | Wait — don't create a WI, don't close. Re-check later. |
| None | Proceed to create the WI. |
One WI per consumer-bump, not per alert. If one alert needs three consumers bumped → three WIs → three PRs. Isolation: each PR's CI/regression runs against exactly one change, so a failure points at one bump.
Each WI:
[ai-auto] at the front of Subject__c (e.g. [ai-auto] bump <consumer> to <ver> for <GHSA> (<vuln-pkg>)).a3QEE0000023Fm92AE. If that epic is closed (Health__c in Completed/Canceled), use the most recent open trust epic instead — query team epics, match by Name.Details__c = the fix recipe so auto-build-wi can execute blind:
package.json, which consumer, target version (case 1) or npm update <consumer> (case 2).package-lock.json after the build.1 of N for <GHSA> (each PR stands alone; Dependabot closes the alert once all land).Follow gus-cli/SKILL.md for create mechanics (fields, confirmation, temp-Subject + flags-dir flow) and runner identity. Show the draft and wait for confirmation before any sf data create record.
Every open alert is one of: a created WI (with a lockfile-version verification line), skipped as unfixable, skipped as a green Dependabot PR, or waiting on a running Dependabot PR. Report the disposition of each.