dependabot
| field | value |
|---|---|
| name | dependabot |
| description | Find all open Dependabot alerts for this repo and create a plan to resolve them using the appropriate package manager overrides (pnpm, bun, npm, cargo). |
| allowed-tools | Bash, Read, Edit, Glob, Grep, Agent |
List the open alerts for the current repository (the token `gh` is using needs read access to this repo's Dependabot alerts):

```bash
REPO=$(gh repo view --json nameWithOwner -q .nameWithOwner)
# Request open alerts only and follow pagination: the API returns 30 alerts per
# page by default, so a busy repo would otherwise be silently truncated.
# patched_version is null when no fixed release exists yet.
gh api --paginate "repos/${REPO}/dependabot/alerts?state=open&per_page=100" \
  --jq '.[] | select(.state == "open") | {
    number,
    dependency: .dependency.package.name,
    ecosystem: .dependency.package.ecosystem,
    manifest: .dependency.manifest_path,
    vulnerable_range: .security_vulnerability.vulnerable_version_range,
    patched_version: .security_vulnerability.first_patched_version.identifier,
    severity: .security_vulnerability.severity,
    summary: .security_advisory.summary
  }'
```
Group the alerts by their manifest field (e.g. js/app/bun.lock, rust/cloud-storage/Cargo.lock, js/app/packages/loro-mirror/pnpm-lock.yaml). This determines which override mechanism to use.
For each manifest/lockfile, determine the correct override mechanism:

| Lockfile | Override mechanism |
|---|---|
| `bun.lock` / `bun.lockb` | `"overrides"` in the nearest `package.json` |
| `pnpm-lock.yaml` | `"pnpm": { "overrides": { ... } }` in the workspace root `package.json` |
| `package-lock.json` | `"overrides"` in the nearest `package.json` |
| `yarn.lock` | `"resolutions"` in the nearest `package.json` |
| `Cargo.lock` | `cargo update -p <package>` (add `--precise <version>` to pin an exact release), or a workspace `[patch.crates-io]` entry in `Cargo.toml`; a `[patch]` only takes effect if the replacement still satisfies every dependent's version requirement |
Read each target package.json or Cargo.toml to check for existing overrides before adding new ones.
Present a table of all alerts grouped by manifest, showing for each alert the fields returned by the query above (number, package, ecosystem, severity, vulnerable range, patched version, summary) and the override mechanism chosen for its manifest.

Ask the user to confirm before making changes.
For each group:

- JavaScript lockfiles: add the override to the target `package.json`, run `bun install` / `pnpm install` / `npm install` as appropriate, then check with `<pm> ls <package>` that the patched version is the one actually resolved.
- `Cargo.lock`: run `cargo update -p <package>` first. If that cannot reach the patched version, run `cargo update -p <parent-package>` (the package that depends on the vulnerable one, found via `cargo tree -i <package>`). Verify with `cargo tree -i <package>` and by checking `Cargo.lock`.

After all changes, confirm the patched versions are in place and no new audit issues were introduced.
Caveats:

- Some alerts are triggered indirectly by a related package rather than the one named (e.g. `undici-types` triggering `undici` alerts). Flag these to the user.
- Pin overrides to the minimum patched version (e.g. `>=6.14.0`, not `^8.0.0`) to reduce breakage risk.
- If `cargo update` only bumps to a version below the patch, escalate to the parent dependency.
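The planning steps above, carried through in code as an added example that is not part of the skill itself: it takes alert records in the shape returned by `gh api repos/{owner}/{repo}/dependabot/alerts`, drops non-open alerts, groups by manifest, maps each lockfile to its override mechanism, picks the minimum patched version (keeping the highest fix when one package has several advisories), flags alerts with no patched release, refuses to silently replace an existing override, and emits the install and verification commands per group. All alert data, package names and version numbers are constructed; the `bun pm ls` / `pnpm ls` / `npm ls` / `yarn why` verification commands are my choice of `<pm> ls` equivalents.

```python
"""Plan Dependabot remediation from the alerts JSON, grouped by manifest.

Added example, not the skill's own code; alert records follow the shape of
`gh api repos/{owner}/{repo}/dependabot/alerts` and the sample data is constructed.
"""
import json
import posixpath
from collections import defaultdict

# Lockfile basename -> (file to edit, key path in that JSON, install cmd, verify cmd).
# key path None = no JSON override mechanism; bump the lockfile with `cargo update -p`.
LOCKFILE_MECHANISM = {
    "bun.lock": ("package.json", ("overrides",), "bun install", "bun pm ls"),
    "bun.lockb": ("package.json", ("overrides",), "bun install", "bun pm ls"),
    "package-lock.json": ("package.json", ("overrides",), "npm install", "npm ls"),
    "yarn.lock": ("package.json", ("resolutions",), "yarn install", "yarn why"),
    "pnpm-lock.yaml": ("workspace root package.json", ("pnpm", "overrides"), "pnpm install", "pnpm ls"),
    "Cargo.lock": ("Cargo.toml", None, "cargo update -p", "cargo tree -i"),
}

def _alert(number, state, ecosystem, name, manifest, vuln_range, patched, severity="high"):
    """One constructed record in the shape of the Dependabot alerts API."""
    return {
        "number": number, "state": state,
        "dependency": {"package": {"ecosystem": ecosystem, "name": name}, "manifest_path": manifest},
        "security_vulnerability": {
            "severity": severity, "vulnerable_version_range": vuln_range,
            "first_patched_version": {"identifier": patched} if patched else None},
        "security_advisory": {"summary": f"constructed advisory for {name}"},
    }

# Constructed sample: two advisories for one package, a pnpm sub-package, a Cargo
# crate, an alert with no upstream fix yet, and an already-fixed alert to ignore.
SAMPLE_ALERTS = [
    _alert(41, "open", "npm", "undici", "js/app/bun.lock", "< 6.14.0", "6.14.0"),
    _alert(45, "open", "npm", "undici", "js/app/bun.lock", "< 6.21.1", "6.21.1", "moderate"),
    _alert(42, "open", "npm", "braces", "js/app/packages/loro-mirror/pnpm-lock.yaml", "< 3.0.3", "3.0.3"),
    _alert(43, "open", "cargo", "idna", "rust/cloud-storage/Cargo.lock", "< 1.0.0", "1.0.0"),
    _alert(44, "open", "npm", "leftpad-ish", "js/app/bun.lock", "<= 1.2.0", None, "low"),
    _alert(40, "fixed", "npm", "semver", "js/app/bun.lock", "< 7.5.2", "7.5.2"),
]

def _ver_key(v):
    """Sort key for dotted versions; numeric parts compare numerically."""
    return tuple((int(p), "") if p.isdigit() else (-1, p) for p in v.split("."))

def mechanism_for(manifest_path):
    """Map an alert's manifest_path to its override mechanism, failing loudly if unknown."""
    name = posixpath.basename(manifest_path)
    if name not in LOCKFILE_MECHANISM:
        raise ValueError(f"no override mechanism known for {manifest_path}")
    return LOCKFILE_MECHANISM[name]

def plan(alerts):
    """Group open alerts by manifest and pick the minimum patched version per package."""
    out = defaultdict(lambda: {"overrides": {}, "cargo_update": [], "unpatched": []})
    for a in alerts:
        if a["state"] != "open":
            continue
        manifest = a["dependency"]["manifest_path"]
        pkg = a["dependency"]["package"]["name"]
        patched = a["security_vulnerability"]["first_patched_version"]
        file_, key_path, _, _ = mechanism_for(manifest)
        entry = out[manifest]
        entry["file"], entry["key_path"] = file_, key_path
        if patched is None:                       # nothing to override to: flag for the user
            entry["unpatched"].append(pkg)
        elif key_path is None:                    # Cargo: bump the lockfile instead
            if pkg not in entry["cargo_update"]:
                entry["cargo_update"].append(pkg)
        else:                                     # several advisories: keep the highest fix,
            current = entry["overrides"].get(pkg, ">=0")   # but still ">=min", not a new major
            if _ver_key(patched["identifier"]) > _ver_key(current.lstrip(">=")):
                entry["overrides"][pkg] = f">={patched['identifier']}"
    return dict(out)

def merge_overrides(package_json, key_path, overrides):
    """Return (updated package.json dict, existing overrides left untouched).

    An existing override for the same package is never replaced silently; it is
    reported so the user can confirm, as the skill requires before making changes.
    """
    doc = json.loads(json.dumps(package_json))    # deep copy; never mutate the input
    node = doc
    for key in key_path:
        node = node.setdefault(key, {})
    kept = {}
    for pkg, spec in overrides.items():
        if pkg in node and node[pkg] != spec:
            kept[pkg] = node[pkg]
        else:
            node[pkg] = spec
    return doc, kept

def commands_for(manifest, entry):
    """Shell commands (run from the repo root) to apply and then verify one group."""
    directory = posixpath.dirname(manifest) or "."
    _, key_path, install, verify = mechanism_for(manifest)
    if key_path is None:
        return [f"cd {directory} && {install} {p} && {verify} {p}" for p in entry["cargo_update"]]
    return [f"cd {directory} && {install}"] + [f"cd {directory} && {verify} {p}" for p in entry["overrides"]]
```

Feed `plan(...)` the JSON array the `gh api` query returns (without `--jq`) and it yields one entry per lockfile; `merge_overrides` applies a group's entry to the parsed target `package.json` and reports any override that already existed with a different spec, which is the point at which to ask the user rather than overwrite. An unknown lockfile raises instead of being skipped, so a new ecosystem cannot quietly drop alerts from the plan.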