원클릭으로
dependabot-fix
Check GitHub Dependabot alerts for the current repo and fix the highest-priority vulnerability.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Check GitHub Dependabot alerts for the current repo and fix the highest-priority vulnerability.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
| name | dependabot-fix |
| description | Check GitHub Dependabot alerts for the current repo and fix the highest-priority vulnerability. |
Fix the highest-priority open Dependabot vulnerability in the current repository.
Run the helper script to retrieve all open Dependabot alerts:
bash "${CLAUDE_PLUGIN_ROOT}/scripts/dependabot-alerts.sh"
If the script reports no open alerts, tell the user there are no open Dependabot alerts and stop.
If the script fails, report the error and stop.
Parse the JSONL output. Each line is a JSON object with these fields:
number — alert numberpackage — vulnerable package nameecosystem — package ecosystem (npm, pip, maven, etc.)manifest — path to the manifest file (package.json, requirements.txt, etc.)severity — severity tier: critical, high, medium, or lowcvss — CVSS score (0–10, higher is worse)summary — advisory summaryghsa_id — GitHub Security Advisory IDpatched_version — first patched version, if knownGroup alerts by package name. For each package, record:
Rank packages using these criteria in order:
Select the top-ranked package.
Tell the user which package you're going to fix and why, including:
Investigate and apply the fix:
manifest field from the alerts as a starting point)npm install, pip install, bundle install, go mod tidy, etc.)package.json is an exact pinned version (e.g., 1.2.3). Remove any range prefix (^, ~) that npm may have added. Re-run npm install after correcting the version to keep the lockfile in sync.go.mod, Node.js version in engines/.nvmrc, a setup-go/setup-node action version), audit all places that declare that version and update them to match:
go.mod, package.json engines, .nvmrc, .node-version, .tool-versions, .python-version.github/workflows/*.yml (setup-go, setup-node, setup-python, etc.)Dockerfile* (FROM directives)After fixing, summarize what was changed and suggest the user commit the result.
Batch-merge the open Dependabot PRs that are ready (no conflicts, all checks passing) by combining them onto a single branch and merging once, instead of one PR at a time.
Run a full Dependabot maintenance sweep — unblock stuck PRs, batch-merge ready PRs onto the sweep branch, fix vulnerability alerts, update changelog, open one PR, and merge it once checks are green.
Run system-wide maintenance (e.g. a weekly Dependabot sweep) across all your configured projects by discovering and executing each project's `maintenance-<tag>` skill, with a live observability web app that shows per-project progress and results. Invoke as `/zed:maintenance <tag>`.
Check out a PR, read its GitHub review comments, evaluate each for validity, fix the good recommendations, and report on what was done. If the PR has no review and none is pending, always generate one (codex, copilot CLI, or a Claude subagent) and post it before fixing.
Record progress on a maintenance followup ticket — comment on it, mark it done, or decline it. Invoke as `/zed:maint-followup <ticket-number> <update|done|nope> [comment]`. When the last open ticket of a run is closed, the run flips to Completed.
Read a context handoff Markdown file written by `send-context` from another Claude Code session, absorb it into the current session, then delete the file.