// Triage and fix dependency vulnerabilities in an npm project. Use when the user asks to fix, address, or patch dependency/dependabot/npm audit vulnerabilities.
Create a GitHub release and publish to NPM.
Commit staged work, push the branch, and open a PR. Use when wrapping up changes that need to ship.
Draft an implementation plan for a feature in .agents/plans. Does not execute the plan. Use when the user asks to plan, design, or scope a feature without building it.
Execute an implementation plan. Implements every task, runs validation, commits, and opens a PR. Use when the user asks to execute, implement, or run a plan file.
Prepare a release PR by bumping package versions (patch, minor, or major).
Analyze past Claude Code session(s) for mistakes and propose targeted improvements. Use when the user asks for a retrospective, post-mortem, or session review. Outputs concise findings plus suggested edits to CLAUDE.md (general lessons) or new/updated skills (specific workflows).
| name | fix-vulnerabilities |
| description | Triage and fix dependency vulnerabilities in an npm project. Use when the user asks to fix, address, or patch dependency/dependabot/npm audit vulnerabilities. |
git checkout main && git pull
git checkout -b fix/vulnerabilities-$(date +%Y-%m-%d)
Use the repo's actual owner/name (don't leave :owner/:repo). The patched version lives under vulnerabilities[].first_patched_version.identifier.
gh api repos/<owner>/<repo>/dependabot/alerts --paginate \
-q '.[] | select(.state=="open") | {pkg: .dependency.package.name, severity: .security_advisory.severity, summary: .security_advisory.summary, vulnerable: .security_vulnerability.vulnerable_version_range, patched: .security_advisory.vulnerabilities[0].first_patched_version.identifier, manifest: .dependency.manifest_path}'
Also check code scanning (often catches CI/workflow issues that audit misses):
gh api repos/<owner>/<repo>/code-scanning/alerts --paginate -q '.[] | select(.state=="open")'
npm audit --json
npm audit walks workspaces by default. Treat deprecation notices (e.g. inflight, whatwg-encoding, "Old versions of glob are not supported") as informational — they have no patched version and can't be "fixed" without replacing the upstream caller. Note them in the PR body and move on.
For each vulnerability, try in order:
Bump the direct dependency. Check both root package.json AND every workspace package.json (packages/*/package.json) — the vulnerable transitive may be reachable through a workspace. If a direct dep can be bumped to a version whose transitives no longer carry the vuln, do that:
npm install <pkg>@<safe-version>
# or for a workspace:
npm install <pkg>@<safe-version> -w <workspace-name>
Always verify against npm view <pkg> version — if every direct dep is already at latest and the vuln persists, no direct bump can fix it.
Add an overrides entry in the root package.json for transitives with no direct-bump path:
"pkg": "version") override every instance — only safe when one version works for all callers."pkg@<major>": "<version>" — so each major line is pinned separately. A single flat pin will silently force older callers onto an incompatible API and break the build.npm help package-json for parent-scoped overrides if a flat or range-keyed key is too broad.Example block from this repo:
"overrides": {
"tar": "^7.5.11",
"minimatch@3": "^3.1.4",
"minimatch@9": "^9.0.7"
}
Then npm install and confirm with npm ls <pkg> that each major resolves to the pinned version.
No fix available — leave it and note it in the PR body.
Re-run npm audit after each change.
Use the validate skill. Overrides can break callers expecting older APIs (especially across major versions). Tests alone aren't enough — build pipelines (rollup, webpack, babel) often hit the bumped transitives at compile time.
If a bump/override breaks the build and the incompatibility can't be reconciled (caller depends on a removed API, peer-dep conflict between two libs, etc.), roll back that specific change — revert the npm install or remove the offending overrides entry, run npm install, and move it to the "Unfixed" section of the PR body with a one-line reason. Do not commit a broken build.
Use the commit skill with title fix: patch dependency vulnerabilities and body:
## Fixed
- <pkg>: <old> → <new> (direct bump / override)
## Unfixed (no patch available)
- <pkg> (<severity>): <summary>