Run any Skill in Manus with one click

$pwd:

fix-vulnerability

Name: Fix Vulnerability
Author: lightdash

// Fix a Snyk vulnerability PR by regenerating the pnpm lockfile, checking changelogs for breaking changes, and posting findings as a PR comment. Use when asked to fix a vulnerability PR or handle a Snyk dependency upgrade.

Run Skill in Manus

$ git log --oneline --stat

stars:5,862

forks:725

updated:April 21, 2026 at 08:20

SKILL.md

readonly

name	fix-vulnerability
description	Fix a Snyk vulnerability PR by regenerating the pnpm lockfile, checking changelogs for breaking changes, and posting findings as a PR comment. Use when asked to fix a vulnerability PR or handle a Snyk dependency upgrade.
allowed-tools	Bash, Read, Grep, Glob, Task, WebFetch, WebSearch

Fix Vulnerability PR

Process a Snyk (or similar) dependency upgrade PR: rename the PR, regenerate the lockfile, analyze changelogs for breaking changes, and post a summary comment.

The user must provide a PR URL or number as $ARGUMENTS. If not provided, ask for it.

Step 1: Fetch PR details

Extract the PR number from the argument and fetch the PR diff to understand what changed:

# Get PR metadata
gh pr view <PR_NUMBER> --json number,title,body,headRefName,baseRefName

# Get the diff to see which dependencies changed
gh pr diff <PR_NUMBER>

Parse the diff to identify:

Which packages were upgraded (package name, old version, new version)
Which package.json files were modified
Whether the lockfile (pnpm-lock.yaml) is included or missing

Report the list of dependency changes to the user before proceeding.

Step 2: Rename the PR

Replace the Snyk-generated title with a descriptive one following conventional commit format:

gh pr edit <PR_NUMBER> --title "fix: upgrade <package1> <oldVersion>→<newVersion> and <package2> <oldVersion>→<newVersion>"

Also update the PR description to append test trigger keywords so all test suites run on the next push:

# Get current body, append test keywords
CURRENT_BODY=$(gh pr view <PR_NUMBER> --json body -q '.body')
gh pr edit <PR_NUMBER> --body "${CURRENT_BODY}

test-frontend test-backend test-cli"

Rules for the title:

Use fix: prefix (these are vulnerability fixes)
List all upgraded packages with their version ranges
If there are more than 3 packages, summarize: fix: upgrade 5 dependencies (security)
Keep it under 72 characters when possible

Step 3: Checkout the PR branch and regenerate lockfile

# Fetch and checkout the PR branch
gh pr checkout <PR_NUMBER>

# Install dependencies to regenerate the lockfile (sfw blocks known-malicious packages)
# Requires `npm i -g sfw` to be installed globally once per machine.
sfw pnpm install

# Check if the lockfile was modified
git status pnpm-lock.yaml

If pnpm-lock.yaml was modified, stage and commit it:

git add pnpm-lock.yaml
git commit -m "chore: regenerate pnpm-lock.yaml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>"

Then push the changes:

git push

Step 4: Analyze changelogs for breaking changes

For each upgraded dependency identified in Step 1:

Fetch the changelog or release notes — try these sources in order: a. GitHub releases page: https://github.com/<owner>/<repo>/releases b. CHANGELOG.md in the repo: https://raw.githubusercontent.com/<owner>/<repo>/main/CHANGELOG.md c. npm page: https://www.npmjs.com/package/<package-name> d. Web search as a last resort: "<package-name> changelog <old-version> <new-version>"
Identify the package's GitHub repo from the PR body (Snyk usually includes repo links) or from npm registry metadata:
```
npm view <package-name> repository.url
```
Review changes between the old and new versions. Focus on:
- Breaking changes or deprecations
- API changes that could affect our code
- Major behavioral changes
- Security advisories and CVE details
Search our codebase for usage of each upgraded package to assess impact:
```
# Check how we import/use the package
```
Use Grep to search for imports and usage patterns of each package across the codebase.
Assess risk for each dependency:
- No risk: Patch version bump, no breaking changes, minimal usage in our code
- Low risk: Minor version bump, no breaking changes in APIs we use
- Medium risk: Breaking changes exist but don't affect our usage patterns
- High risk: Breaking changes directly affect how we use the package

Step 5: Post PR comment with findings

Post a comment on the PR summarizing your analysis using gh pr comment:

gh pr comment <PR_NUMBER> --body "$(cat <<'EOF'
## Vulnerability Fix Analysis

### Lockfile
[✅ Regenerated and pushed / ℹ️ Already up to date]

### Dependency Changes

| Package | Old Version | New Version | Risk | Notes |
|---------|------------|-------------|------|-------|
| package-name | x.y.z | a.b.c | 🟢 No risk / 🟡 Low / 🟠 Medium / 🔴 High | Brief explanation |

### Breaking Changes Analysis

[For each dependency with notable changes, provide a brief summary]

#### `package-name` (x.y.z → a.b.c)
- **Changelog**: [link to changelog/releases]
- **Breaking changes**: [None / List of breaking changes]
- **Our usage**: [How we use this package, with file paths]
- **Impact**: [Assessment of whether breaking changes affect us]

### Recommendation
[Overall assessment: safe to merge, needs code changes, needs manual testing, etc.]

---
🤖 Generated with [Claude Code](https://claude.com/claude-code)
EOF
)"

Adapt the comment content based on your actual findings. Be concise but thorough. If there are breaking changes that affect our code, clearly list what needs to change.

Step 6: Return to original branch

After posting the comment, switch back to the original branch:

git checkout main

Notes

If pnpm install fails, report the error — it likely means the version bump introduced an incompatibility
For monorepo packages (e.g., @types/*), check if the type changes affect our code
Snyk PRs typically include CVE details in the PR body — reference these in your analysis
If a dependency has many transitive dependents, note this as it increases risk surface
Do NOT approve or merge the PR — only analyze and comment

related-skills.json

same repository

frontend-style-guide.md

from "lightdash/lightdash"

Apply the Lightdash frontend style guide when working on React components, migrating Mantine v6 to v8, or styling frontend code. Use when editing TSX files, fixing styling issues, or when user mentions Mantine, styling, or CSS modules.

2026-05-295.9k

ld-permissions.md

from "lightdash/lightdash"

Guide for Lightdash's CASL-based authorization system. Use when working with scopes, custom roles, abilities, permissions, ForbiddenError, authorization, or access control. Helps with adding new scopes, debugging permission issues, understanding the permission flow, and creating custom roles.

2026-05-285.9k

developing-in-lightdash.md

from "lightdash/lightdash"

Use when reading and editing Lightdash dashboards and charts as JSON, including dashboard layout and chart-type-specific configuration.

2026-05-285.9k

developing-in-lightdash.md

from "lightdash/lightdash"

Use when working with Lightdash YAML files, dbt models with Lightdash metadata, the lightdash CLI (deploy, upload, download, preview, lint, sql, set-warehouse), or creating/editing charts, dashboards, metrics, and dimensions as code

2026-05-255.9k

renovate-pr.md

from "lightdash/lightdash"

Test and assess an open Renovate dependency-bump PR. Picks the first open Renovate PR, checks out the branch, starts the app, exercises code paths affected by the upgraded package, reviews the changelog and (if needed) the upstream source diff, and reports whether the bump is safe to merge. Use when asked to "test a renovate PR", "triage renovate", "assess a renovate bump", or "check a dependency upgrade".

2026-05-185.9k

lightdash-agent-slack-messaging.md

from "lightdash/lightdash"

Use this skill when writing, designing, or generating Slack messages for Lightdash's in-app analytics agent. Triggers when someone asks to create agent update messages, Slack digests, agent notifications, weekly summaries, daily summaries, or any Slack copy for the Lightdash project agent. Also use when asked to vary, refresh, or make agent messages more engaging. Always use this skill for any Lightdash agent Slack communication, even if the user just says "write an agent message" or "draft a Slack update for the agent".

2026-05-045.9k

package.json

"author": "lightdash"

"repository": "lightdash/lightdash"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

Software DevelopersL4

name	fix-vulnerability
description	Fix a Snyk vulnerability PR by regenerating the pnpm lockfile, checking changelogs for breaking changes, and posting findings as a PR comment. Use when asked to fix a vulnerability PR or handle a Snyk dependency upgrade.
allowed-tools	Bash, Read, Grep, Glob, Task, WebFetch, WebSearch

Fix Vulnerability PR

Process a Snyk (or similar) dependency upgrade PR: rename the PR, regenerate the lockfile, analyze changelogs for breaking changes, and post a summary comment.

The user must provide a PR URL or number as $ARGUMENTS. If not provided, ask for it.

Step 1: Fetch PR details

Extract the PR number from the argument and fetch the PR diff to understand what changed:

# Get PR metadata
gh pr view <PR_NUMBER> --json number,title,body,headRefName,baseRefName

# Get the diff to see which dependencies changed
gh pr diff <PR_NUMBER>

Parse the diff to identify:

Which packages were upgraded (package name, old version, new version)
Which package.json files were modified
Whether the lockfile (pnpm-lock.yaml) is included or missing

Report the list of dependency changes to the user before proceeding.

Step 2: Rename the PR

Replace the Snyk-generated title with a descriptive one following conventional commit format:

gh pr edit <PR_NUMBER> --title "fix: upgrade <package1> <oldVersion>→<newVersion> and <package2> <oldVersion>→<newVersion>"

Also update the PR description to append test trigger keywords so all test suites run on the next push:

# Get current body, append test keywords
CURRENT_BODY=$(gh pr view <PR_NUMBER> --json body -q '.body')
gh pr edit <PR_NUMBER> --body "${CURRENT_BODY}

test-frontend test-backend test-cli"

Rules for the title:

Use fix: prefix (these are vulnerability fixes)
List all upgraded packages with their version ranges
If there are more than 3 packages, summarize: fix: upgrade 5 dependencies (security)
Keep it under 72 characters when possible

Step 3: Checkout the PR branch and regenerate lockfile

# Fetch and checkout the PR branch
gh pr checkout <PR_NUMBER>

# Install dependencies to regenerate the lockfile (sfw blocks known-malicious packages)
# Requires `npm i -g sfw` to be installed globally once per machine.
sfw pnpm install

# Check if the lockfile was modified
git status pnpm-lock.yaml

If pnpm-lock.yaml was modified, stage and commit it:

git add pnpm-lock.yaml
git commit -m "chore: regenerate pnpm-lock.yaml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>"

Then push the changes:

git push

Step 4: Analyze changelogs for breaking changes

For each upgraded dependency identified in Step 1:

Fetch the changelog or release notes — try these sources in order: a. GitHub releases page: https://github.com/<owner>/<repo>/releases b. CHANGELOG.md in the repo: https://raw.githubusercontent.com/<owner>/<repo>/main/CHANGELOG.md c. npm page: https://www.npmjs.com/package/<package-name> d. Web search as a last resort: "<package-name> changelog <old-version> <new-version>"
Identify the package's GitHub repo from the PR body (Snyk usually includes repo links) or from npm registry metadata:
```
npm view <package-name> repository.url
```
Review changes between the old and new versions. Focus on:
- Breaking changes or deprecations
- API changes that could affect our code
- Major behavioral changes
- Security advisories and CVE details
Search our codebase for usage of each upgraded package to assess impact:
```
# Check how we import/use the package
```
Use Grep to search for imports and usage patterns of each package across the codebase.
Assess risk for each dependency:
- No risk: Patch version bump, no breaking changes, minimal usage in our code
- Low risk: Minor version bump, no breaking changes in APIs we use
- Medium risk: Breaking changes exist but don't affect our usage patterns
- High risk: Breaking changes directly affect how we use the package

Step 5: Post PR comment with findings

Post a comment on the PR summarizing your analysis using gh pr comment:

gh pr comment <PR_NUMBER> --body "$(cat <<'EOF'
## Vulnerability Fix Analysis

### Lockfile
[✅ Regenerated and pushed / ℹ️ Already up to date]

### Dependency Changes

| Package | Old Version | New Version | Risk | Notes |
|---------|------------|-------------|------|-------|
| package-name | x.y.z | a.b.c | 🟢 No risk / 🟡 Low / 🟠 Medium / 🔴 High | Brief explanation |

### Breaking Changes Analysis

[For each dependency with notable changes, provide a brief summary]

#### `package-name` (x.y.z → a.b.c)
- **Changelog**: [link to changelog/releases]
- **Breaking changes**: [None / List of breaking changes]
- **Our usage**: [How we use this package, with file paths]
- **Impact**: [Assessment of whether breaking changes affect us]

### Recommendation
[Overall assessment: safe to merge, needs code changes, needs manual testing, etc.]

---
🤖 Generated with [Claude Code](https://claude.com/claude-code)
EOF
)"

Adapt the comment content based on your actual findings. Be concise but thorough. If there are breaking changes that affect our code, clearly list what needs to change.

Step 6: Return to original branch

After posting the comment, switch back to the original branch:

git checkout main

Notes

If pnpm install fails, report the error — it likely means the version bump introduced an incompatibility
For monorepo packages (e.g., @types/*), check if the type changes affect our code
Snyk PRs typically include CVE details in the PR body — reference these in your analysis
If a dependency has many transitive dependents, note this as it increases risk surface
Do NOT approve or merge the PR — only analyze and comment

fix-vulnerability

Fix Vulnerability PR

Step 1: Fetch PR details

Step 2: Rename the PR

Step 3: Checkout the PR branch and regenerate lockfile

Step 4: Analyze changelogs for breaking changes

Step 5: Post PR comment with findings

Step 6: Return to original branch

Notes

More from this repository

More from this repository

Fix Vulnerability PR

Step 1: Fetch PR details

Step 2: Rename the PR

Step 3: Checkout the PR branch and regenerate lockfile

Step 4: Analyze changelogs for breaking changes

Step 5: Post PR comment with findings

Step 6: Return to original branch

Notes