Run any Skill in Manus with one click

$pwd:

updating

Name: Updating
Author: SocketDev

// Umbrella update skill for a Socket fleet repo. Runs `pnpm run update` (npm), validates `lockstep.json` via `pnpm run lockstep` (if present), optionally bumps submodules, checks workflow SHA pins, resolves open Dependabot security alerts, refreshes the README coverage badge when applicable, and audits GitHub repo + Actions settings drift via `scripts/lint-github-settings.mts`. Use when asked to update dependencies, sync upstreams, fix security advisories, refresh coverage, or prepare for a release.

Run Skill in Manus

$ git log --oneline --stat

stars:3

forks:2

updated:May 23, 2026 at 15:43

File Explorer

2 files

SKILL.md

readonly

name	updating
description	Umbrella update skill for a Socket fleet repo. Runs `pnpm run update` (npm), validates `lockstep.json` via `pnpm run lockstep` (if present), optionally bumps submodules, checks workflow SHA pins, resolves open Dependabot security alerts, refreshes the README coverage badge when applicable, and audits GitHub repo + Actions settings drift via `scripts/lint-github-settings.mts`. Use when asked to update dependencies, sync upstreams, fix security advisories, refresh coverage, or prepare for a release.
user-invocable	true
allowed-tools	Task, Skill, Read, Edit, Grep, Glob, Bash(pnpm run:), Bash(pnpm test:), Bash(pnpm install:), Bash(git:), Bash(claude --version)

updating

Umbrella update skill. Runs pnpm run update for npm deps, then adapts to whatever the repo has — lockstep manifest, submodules, workflow SHA pins. Validates with check/test before reporting done.

When to use

Weekly maintenance (the weekly-update.yml workflow calls this skill).
Security patch rollout.
Pre-release preparation.

Update targets

npm packages — pnpm run update (every fleet repo has this script).
lockstep-managed upstreams — pnpm run lockstep when lockstep.json exists. Mechanical version-pin bumps auto-apply; file-fork / feature-parity / spec-conformance / lang-parity rows surface as advisory.
Other submodules — repo-specific updating-* sub-skills handle .gitmodules entries not claimed by a lockstep version-pin row.
Workflow SHA pins — _local-not-for-reuse-*.yml SHAs against the remote's default branch (per CLAUDE.md Default branch fallback); run /updating-workflows when stale.
Security advisories — open GitHub Dependabot alerts via /update-security. Direct deps bumped via pnpm update; transitives pinned via pnpm.overrides; unfixable advisories dismissed with documented reasons. Honors the 7-day soak gate.
Coverage badge — when a coverage script exists (cover / coverage / test:cover), /update-coverage runs the script and rewrites the README badge to match. Repos without a coverage script skip silently.
GitHub settings drift — scripts/lint-github-settings.mts --force --json audits repo + Actions settings against the fleet baseline (custom properties, feature flags, merge policy, branch protection, required apps like cursor / claude / socket-security). Read-only by default; fixes are surfaced as URLs the operator clicks through (--fix is gated on repo:admin, not auto-applied in the umbrella). Skipped under CI=true — the underlying script's local-only design.

This umbrella reads repo state first to discover what applies — sub-skills are only invoked when relevant.

Phases

#	Phase	Outcome
1	Validate environment	Clean tree, detect CI mode (`CI=true` / `GITHUB_ACTIONS`), submodules initialized.
2	npm packages	`pnpm run update` → atomic commit if anything moved.
3	Validate lockstep	If `lockstep.json` exists: `pnpm run lockstep`. Exit 0 = clean, 1 = stop, 2 = drift (handled in Phase 4).
4	Apply drift	4a: lockstep auto-bumps (one commit per row). 4b: repo-specific `updating-*` sub-skills for non-lockstep submodules.
5	Security advisories	If `gh api .../dependabot/alerts?state=open` returns any rows, invoke `/update-security` (the `updating-security` sub-skill). Atomic commit per alert.
6	Workflow SHA pins	Compare pinned SHAs against `origin/$BASE`; report stale → `/updating-workflows`.
7	Coverage badge	If the repo declares a coverage script (`cover` / `coverage` / `test:cover`), invoke `/update-coverage` to refresh the README badge. Atomic commit if the percentage moved.
8	GH settings drift	Skipped under `CI=true`. Otherwise: `node scripts/lint-github-settings.mts --force --json` and surface findings — repo-settings drift, missing apps (cursor/claude/socket-security/etc), custom-property/visibility mismatches. Read-only; operator follows the fixUrl in each finding.
9	Final validation	Interactive only: `pnpm run check --all && pnpm test && pnpm run build`. CI skips (validated separately).
10	Report	Per-category summary: npm / lockstep / submodules / security / SHA pins / coverage / settings drift / validation / next steps.

Full bash, exit-code tables, mode contracts, and failure recovery in reference.md.

Hard requirements

Clean tree on entry — no uncommitted changes.
Atomic commits per category — npm in one commit, each lockstep auto-bump in its own commit, each submodule bump in its own commit.
Conventional Commits per CLAUDE.md.
Default-branch fallback — never hard-code main or master in scripts.

Success criteria

All npm packages checked.
Lockstep manifest validated (when present); schema errors block.
Open Dependabot alerts either fixed, awaiting-soak, or dismissed with a documented reason.
Full check + tests pass (interactive mode).
Summary report printed.

Safety: updates are validated before committing. Schema errors (lockstep exit 1) stop the process; drift (exit 2) is advisory and does not block. Security-advisory fixes never --force push — per-alert commits go through the normal push-or-PR flow.

related-skills.json

same repository

cascading-fleet.md

from "SocketDev/socket-packageurl-js"

Propagate a wheelhouse template change to every fleet repo (or a registry-pin chain to every dependent repo). Packages the canonical fleet-repo list, the FLEET_SYNC=1 sentinel pattern, the worktree-per-repo loop, push-direct + PR-fallback, and worktree-cleanup that survives mid-loop crashes. Use when a wheelhouse template SHA needs to land in every fleet repo, when a registry pin chain needs propagation, or when batching multiple template SHAs into one cascade wave.

2026-05-233

cleaning-redundant-ci.md

from "SocketDev/socket-packageurl-js"

Sweeps a fleet repo (or every fleet repo) for redundant CI surface — orphan workflow YAML files (lint.yml / check.yml / type.yml / test.yml that the unified ci.yml replaced), GitHub-Dependabot auto-fix PRs that the fleet handles via /updating-security, and stale workflow run history in the Actions sidebar. Deletes the YAML files, disables Dependabot automated-security-fixes via gh api, and reports anything that needs a manual UI toggle. Once-and-never-again sweep — meant to leave a repo clean.

2026-05-233

scanning-quality.md

from "SocketDev/socket-packageurl-js"

Scans the codebase for bugs, logic errors, cache races, workflow problems, insecure defaults, security regressions in the diff, and variant analysis on prior findings. Spawns specialized Task agents per scan type, deduplicates findings, and produces an A-F prioritized report. Use when preparing a release, investigating quality issues, running pre-merge checks, or whenever a recent diff touches security-sensitive code.

2026-05-233

updating-coverage.md

from "SocketDev/socket-packageurl-js"

Refresh the coverage badge in the root README by running the repo's coverage script and rewriting the `![Coverage](https://img.shields.io/badge/coverage-<PCT>%25-brightgreen)` line. Sibling of `updating-security` / `updating-lockstep` under the `updating` umbrella.

2026-05-233

updating-security.md

from "SocketDev/socket-packageurl-js"

Resolve open GitHub Dependabot security alerts on a fleet repo. Fetches alerts via `gh api`, applies fixes (direct dep bump, pnpm override for transitives, or principled dismissal for unfixable), validates with `pnpm run check`, commits per-alert, and reports remaining advisories. Sibling of `updating-lockstep` under the `updating` umbrella.

2026-05-233

auditing-gha-settings.md

from "SocketDev/socket-packageurl-js"

Audits a repo's GitHub Actions permissions + allowlist against the fleet baseline. Reports drift only — fixes are manual in Settings → Actions because flipping these silently is unsafe. Use when a CI failure looks like "action X is not allowed to be used", when onboarding a new fleet repo, or as a periodic fleet-wide health check.

2026-05-213

package.json

"author": "SocketDev"

"repository": "SocketDev/socket-packageurl-js"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

name	updating
description	Umbrella update skill for a Socket fleet repo. Runs `pnpm run update` (npm), validates `lockstep.json` via `pnpm run lockstep` (if present), optionally bumps submodules, checks workflow SHA pins, resolves open Dependabot security alerts, refreshes the README coverage badge when applicable, and audits GitHub repo + Actions settings drift via `scripts/lint-github-settings.mts`. Use when asked to update dependencies, sync upstreams, fix security advisories, refresh coverage, or prepare for a release.
user-invocable	true
allowed-tools	Task, Skill, Read, Edit, Grep, Glob, Bash(pnpm run:), Bash(pnpm test:), Bash(pnpm install:), Bash(git:), Bash(claude --version)

updating

Umbrella update skill. Runs pnpm run update for npm deps, then adapts to whatever the repo has — lockstep manifest, submodules, workflow SHA pins. Validates with check/test before reporting done.

When to use

Weekly maintenance (the weekly-update.yml workflow calls this skill).
Security patch rollout.
Pre-release preparation.

Update targets

npm packages — pnpm run update (every fleet repo has this script).
lockstep-managed upstreams — pnpm run lockstep when lockstep.json exists. Mechanical version-pin bumps auto-apply; file-fork / feature-parity / spec-conformance / lang-parity rows surface as advisory.
Other submodules — repo-specific updating-* sub-skills handle .gitmodules entries not claimed by a lockstep version-pin row.
Workflow SHA pins — _local-not-for-reuse-*.yml SHAs against the remote's default branch (per CLAUDE.md Default branch fallback); run /updating-workflows when stale.
Security advisories — open GitHub Dependabot alerts via /update-security. Direct deps bumped via pnpm update; transitives pinned via pnpm.overrides; unfixable advisories dismissed with documented reasons. Honors the 7-day soak gate.
Coverage badge — when a coverage script exists (cover / coverage / test:cover), /update-coverage runs the script and rewrites the README badge to match. Repos without a coverage script skip silently.
GitHub settings drift — scripts/lint-github-settings.mts --force --json audits repo + Actions settings against the fleet baseline (custom properties, feature flags, merge policy, branch protection, required apps like cursor / claude / socket-security). Read-only by default; fixes are surfaced as URLs the operator clicks through (--fix is gated on repo:admin, not auto-applied in the umbrella). Skipped under CI=true — the underlying script's local-only design.

This umbrella reads repo state first to discover what applies — sub-skills are only invoked when relevant.

Phases

#	Phase	Outcome
1	Validate environment	Clean tree, detect CI mode (`CI=true` / `GITHUB_ACTIONS`), submodules initialized.
2	npm packages	`pnpm run update` → atomic commit if anything moved.
3	Validate lockstep	If `lockstep.json` exists: `pnpm run lockstep`. Exit 0 = clean, 1 = stop, 2 = drift (handled in Phase 4).
4	Apply drift	4a: lockstep auto-bumps (one commit per row). 4b: repo-specific `updating-*` sub-skills for non-lockstep submodules.
5	Security advisories	If `gh api .../dependabot/alerts?state=open` returns any rows, invoke `/update-security` (the `updating-security` sub-skill). Atomic commit per alert.
6	Workflow SHA pins	Compare pinned SHAs against `origin/$BASE`; report stale → `/updating-workflows`.
7	Coverage badge	If the repo declares a coverage script (`cover` / `coverage` / `test:cover`), invoke `/update-coverage` to refresh the README badge. Atomic commit if the percentage moved.
8	GH settings drift	Skipped under `CI=true`. Otherwise: `node scripts/lint-github-settings.mts --force --json` and surface findings — repo-settings drift, missing apps (cursor/claude/socket-security/etc), custom-property/visibility mismatches. Read-only; operator follows the fixUrl in each finding.
9	Final validation	Interactive only: `pnpm run check --all && pnpm test && pnpm run build`. CI skips (validated separately).
10	Report	Per-category summary: npm / lockstep / submodules / security / SHA pins / coverage / settings drift / validation / next steps.

Full bash, exit-code tables, mode contracts, and failure recovery in reference.md.

Hard requirements

Clean tree on entry — no uncommitted changes.
Atomic commits per category — npm in one commit, each lockstep auto-bump in its own commit, each submodule bump in its own commit.
Conventional Commits per CLAUDE.md.
Default-branch fallback — never hard-code main or master in scripts.

Success criteria

All npm packages checked.
Lockstep manifest validated (when present); schema errors block.
Open Dependabot alerts either fixed, awaiting-soak, or dismissed with a documented reason.
Full check + tests pass (interactive mode).
Summary report printed.

updating

updating

When to use

Update targets

Phases

Hard requirements

Success criteria

More from this repository

More from this repository

updating

When to use

Update targets

Phases

Hard requirements

Success criteria