name	update-vulnerable-deps
description	Update vulnerable npm dependencies safely. Only applies non-breaking changes. Prefers lock-file-only fixes via `npm audit fix`. Generates a summary of what was updated, what was skipped, and why. Use when asked to fix security vulnerabilities, run dependabot-style updates, or update vulnerable packages.

Update Vulnerable Dependencies

Goal

Fix npm dependency vulnerabilities with minimal risk:

Lock-file-only fixes first (npm audit fix)
Non-breaking package.json bumps second (minor/patch only)
Skip breaking changes (major version bumps) — document them instead

Never introduce breaking changes without explicit user approval.

Steps

1. Baseline audit

npm audit --json > /tmp/audit-before.json
npm audit 2>&1 | tail -5

Record total vulnerabilities (critical/high/moderate/low) before starting.

2. Lock-file fix (safest — no package.json changes)

npm audit fix

This only updates package-lock.json to use compatible versions already allowed by the existing semver ranges in package.json. It never changes package.json.

Re-run audit to see what remains:

npm audit 2>&1

3. Check remaining vulnerabilities

For each remaining vulnerability, determine why npm audit fix did not resolve it:

npm audit --json 2>/dev/null | node -e "
const d = JSON.parse(require('fs').readFileSync('/dev/stdin','utf8'));
const vulns = d.vulnerabilities || {};
Object.entries(vulns).forEach(([name, v]) => {
  if (v.isDirect) {
    console.log(name, v.severity, 'fixAvailable:', JSON.stringify(v.fixAvailable));
  }
});
"

The fixAvailable field tells you:

false — no fix exists yet
{ isSemVerMajor: true, ... } — fix requires a major (breaking) version bump
{ isSemVerMajor: false, name, version } — fix is a non-breaking update

4. Apply non-breaking package.json updates

For each vulnerability where isSemVerMajor: false:

Check the current version range in package.json (direct dependency or devDependency).
If it's a direct dependency, update the version range:
```
npm install <package>@<fix-version>
```
Re-run npm audit after each update to confirm the fix landed.

Do NOT apply npm audit fix --force — it may break the build.

5. Changelog review for major version bumps

For every package where isSemVerMajor: true, do not assume tests are sufficient. You MUST check the changelog before deciding to skip or apply.

Steps for each major-bump package:

Look up the package on npm or GitHub (e.g., https://github.com/<org>/<pkg>/releases or CHANGELOG.md).
Read the breaking changes section between the current version and the fix version.
Decide:
- Safe to apply — breaking changes do not affect this project's usage (e.g., removed API that this codebase never calls, Node version requirement we already meet).
- Skip — breaking changes affect this project (changed API, renamed export, removed feature in use).
If safe, apply with npm install <package>@<fix-version>, then run build + test + lint.
Document your finding in the summary report under the appropriate section.

Never mark a major-bump package as "safe" based solely on passing tests. Tests may not cover the affected code path.

6. Build and test verification

After all updates (non-breaking and any approved major bumps):

npm run build
npm run test
npm run lint

If any step fails, revert the last change and document the package as "skipped — breaks build/tests".

7. Commit

After verification passes, commit package.json and package-lock.json together:

git add package.json package-lock.json
git commit -m "Update vulnerable dependencies (non-breaking)"

Use a more descriptive message if notable packages were updated, e.g.:

Fix security vulnerabilities: bump vite to 6.4.3, postcss to 8.5.15

Do NOT commit node_modules/ or any other files.

8. Generate summary report

Output a report in this format:

Dependency Update Summary

Date: [today's date]

Vulnerabilities Before

Severity	Count
Critical	N
High	N
Moderate	N
Low	N

Fixed (lock-file only via `npm audit fix`)

List packages resolved by lock-file update only.

Fixed (package.json updated)

Package	Old Version	New Version	Severity Fixed
...	...	...	...

Skipped — Breaking Change (major version bump required)

Package	Current	Fix Version	Severity	Reason Skipped
...	...	...	...	Requires major version bump — review manually

Skipped — No Fix Available

Package	Severity	Notes
...	...	No upstream fix released yet

Vulnerabilities After

Severity	Count
Critical	N
High	N
Moderate	N
Low	N

Notes

Only commit package.json and package-lock.json. Never commit node_modules/.
If npm audit fix introduces unexpected changes (e.g., downgrades), review the diff before continuing.
For packages skipped due to major version bumps, open a separate task or branch — do not bundle with this update.
Always run the full build + test + lint pipeline before committing.

name	update-vulnerable-deps
description	Update vulnerable npm dependencies safely. Only applies non-breaking changes. Prefers lock-file-only fixes via `npm audit fix`. Generates a summary of what was updated, what was skipped, and why. Use when asked to fix security vulnerabilities, run dependabot-style updates, or update vulnerable packages.

Update Vulnerable Dependencies

Goal

Fix npm dependency vulnerabilities with minimal risk:

Lock-file-only fixes first (npm audit fix)
Non-breaking package.json bumps second (minor/patch only)
Skip breaking changes (major version bumps) — document them instead

Never introduce breaking changes without explicit user approval.

Steps

1. Baseline audit

npm audit --json > /tmp/audit-before.json
npm audit 2>&1 | tail -5

Record total vulnerabilities (critical/high/moderate/low) before starting.

2. Lock-file fix (safest — no package.json changes)

npm audit fix

This only updates package-lock.json to use compatible versions already allowed by the existing semver ranges in package.json. It never changes package.json.

Re-run audit to see what remains:

npm audit 2>&1

3. Check remaining vulnerabilities

For each remaining vulnerability, determine why npm audit fix did not resolve it:

npm audit --json 2>/dev/null | node -e "
const d = JSON.parse(require('fs').readFileSync('/dev/stdin','utf8'));
const vulns = d.vulnerabilities || {};
Object.entries(vulns).forEach(([name, v]) => {
  if (v.isDirect) {
    console.log(name, v.severity, 'fixAvailable:', JSON.stringify(v.fixAvailable));
  }
});
"

The fixAvailable field tells you:

false — no fix exists yet
{ isSemVerMajor: true, ... } — fix requires a major (breaking) version bump
{ isSemVerMajor: false, name, version } — fix is a non-breaking update

4. Apply non-breaking package.json updates

For each vulnerability where isSemVerMajor: false:

Check the current version range in package.json (direct dependency or devDependency).
If it's a direct dependency, update the version range:
```
npm install <package>@<fix-version>
```
Re-run npm audit after each update to confirm the fix landed.

Do NOT apply npm audit fix --force — it may break the build.

5. Changelog review for major version bumps

For every package where isSemVerMajor: true, do not assume tests are sufficient. You MUST check the changelog before deciding to skip or apply.

Steps for each major-bump package:

Look up the package on npm or GitHub (e.g., https://github.com/<org>/<pkg>/releases or CHANGELOG.md).
Read the breaking changes section between the current version and the fix version.
Decide:
- Safe to apply — breaking changes do not affect this project's usage (e.g., removed API that this codebase never calls, Node version requirement we already meet).
- Skip — breaking changes affect this project (changed API, renamed export, removed feature in use).
If safe, apply with npm install <package>@<fix-version>, then run build + test + lint.
Document your finding in the summary report under the appropriate section.

Never mark a major-bump package as "safe" based solely on passing tests. Tests may not cover the affected code path.

6. Build and test verification

After all updates (non-breaking and any approved major bumps):

npm run build
npm run test
npm run lint

If any step fails, revert the last change and document the package as "skipped — breaks build/tests".

7. Commit

After verification passes, commit package.json and package-lock.json together:

git add package.json package-lock.json
git commit -m "Update vulnerable dependencies (non-breaking)"

Use a more descriptive message if notable packages were updated, e.g.:

Fix security vulnerabilities: bump vite to 6.4.3, postcss to 8.5.15

Do NOT commit node_modules/ or any other files.

8. Generate summary report

Output a report in this format:

Dependency Update Summary

Date: [today's date]

Vulnerabilities Before

Severity	Count
Critical	N
High	N
Moderate	N
Low	N

Fixed (lock-file only via `npm audit fix`)

List packages resolved by lock-file update only.

Fixed (package.json updated)

Package	Old Version	New Version	Severity Fixed
...	...	...	...

Skipped — Breaking Change (major version bump required)

Package	Current	Fix Version	Severity	Reason Skipped
...	...	...	...	Requires major version bump — review manually

Skipped — No Fix Available

Package	Severity	Notes
...	...	No upstream fix released yet

Vulnerabilities After

Severity	Count
Critical	N
High	N
Moderate	N
Low	N

Notes

Only commit package.json and package-lock.json. Never commit node_modules/.
If npm audit fix introduces unexpected changes (e.g., downgrades), review the diff before continuing.
For packages skipped due to major version bumps, open a separate task or branch — do not bundle with this update.
Always run the full build + test + lint pipeline before committing.

update-vulnerable-deps

Update Vulnerable Dependencies

Goal

Steps

1. Baseline audit

2. Lock-file fix (safest — no package.json changes)

3. Check remaining vulnerabilities

4. Apply non-breaking package.json updates

5. Changelog review for major version bumps

6. Build and test verification

7. Commit

8. Generate summary report

Dependency Update Summary

Vulnerabilities Before

Fixed (lock-file only via npm audit fix)

Fixed (package.json updated)

Skipped — Breaking Change (major version bump required)

Skipped — No Fix Available

Vulnerabilities After

Notes

同仓库更多 Skills

Update Vulnerable Dependencies

Goal

Steps

1. Baseline audit

2. Lock-file fix (safest — no package.json changes)

3. Check remaining vulnerabilities

4. Apply non-breaking package.json updates

5. Changelog review for major version bumps

6. Build and test verification

7. Commit

8. Generate summary report

Dependency Update Summary

Vulnerabilities Before

Fixed (lock-file only via npm audit fix)

Fixed (package.json updated)

Skipped — Breaking Change (major version bump required)

Skipped — No Fix Available

Vulnerabilities After

Notes

同仓库更多 Skills

Fixed (lock-file only via `npm audit fix`)

Fixed (lock-file only via `npm audit fix`)