microsoft / fix-dependabot-alerts
Install for your project team
Run this command in your project directory to install the skill for your entire team:
mkdir -p .claude/skills/fix-dependabot-alerts && curl -L -o skill.zip "https://fastmcp.me/Skills/Download/1887" && unzip -o skill.zip -d .claude/skills/fix-dependabot-alerts && rm skill.zipProject Skills
This skill will be saved in .claude/skills/fix-dependabot-alerts/ and checked into git. All team members will have access to it automatically.
Important: Please verify the skill by reviewing its instructions before using it.
Fix Dependabot security alerts by updating vulnerable npm dependencies. Use when the user mentions "dependabot", "security alerts", "vulnerability", "CVE", or wants to update packages with security issues.
0 views
0 installs
Skill Content
---
name: fix-dependabot-alerts
description: Fix Dependabot security alerts by updating vulnerable npm dependencies. Use when the user mentions "dependabot", "security alerts", "vulnerability", "CVE", or wants to update packages with security issues.
argument-hint: "[alert-number or package-name]"
---
# Fix Dependabot Security Alerts
You are tasked with fixing Dependabot security alerts for this repository. Follow these steps carefully to resolve vulnerabilities while minimizing risk.
## Step 1: Identify the Vulnerability
If a specific alert number or package name was provided, focus on that. Otherwise, check for open alerts:
```bash
gh api repos/microsoft/powerplatform-vscode/dependabot/alerts --jq '.[] | select(.state=="open") | {number, package: .security_vulnerability.package.name, severity: .security_vulnerability.severity, vulnerable_versions: .security_vulnerability.vulnerable_version_range, patched_versions: .security_vulnerability.first_patched_version.identifier, summary: .security_advisory.summary}'
```
To get details on a specific alert:
```bash
gh api repos/microsoft/powerplatform-vscode/dependabot/alerts/<alert-number>
```
## Step 2: Analyze the Dependency
Determine if the vulnerable package is:
- A **direct dependency** (listed in `package.json`)
- A **transitive dependency** (dependency of a dependency)
Check where the package appears:
```bash
npm ls <package-name>
```
## Step 3: Choose the Fix Strategy
### For Direct Dependencies
1. Check the current version in `package.json`
2. Review the changelog/release notes for breaking changes between versions
3. Update using:
```bash
npm install <package-name>@<patched-version> --save
```
### For Transitive Dependencies
1. Identify which direct dependency brings in the vulnerable package
2. Check if the direct dependency has a newer version that uses the patched transitive dependency
3. If yes, update the direct dependency
4. If no, add a resolution/override in `package.json`:
```json
{
"overrides": {
"<vulnerable-package>": "<patched-version>"
}
}
```
## Step 4: Verify the Fix
1. Run `npm ls <package-name>` to confirm the new version
2. Run the build to ensure no breaking changes:
```bash
npm run build
```
3. Run the test suite:
```bash
npm test
```
## Step 5: Handle Common Issues
### Version Conflicts
If npm reports peer dependency conflicts:
- Check if `--legacy-peer-deps` or `--force` resolves it (use cautiously)
- Consider if the conflicting package needs updating first
### Breaking Changes
If the update introduces breaking changes:
1. Read the migration guide from the package
2. Update code to accommodate API changes
3. Update tests if needed
### Multiple Vulnerabilities in Same Package
If multiple CVEs affect the same package, ensure the patched version addresses all of them before updating.
## Step 6: Commit the Changes
After verification passes, commit with a descriptive message:
```
Fix Dependabot security vulnerability in <package-name>
- Updated <package-name> from <old-version> to <new-version>
- Addresses CVE-XXXX-XXXXX (<severity>)
- <any additional context about breaking changes handled>
```
## Important Notes
- **Never skip tests** - security fixes should not break functionality
- **Review changelogs** - understand what changed between versions
- **Check for multiple alerts** - sometimes one update fixes multiple vulnerabilities
- **Document workarounds** - if you use overrides, add a comment explaining why
- For this codebase, run `npm run build` which uses gulp to build the extension
## Critical: Never Manually Edit package-lock.json Integrity Hashes
**Never manually edit integrity hashes in `package-lock.json`.** These are SHA-512 checksums of the actual tarball content from the npm registry. If you manually change them, CI builds will fail with `EINTEGRITY` errors.
### Why This Happens
When npm resolves a cached version that satisfies the constraint, it won't automatically update to a newer version even after changing `package.json`. Manually editing the lock file with an incorrect hash causes:
```
npm error code EINTEGRITY
npm error sha512-<expected>== integrity checksum failed when using sha512: wanted sha512-<expected>== but got sha512-<actual>==
```
### Correct Approach to Force Version Updates
Instead of manual edits, use one of these methods:
```bash
# Option 1: Clean install (recommended)
rm -rf node_modules
rm package-lock.json
npm install
# Option 2: Update specific package
npm update <package-name>
# Option 3: Force reinstall specific package
npm install <package-name>@<version> --save
```
These commands let npm fetch the tarball and compute the correct integrity hash automatically.