# /mx:dependabot-triage

Slash command (triggered by the user).
Triage open Dependabot alerts for the current repository. The goal is distinguishing real vulnerabilities from noise — most Dependabot alerts on transitive dependencies are not exploitable.
## Fetch

```sh
gh api -X GET repos/{owner}/{repo}/dependabot/alerts --jq '.[] | select(.state == "open") | {number, severity: .security_advisory.severity, package: .security_vulnerability.package.name, ecosystem: .security_vulnerability.package.ecosystem, summary: .security_advisory.summary, cve: .security_advisory.cve_id, manifest: .dependency.manifest_path}'
```
If zero open alerts, say so and stop.
## Trace each alert

For each alert, trace the dependency to understand how it enters the project:

- **npm**: `npm ls <package>` in the directory containing the manifest
- **pip**: check pyproject.toml, requirements files, or `uv pip list`

Then classify:
| Classification | Meaning |
|---|---|
| **Exploitable** | Runs in prod, processes untrusted input, vulnerability is reachable |
| **Theoretical** | Runs in prod but attack vector is implausible for our usage |
| **Build-only** | devDependencies, CI tools, linters, bundler plugins |
| **Tree-shaken** | In dep tree but bundler (Vite/webpack) strips it from runtime output |
| **Unused path** | Transitive dep via a code path we don't exercise |
Key questions: Is it direct or transitive? Does it run at runtime or only during build/test? For frontend JS — does it end up in the browser bundle? Does our code use the vulnerable function?
Present a table, one row per alert. Keep reasoning to one specific sentence — "transitive of X via Y, only used in Z" not "low risk".

| # | Sev | Package | Manifest | Classification | Reasoning |
|---|---|---|---|---|---|
Dismiss Build-only, Tree-shaken, and Unused path alerts:

```sh
gh api -X PATCH repos/{owner}/{repo}/dependabot/alerts/{number} \
  -f state=dismissed -f dismissed_reason=not_used \
  -f dismissed_comment="<one-sentence reason>"
```
Valid dismiss reasons: fix_started, inaccurate, no_bandwidth, not_used, tolerable_risk. Use not_used for tree-shaken/build-only, tolerable_risk for theoretical.
Don't dismiss Exploitable or Theoretical alerts. For those, summarize what updating would involve.
Always ask for confirmation before dismissing. Present the table, get a yes, then dismiss.
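The fetch, trace, classify and dismiss steps above, walked through offline as an added worked example. This is not part of the `/mx:dependabot-triage` command or the maxwolf-01/agents plugin: it reimplements the command's jq filter in Python, traces a package through the JSON form of `npm ls` (`npm ls --json`), phrases the reasoning as "transitive of X via Y" the way the command asks, and only emits the `gh api` PATCH call for the three dismissable classifications after an explicit confirmation. The alert list, `package.json` and `npm ls --json` tree are constructed sample data, `OWNER`/`REPO` are placeholders, and only the npm ecosystem is traced (the pip path is left to the manual checks listed above).

```python
"""Offline walk-through of the dependabot-triage flow on constructed data.
Added example; not the command's own code."""

# dismissed_reason values the Dependabot alerts API accepts (from the command text).
VALID_DISMISS_REASONS = {"fix_started", "inaccurate", "no_bandwidth", "not_used", "tolerable_risk"}

# Only these classifications are ever dismissed by this flow; Exploitable and
# Theoretical rows stay open and get an update summary instead.
AUTO_DISMISS = {"Build-only": "not_used", "Tree-shaken": "not_used", "Unused path": "not_used"}

# Constructed: raw output of `gh api repos/{owner}/{repo}/dependabot/alerts` before the jq filter.
# CVE ids and summaries are placeholders, not real advisories.
RAW_ALERTS = [
    {"number": 7, "state": "open",
     "security_advisory": {"severity": "high", "summary": "constructed advisory A", "cve_id": "CVE-0000-0001"},
     "security_vulnerability": {"package": {"name": "query-parser", "ecosystem": "npm"}},
     "dependency": {"manifest_path": "web/package.json"}},
    {"number": 8, "state": "open",
     "security_advisory": {"severity": "moderate", "summary": "constructed advisory B", "cve_id": "CVE-0000-0002"},
     "security_vulnerability": {"package": {"name": "css-transform", "ecosystem": "npm"}},
     "dependency": {"manifest_path": "web/package.json"}},
    {"number": 3, "state": "dismissed",  # already handled; the jq filter drops it
     "security_advisory": {"severity": "low", "summary": "constructed advisory C", "cve_id": None},
     "security_vulnerability": {"package": {"name": "old-lib", "ecosystem": "npm"}},
     "dependency": {"manifest_path": "web/package.json"}},
]

# Constructed: web/package.json (only the two sections that matter for Build-only)
# and the `npm ls --json` tree for that directory.
PACKAGE_JSON = {"dependencies": {"http-framework": "^4.0.0"},
                "devDependencies": {"bundler-tool": "^5.0.0"}}
NPM_LS = {"name": "web", "dependencies": {
    "http-framework": {"version": "4.0.0", "dependencies": {"query-parser": {"version": "6.0.0"}}},
    "bundler-tool": {"version": "5.0.0", "dependencies": {"css-transform": {"version": "8.0.0"}}},
}}


def open_alerts(raw):
    """Python equivalent of the command's jq filter: keep state == 'open' and flatten the table fields."""
    return [{"number": a["number"],
             "severity": a["security_advisory"]["severity"],
             "package": a["security_vulnerability"]["package"]["name"],
             "ecosystem": a["security_vulnerability"]["package"]["ecosystem"],
             "summary": a["security_advisory"]["summary"],
             "cve": a["security_advisory"]["cve_id"],
             "manifest": a["dependency"]["manifest_path"]}
            for a in raw if a["state"] == "open"]


def trace_paths(tree, package, prefix=()):
    """Every root-to-package chain in an `npm ls --json` tree, depth-first."""
    paths = []
    for name, node in tree.get("dependencies", {}).items():
        chain = prefix + (name,)
        if name == package:
            paths.append(chain)
        paths.extend(trace_paths(node, package, chain))
    return paths


def describe(alert, npm_tree, package_json):
    """Answer the mechanical key questions (direct or transitive? devDependency only?)
    and phrase the reasoning as 'transitive of X via Y' rather than 'low risk'."""
    paths = trace_paths(npm_tree, alert["package"])
    if not paths:
        return {**alert, "direct": False, "dev_only": False,
                "reasoning": "not found in npm ls tree; check the lockfile"}
    dev = set(package_json.get("devDependencies", {}))
    direct = any(len(p) == 1 for p in paths)
    dev_only = all(p[0] in dev for p in paths)
    if direct:
        reasoning = "direct dependency"
    else:
        p = paths[0]
        via = " via ".join(p[1:-1])
        reasoning = f"transitive of {p[0]}" + (f" via {via}" if via else "")
    if dev_only:
        reasoning += " (devDependencies only)"
    return {**alert, "direct": direct, "dev_only": dev_only, "reasoning": reasoning}


def suggest_classification(row):
    """Only the mechanical part: chains rooted solely in devDependencies are Build-only.
    Anything that reaches runtime still needs the human questions (browser bundle? function used?)."""
    return "Build-only" if row["dev_only"] else "needs review"


def dismiss_command(owner, repo, number, classification, comment, confirmed):
    """argv for the command's PATCH call, or None when the row must not be dismissed
    (Exploitable/Theoretical/needs review, or no confirmation yet)."""
    reason = AUTO_DISMISS.get(classification)
    if reason is None or not confirmed:
        return None
    assert reason in VALID_DISMISS_REASONS
    return ["gh", "api", "-X", "PATCH", f"repos/{owner}/{repo}/dependabot/alerts/{number}",
            "-f", "state=dismissed", "-f", f"dismissed_reason={reason}",
            "-f", f"dismissed_comment={comment}"]


def triage(raw=RAW_ALERTS, npm_tree=NPM_LS, package_json=PACKAGE_JSON):
    """One table row per open alert, with a suggested classification."""
    rows = [describe(a, npm_tree, package_json) for a in open_alerts(raw)]
    for r in rows:
        r["classification"] = suggest_classification(r)
    return rows


if __name__ == "__main__":
    rows = triage()
    print("| # | Sev | Package | Manifest | Classification | Reasoning |")
    print("|---|---|---|---|---|---|")
    for r in rows:
        print(f"| {r['number']} | {r['severity']} | {r['package']} | {r['manifest']} | "
              f"{r['classification']} | {r['reasoning']} |")
    # Confirmation gate: nothing is dismissed until a human says yes to the table.
    confirmed = input("Dismiss the Build-only/Tree-shaken/Unused path rows? [y/N] ").strip().lower() == "y"
    for r in rows:
        cmd = dismiss_command("OWNER", "REPO", r["number"], r["classification"], r["reasoning"], confirmed)
        if cmd:
            print(" ".join(cmd))
```

Run it to see the two open alerts tabulated: the bundler-tool chain comes out as Build-only with reason `not_used`, while the http-framework chain is left as "needs review" because whether the vulnerable function is reachable at runtime is not something the dependency tree can answer. `dismiss_command` returns `None` for anything outside the three dismissable classifications, so an Exploitable or Theoretical row can never be dismissed by accident even if the confirmation was given.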
Install the plugin that provides this command:

```sh
npx claudepluginhub maxwolf-01/agents --plugin mx
```

Related commands on the hub:

- `/deps-audit`: scans project dependencies for vulnerabilities, outdated packages, license conflicts, and supply chain risks, then provides actionable remediation strategies.
- `/dependencies`: scans project dependencies for CVE vulnerabilities across 11 package managers (npm, pip, cargo, bundler, etc.), generates risk scores, and provides fix recommendations.
- `/supply`: runs software composition analysis — checks dependencies for known vulnerabilities, generates SBOMs, monitors for new CVEs, and analyzes license compliance.