From superpowers-plus
Scans project dependencies for CVEs, upgrades vulnerable packages, validates compilation and tests, then commits and pushes fixes. Supports npm, Go, Python, Rust, and Flutter.
Slash command: `/superpowers-plus:security-upgrade`
> **Last Updated:** 2026-01-31
Wrong skill? Full repo security scan (secrets, code patterns) → repo-security-scan. Public repo IP leakage → public-repo-ip-audit. Wiki content secrets → wiki-secret-audit.
This skill provides a systematic workflow for security dependency auditing and upgrading. Use it to scan for CVEs, upgrade vulnerable packages, validate changes, and commit fixes.
Supported package managers: npm, Go modules, pip, Cargo, Flutter/pub
Identify what package managers are in use:
```bash
# Find all dependency manifests
find . -name "package.json" -not -path "*/node_modules/*" -exec dirname {} \;
find . -name "go.mod" -exec dirname {} \;
find . -name "pubspec.yaml" -exec dirname {} \;
find . -name "requirements.txt" -exec dirname {} \;
find . -name "Cargo.toml" -exec dirname {} \;
```
```bash
# npm
npm audit --json

# For monorepos: audit every package directory (path passed as $1 so
# names with spaces or shell metacharacters are handled)
find . -name "package.json" -not -path "*/node_modules/*" \
  -exec sh -c 'd=$(dirname "$1"); echo "=== $d ===" && cd "$d" && npm audit' sh {} \;
```
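Before choosing between `npm audit fix` and `--force`, it helps to triage the JSON output; the following Python is an added example, not part of the superpowers-plus skill. It reads the npm 7+ audit format (a top-level `vulnerabilities` map whose `fixAvailable` is `true`, `false`, or an object naming the root package to bump and whether that bump `isSemVerMajor`); the sample document and package names are constructed.

```python
import json

# Constructed sample in the shape npm 7+ emits; package names and versions are made up.
SAMPLE_AUDIT = json.dumps({
    "vulnerabilities": {
        "left-pad-ish": {"name": "left-pad-ish", "severity": "high", "isDirect": True,
                         "effects": [], "fixAvailable": True},
        "deep-dep": {"name": "deep-dep", "severity": "critical", "isDirect": False,
                     "effects": ["web-framework"],
                     "fixAvailable": {"name": "web-framework", "version": "5.0.0", "isSemVerMajor": True}},
        "old-tool": {"name": "old-tool", "severity": "moderate", "isDirect": True,
                     "effects": [], "fixAvailable": False},
    },
})

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def classify_fix(vuln):
    """Map one vulnerability record to how the upgrade step should treat it."""
    fix = vuln.get("fixAvailable", False)
    if fix is False:
        return "no-fix"           # no published fix: manual work or a replacement package
    if fix is True:
        return "safe"             # plain `npm audit fix` resolves it within the current semver range
    if fix.get("isSemVerMajor"):
        return "semver-major"     # only `--force` applies this: read the changelog first
    return "safe"


def plan_fixes(audit_json):
    """Return triage rows sorted worst-severity first, each naming the root package to bump."""
    data = json.loads(audit_json)
    rows = []
    for vuln in data.get("vulnerabilities", {}).values():
        fix = vuln.get("fixAvailable")
        # For transitive findings, fixAvailable names the direct dependency that must move.
        root = fix["name"] if isinstance(fix, dict) else vuln["name"]
        rows.append({"package": vuln["name"], "severity": vuln["severity"],
                     "direct": vuln.get("isDirect", False), "root": root,
                     "action": classify_fix(vuln)})
    return sorted(rows, key=lambda r: -SEVERITY_RANK.get(r["severity"], 0))


def needs_force(audit_json):
    """True when at least one fix would require `npm audit fix --force`."""
    return any(r["action"] == "semver-major" for r in plan_fixes(audit_json))


if __name__ == "__main__":
    for row in plan_fixes(SAMPLE_AUDIT):
        print(f'{row["severity"]:>8}  {row["package"]:<14} -> bump {row["root"]:<14} [{row["action"]}]')
```

Pipe real output in with `npm audit --json | python3 triage.py` after replacing `SAMPLE_AUDIT` with `sys.stdin.read()`; a `semver-major` row is the signal to review release notes before reaching for `--force`.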
```bash
# Go: install govulncheck if needed
go install golang.org/x/vuln/cmd/govulncheck@latest
# Scan
~/go/bin/govulncheck .
# Verbose with fix recommendations
~/go/bin/govulncheck -show verbose .
```

```bash
# Python
pip install pip-audit
pip-audit
pip-audit -r requirements.txt
```

```bash
# Rust
cargo install cargo-audit
cargo audit
```

```bash
# Flutter
flutter pub outdated
```
| Language | Upgrade | Build | Test |
|---|---|---|---|
| Go | `go get <pkg>@<ver> && go mod tidy` | `go build -o /dev/null .` | `go test ./...` |
| npm | `npm audit fix [--force]` | `npm run build` | `npm test` |
| Python | `pip install --upgrade <pkg>` | — | `pytest` |
| Rust | `cargo update <pkg>` | `cargo build` | `cargo test` |
| Flutter | update `pubspec.yaml` | `flutter build web --release` | `flutter test` |
Build → test → security re-scan. Expected: "No vulnerabilities found."
```bash
git commit -m "security: upgrade dependencies to fix CVEs

<Package> <old-version> → <new-version> (CVE-XXXX-XXXXX)
- Brief description of vulnerability fixed

Validation: All tests passing"
git push origin main
```
Do not use:
- `--force` flags without explicit user approval
- `|| true` to suppress test failures

If tests fail after an upgrade, the correct response is:
If govulncheck panics:
If validation fails:
If breaking changes are introduced:
| Failure | Fix |
|---|---|
| `npm audit fix --force` silently introducing major version bumps | Review what `--force` will change BEFORE running; prefer `npm audit fix` first |
| Upgrading to a version with breaking API changes without reading the changelog | Check release notes/changelog for breaking changes before upgrading |
| Skipping transitive/indirect vulnerability fixes | Scan output includes indirect deps; trace and fix the root dependency |
| Tests pass locally but CI fails due to environment differences | Run full CI after push; don't declare "fixed" until CI confirms |
Install the plugin:

```bash
npx claudepluginhub bordenet/superpowers-plus --plugin superpowers-plus
```