Stats
Actions
Tags
From devline
Patch CVE vulnerabilities across one or many repositories. Invoke with a list of CVEs and optionally specific repo names. Researches each CVE (affected package, ecosystem, versions), then launches dependency-patcher agents to update, verify, commit, and push. Use this skill whenever the user mentions CVEs, security vulnerabilities in dependencies, patching dependencies, or updating packages for security fixes — even if they don't say 'CVE' explicitly but reference a security advisory or vulnerable dependency.
How this skill is triggered — by the user, by Claude, or both
Slash command
/devline:cve-patcherThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Orchestrates CVE vulnerability patching across one or many repositories. This is a launcher skill — it handles research and orchestration, then delegates the actual patching to **dependency-patcher** agents.
Orchestrates CVE vulnerability patching across one or many repositories. This is a launcher skill — it handles research and orchestration, then delegates the actual patching to dependency-patcher agents.
Extract from the user's arguments:
CVE-\d{4}-\d{4,} (case-insensitive)--repos is present, everything after it is a repository name. If not provided, auto-detect in Step 3.Examples:
CVE-2024-38816 CVE-2024-22243
CVE-2024-38816 --repos my-api billing-service
For each CVE, use WebSearch to gather:
Research multiple CVEs in parallel using separate WebSearch calls in the same message.
Good queries: "CVE-XXXX-XXXXX" affected versions fix, NVD (nvd.nist.gov), GitHub Advisory Database.
Present a summary table to the user before proceeding:
| CVE | Package | Ecosystem | Affected | Fix | Severity | Major? |
|------------------|------------------|-----------|------------------|-----------|----------|--------|
| CVE-2024-38816 | spring-webmvc | Maven | < 6.1.13 | 6.1.13 | High | No |
| CVE-2024-22243 | spring-web | Maven | < 6.1.4 | 6.1.4 | Medium | No |
If any CVE requires a major version bump, flag it and ask the user how to proceed before continuing. Do not include major-bump CVEs in the agent dispatch unless the user approves.
Determine the working context:
.git/ → patch it directly--reposFor multi-repo with no --repos filter and more than 10 repos, list them and confirm with the user first.
Check .claude/devline.local.md in each repo for CVE-specific verification settings:
| CVE setting | Maps to | Default |
|---|---|---|
cve_verify_build | dep_verify_build | true |
cve_verify_tests | dep_verify_tests | true |
Git workflow (branch, commit, push) is not configurable — CVE patching always follows the fixed workflow described in Step 5.
Every dependency-patcher agent MUST follow this exact git workflow:
git symbolic-ref refs/remotes/origin/HEAD, fall back to main then master)git pull)fix/cve-[first-CVE-ID] (lowercase, e.g. fix/cve-2024-38816)chore(deps): [comma-separated CVE IDs]Launch one dependency-patcher agent with:
Patch the following CVEs in this repository:
[CVE research table]
Repository: [absolute path]
Git workflow:
1. Checkout the default branch and pull latest
2. Create branch: fix/[first-CVE-ID]
3. Apply updates
4. Verify build/tests
5. Commit with message: chore(deps): [comma-separated CVE IDs]
6. Do NOT push — stop after committing
Settings: dep_auto_push=false, dep_branch_strategy=branch, [any verification overrides from devline.local.md]
Launch one dependency-patcher agent per repository, all in parallel (background). Each agent gets:
Wait for all agents to complete.
After all agents report back, compile a summary:
| Repository | CVEs Patched | CVEs Skipped (not affected) | Branch | Issues |
|------------------|------------------------|-----------------------------|---------------------|------------|
| my-api | CVE-2024-38816 | CVE-2024-22243 | fix/cve-2024-38816 | — |
| billing-service | CVE-2024-38816, -22243 | — | fix/cve-2024-38816 | — |
| auth-service | — | CVE-2024-38816, -22243 | — | — |
| legacy-app | — | — | — | Tests fail |
If any repos had issues (test failures, verification errors), report them clearly before presenting options.
Then, for each repository that has successful patches, ask the user how they want to deliver the changes:
How would you like to deliver these changes?
1. **Create a PR** — push the branch and open a pull request (requires remote access)
2. **Squash merge locally** — squash-merge the fix branch into the default branch locally (no remote interaction)
3. **Exit** — leave the fix branch as-is and print the changes so you can handle it manually
Option 1 — Create a PR:
git push -u origin [branch-name]gh pr create with:
chore(deps): patch [CVE IDs]Option 2 — Squash merge locally:
git merge --squash [fix-branch]chore(deps): [CVE IDs]git branch -d [fix-branch]Option 3 — Exit:
git diff --stat [default-branch]..[fix-branch])In multi-repo mode, apply the same option to all repos unless the user requests per-repo handling.
npx claudepluginhub conava/claude-devline --plugin devlineScans projects for outdated npm/pip/Cargo/Go/Ruby packages. Runs CVE audit, fetches changelogs, summarizes breaking changes with Gemini, and opens one PR per risk group (patch/minor/major).
Generates actionable remediation plans for vulnerable Go codebases, including dependency updates, code refactoring, workarounds, configuration changes, and verification steps. Use after CVE impact analysis.
Mines GitHub Security Advisories and NVD CVE databases for incomplete fixes, identifying variant vulnerabilities in patched code and similar patterns in related packages. Useful for high-acceptance-rate security findings.