From drk-skills
Fix CVEs in project dependencies end-to-end. Use when the user wants to fix a security vulnerability, mentions a CVE ID, runs a security audit and finds vulnerabilities, or asks why their build is failing due to a security check. Surface the CVE, trace the affected dependency to its version source, research the fix online, upgrade if a patched version exists, suppress only as a last resort. Works across Maven, npm, Go, Python, Rust, and Ruby projects.
Slash command: `/drk-skills:cve-fix`
Security audits surface CVEs but don't fix them. This skill picks up from there: find the vulnerable component, research the fix, upgrade or suppress it, and verify the build passes clean.
## Step 1: Surface the CVE

Run the security audit for the project. If the CVE is already known from a failing build output, skip ahead to Step 2.

See Language Playbooks below for the exact command per ecosystem. Look for CVE identifiers in the output (for example `CVE-2026-5588`). If multiple CVEs are found, address them one at a time starting with the highest severity.
## Step 2: Trace the vulnerable component to its version source

Find where the vulnerable version is pinned in the project. The component may be a direct dependency or a transitive one pulled in by something else.

See Language Playbooks for the tracing command. Parse the output to identify:

- whether the component is a direct dependency or a transitive one
- the manifest file that declares the version (`pom.xml`, `package.json`, `go.mod`)
- whether the version is controlled by a property variable (for example `${bouncycastle.version}`) — in that case, update the property, not the individual dependency entry

## Step 3: Research the fix

Search online for the CVE to understand what you're fixing:

- search: `CVE-<ID> <package-name> affected versions fix`
- https://ossindex.sonatype.org/vulnerability/CVE-<ID>
- https://nvd.nist.gov/vuln/detail/CVE-<ID>

Extract the affected version range and the version in which it was fixed.

Check what versions are available for the package.
## Step 4: Decide between upgrade and suppression

Prefer upgrading. If a patched version exists, always upgrade — even if it's a major version bump. A suppression that masks a real vulnerability is not a fix.

Suppress only when no patched version exists.

When suppressing, always add a comment with the CVE ID, the reason, and a date — so it can be revisited when a fix ships.
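The decision in Steps 3 and 4 (upgrade if any version outside the advisory's affected range has been published, otherwise suppress) can be made mechanically once the affected range and the list of available versions are known. The following is an added example in Python; it is not part of the drk-skills skill or of any package manager. It assumes the advisory expresses each affected range as comma-separated comparators in the OSV / PEP 440 style (`">=1.70,<1.78"`) and that versions are dotted integers; pre-release tags are skipped. It generalises the text slightly by accepting several affected ranges, since advisories often list one range per release line.

```python
"""Choose an upgrade target for a vulnerable dependency.

Added example; not part of the drk-skills cve-fix skill or of any package
manager. Assumes affected ranges are comma-separated comparators in the
OSV / PEP 440 style (">=1.70,<1.78"), one string per range, and that
versions are dotted integers (pre-release tags are skipped).
"""
import re
from typing import Optional

_COMPARATOR = re.compile(r"^(>=|<=|==|>|<)\s*([0-9][0-9.]*)$")
_RELEASE = re.compile(r"^[0-9]+(\.[0-9]+)*$")


def parse_version(text: str) -> tuple:
    """'1.78.0' -> (1, 78, 0); rejects pre-releases such as '2.0.0rc1'."""
    if not _RELEASE.match(text):
        raise ValueError(f"not a final release version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _cmp(a: tuple, b: tuple) -> int:
    """Three-way compare with zero padding, so 1.78 == 1.78.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def _in_range(v: tuple, affected_range: str) -> bool:
    """True when v satisfies every comparator of one affected range."""
    for clause in affected_range.split(","):
        m = _COMPARATOR.match(clause.strip())
        if not m:
            raise ValueError(f"unrecognised comparator: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        c = _cmp(v, bound)
        if not {">=": c >= 0, "<=": c <= 0, "==": c == 0, ">": c > 0, "<": c < 0}[op]:
            return False
    return True


def is_affected(version: str, affected_ranges: list) -> bool:
    """A version is affected if it falls inside any of the advisory's ranges."""
    v = parse_version(version)
    return any(_in_range(v, r) for r in affected_ranges)


def choose_upgrade(current: str, available: list, affected_ranges: list) -> Optional[dict]:
    """Lowest final release above `current` that is outside every affected range.

    The lowest fixed version keeps API churn small; `major_bump` tells the
    caller that the skill's "upgrade even across a major version" rule applies.
    Returns None when no patched version exists, the only case in which the
    skill allows a suppression.
    """
    cur = parse_version(current)
    candidates = []
    for text in available:
        try:
            v = parse_version(text)
        except ValueError:
            continue  # skip pre-releases and odd tags
        if _cmp(v, cur) > 0 and not is_affected(text, affected_ranges):
            candidates.append((v, text))
    if not candidates:
        return None
    target = min(candidates)[1]
    return {"target": target, "major_bump": parse_version(target)[0] != cur[0]}


# Constructed sample: a hypothetical package pinned at 1.75 with this release history
SAMPLE_AVAILABLE = ["1.70", "1.75", "1.77", "1.78", "1.79", "2.0.0rc1", "2.0.0"]

if __name__ == "__main__":
    print(choose_upgrade("1.75", SAMPLE_AVAILABLE, [">=1.70,<1.78"]))
```

With the constructed release history the helper picks `1.78` rather than `2.0.0`; if only `2.x` releases were outside the range it would still return one, flagged `major_bump`, and only an empty result justifies the suppression path.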
## Step 5a: Upgrade

Edit the version in the manifest file identified in Step 2. If the version is controlled by a property variable, update the property. If it's a transitive dependency with no direct pin, add an explicit version override (see Language Playbooks for how to do this per ecosystem).
## Step 5b: Suppress

Add the CVE to the project's exclusion/ignore list. See Language Playbooks for the exact mechanism per ecosystem. Include a comment with the CVE ID, a brief reason, and today's date.
## Step 6: Verify

Re-run the security audit to confirm the CVE no longer appears. Then run the full build to make sure nothing broke.

See Language Playbooks for verify commands.
If the build fails after upgrading:
## Step 7: Report

Summarize:

## Language Playbooks

### Maven

Surface CVEs:

```bash
mvn ossindex:audit
```
Trace version source:

```bash
# Replace <artifactId> with the vulnerable artifact
mvn help:effective-pom -Dverbose | grep <artifactId> -B2 -A2
```

The comment after each line shows which pom.xml and line number defines it.

Upgrade:

- If the version comes from a `<properties>` block, update the property value.
- If it's a transitive dependency, add a `<dependencyManagement>` entry in the root pom.xml to force the patched version.

Suppress (ossindex-maven-plugin):
Add to the plugin's `<configuration>` in pom.xml:

```xml
<excludeCoordinates>
  <!-- CVE-XXXX-YYYY: no patched version available as of YYYY-MM-DD -->
  <exclude>
    <id>pkg:maven/org.example/<artifactId>@<version></id>
  </exclude>
</excludeCoordinates>
```
Verify:

```bash
mvn clean compile
```
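The tracing and upgrade steps above come down to one question: where in the pom is the version actually defined? The following added Python example (not part of the drk-skills skill, nor of Maven) answers it for a single `pom.xml`: it reports whether the artifact is versioned through a `<properties>` entry, a literal `<version>` under `<dependencies>`, an existing `<dependencyManagement>` entry, or is not declared at all (a transitive dependency that needs a new `<dependencyManagement>` entry). The sample pom, its coordinates and the version `1.75` are constructed; a version inherited from a parent pom is reported but cannot be resolved from this file alone.

```python
"""Trace where a Maven dependency's version is defined in a pom.xml.

Added example; not part of the drk-skills cve-fix skill or of Maven itself.
Decides the edit site the Maven playbook describes: a <properties> value, a
literal <version> under <dependencies>, an existing <dependencyManagement>
entry, or a new <dependencyManagement> entry for an undeclared (transitive)
dependency. Reads one pom.xml; parent-pom versions are reported, not resolved.
"""
import re
import xml.etree.ElementTree as ET

_PROP_REF = re.compile(r"^\$\{([^}]+)\}$")


def _local(tag: str) -> str:
    """Drop the Maven XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name: str) -> list:
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name: str):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def trace_version_source(pom_xml: str, artifact_id: str) -> dict:
    root = ET.fromstring(pom_xml)
    properties = {_local(p.tag): (p.text or "").strip()
                  for props in _children(root, "properties") for p in props}
    managed = {}  # artifactId -> version as written in <dependencyManagement>
    for dm in _children(root, "dependencyManagement"):
        for deps in _children(dm, "dependencies"):
            for dep in _children(deps, "dependency"):
                managed[_text(dep, "artifactId")] = _text(dep, "version")

    def describe(section: str, declared) -> dict:
        m = _PROP_REF.match(declared or "")
        if m:  # versioned through a property: edit the property, not the entry
            return {"section": section, "declared": declared,
                    "resolved": properties.get(m.group(1)),
                    "edit_site": f"properties/{m.group(1)}"}
        return {"section": section, "declared": declared, "resolved": declared,
                "edit_site": f"{section}/version"}

    for deps in _children(root, "dependencies"):
        for dep in _children(deps, "dependency"):
            if _text(dep, "artifactId") != artifact_id:
                continue
            version = _text(dep, "version")
            if version is not None:
                return describe("dependencies", version)
            if artifact_id in managed:
                return describe("dependencyManagement", managed[artifact_id])
            return {"section": "dependencies", "declared": None, "resolved": None,
                    "edit_site": "parent pom (version is not defined in this file)"}
    if artifact_id in managed:
        return describe("dependencyManagement", managed[artifact_id])
    # Not declared here at all: a transitive dependency, so force its version
    return {"section": None, "declared": None, "resolved": None,
            "edit_site": "add a dependencyManagement entry"}


# Constructed sample pom: one dependency versioned via a property, one managed
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <bouncycastle.version>1.75</bouncycastle.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.example</groupId>
        <artifactId>example-core</artifactId>
        <version>2.3.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk18on</artifactId>
      <version>${bouncycastle.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-core</artifactId>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact in ("bcprov-jdk18on", "example-core", "not-declared"):
        print(artifact, trace_version_source(SAMPLE_POM, artifact))
```

Run it on the root pom of a multi-module build first; a child module that declares the artifact without a `<version>` is the inherited case, and the edit belongs wherever the helper points in the root.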
### npm

Surface CVEs:

```bash
npm audit
```
Trace version source:

```bash
# Find what pulls in the vulnerable package
npm ls <package-name>
```

This shows the full dependency tree path.
Upgrade:

- For a direct dependency, update the version in `package.json` and run `npm install`.
- For a transitive dependency, let npm attempt the fix:

```bash
npm audit fix
```

For cases where `npm audit fix` can't resolve it, add an `overrides` entry to `package.json`:

```json
"overrides": {
  "<package-name>": "<patched-version>"
}
```
For Yarn, use `resolutions` instead of `overrides`.

Suppress: There is no standard npm-native suppression mechanism. Options:

- an `.nsprc` or `audit-resolve.json` file (if using better-npm-audit)
- an `overrides` entry in `package.json` that pins the transitive version
- `npm audit --audit-level=high` to adjust the failing threshold

Verify:
```bash
npm audit
npm run build
npm test
```
### Go

Surface CVEs:

```bash
govulncheck ./...
```

If govulncheck is not installed:

```bash
go install golang.org/x/vuln/cmd/govulncheck@latest
```

Trace version source:

```bash
# Find what requires the vulnerable module
go mod why <module-path>
# Check current version
grep <module-path> go.mod
```

Upgrade:

```bash
go get <module-path>@<patched-version>
go mod tidy
```

If it's a transitive dependency, upgrade the direct parent that pulls it in, or add a direct require for the vulnerable module at the patched version.

Suppress:

Add to the govulncheck ignore list:

```bash
# In your CI/CD or Makefile:
govulncheck -ignore <CVE-ID> ./...
```

Or use a govulncheck.yaml config file if supported by your version.

Verify:

```bash
govulncheck ./...
go build ./...
go test ./...
```
### Python

Surface CVEs:

```bash
pip-audit
# or:
safety check
```

Trace version source:

```bash
pip show <package-name>
grep -r <package-name> requirements*.txt pyproject.toml setup.cfg
```

Upgrade:

Update the version pin in requirements.txt or pyproject.toml, then:

```bash
pip install -r requirements.txt
# or:
pip install --upgrade <package-name>
```

Suppress:

```bash
# pip-audit ignore:
pip-audit --ignore-vuln CVE-XXXX-YYYY
# Or add to pyproject.toml:
# [tool.pip-audit]
# ignore-vulns = ["CVE-XXXX-YYYY"]
```

Verify:

```bash
pip-audit
python -m pytest
```
### Rust

Surface CVEs:

```bash
cargo audit
```

If not installed: `cargo install cargo-audit`

Trace version source:

```bash
# Show full dependency tree for the vulnerable crate
cargo tree -i <crate-name>
```

Upgrade:

```bash
# Upgrade a specific crate to a precise version
cargo update -p <crate-name> --precise <patched-version>
```

If the crate is a direct dependency, also update Cargo.toml.

Suppress:

Create or edit .cargo/audit.toml:

```toml
[advisories]
ignore = [
    # CVE-XXXX-YYYY: no patched version available as of YYYY-MM-DD
    "RUSTSEC-XXXX-XXXX",
]
```

Verify:

```bash
cargo audit
cargo build
cargo test
```
### Ruby

Surface CVEs:

```bash
bundle audit check --update
```

If not installed: `gem install bundler-audit`

Trace version source:

```bash
# Show what requires the vulnerable gem
bundle exec gem dependency <gem-name>
grep <gem-name> Gemfile Gemfile.lock
```

Upgrade:

Update the version constraint in Gemfile, then:

```bash
bundle update <gem-name>
```

Suppress:

```bash
bundle audit check --ignore CVE-XXXX-YYYY
```

Or add to .bundlerauditrc:

```yaml
ignore:
  - CVE-XXXX-YYYY
```

Verify:

```bash
bundle audit check --update
bundle exec rspec
```
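Every suppression mechanism in the playbooks above is subject to the same rule from Step 5b: the entry carries a comment with the CVE ID, a reason and a date, so it can be revisited when a fix ships. That rule is easy to enforce in CI. The following added Python example (not part of the drk-skills skill or of any audit tool) scans suppression files in the formats the playbooks use (`pom.xml` `<excludeCoordinates>`, `.cargo/audit.toml`, a bundler-audit `ignore:` list, `#` comments in a Makefile) and reports each entry that lacks such a comment or whose date is older than a review window. It assumes the comment sits within `window` lines above the entry or trails it on the same line; the sample files and the "today" date are constructed, `CVE-2026-5588` is the ID the skill text itself uses as an example, and `RUSTSEC-0000-0000` is a placeholder.

```python
"""Lint CVE suppressions for the comment the skill requires.

Added example; not part of the drk-skills cve-fix skill or of any audit tool.
Scans suppression files in the playbook formats (pom.xml <excludeCoordinates>,
.cargo/audit.toml, a bundler-audit ignore list, `#` comments in a Makefile)
and reports entries that lack a nearby comment carrying an advisory ID, a
reason and an ISO date, or whose date is older than `max_age_days`. Assumes
the comment sits within `window` lines above the entry or trails it inline.
"""
import re
from datetime import date

_ADVISORY = re.compile(r"\b(CVE-\d{4}-\d{4,}|RUSTSEC-\d{4}-\d{4})\b")
_PURL = re.compile(r"pkg:[^\s<>\"']+")   # Maven excludes are keyed by purl, not CVE
_DATE = re.compile(r"\b(\d{4}-\d{2}-\d{2})\b")
_COMMENT = re.compile(r"#|<!--")         # TOML/YAML/Makefile and XML comment markers


def _split(line: str) -> tuple:
    """Split a line into (code, comment) at the first comment marker."""
    m = _COMMENT.search(line)
    return (line, "") if m is None else (line[:m.start()], line[m.start():])


def lint_suppressions(text: str, today: date, max_age_days: int = 90, window: int = 3) -> list:
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        code, trailing = _split(line)
        ids = _ADVISORY.findall(code) + _PURL.findall(code)
        if not ids:
            continue  # not a suppression entry
        comments = [_split(prev)[1] for prev in lines[max(0, i - window):i]]
        comments = [c for c in comments if c] + ([trailing] if trailing else [])
        joined = " ".join(comments)

        problems = []
        if not _ADVISORY.search(joined):
            problems.append("no CVE/advisory ID in comment")
        found_date = _DATE.search(joined)
        if found_date is None:
            problems.append("no date in comment")
        else:
            age = (today - date.fromisoformat(found_date.group(1))).days
            if age > max_age_days:
                problems.append(f"stale: suppressed {age} days ago, re-check for a fix")
        # The reason is whatever the comment says beyond the ID and the date
        reason = _DATE.sub("", _ADVISORY.sub("", joined))
        if len(re.sub(r"[^A-Za-z]", "", reason)) < 10:
            problems.append("no reason given")
        for entry_id in ids:
            findings.append({"line": i + 1, "id": entry_id, "problems": problems})
    return findings


TODAY = date(2026, 3, 1)  # constructed "today" so the samples run deterministically

# Constructed samples; CVE-2026-5588 is the skill text's example ID,
# RUSTSEC-0000-0000 a placeholder advisory ID.
SAMPLE_AUDIT_TOML = """\
[advisories]
ignore = [
    # CVE-2026-5588: no patched version available as of 2026-02-10
    "RUSTSEC-0000-0000",
]
"""

SAMPLE_POM_EXCLUDES = """\
<excludeCoordinates>
  <!-- CVE-2026-5588: upstream fix pending as of 2025-06-01 -->
  <exclude>
    <id>pkg:maven/org.example/example-core@2.3.1</id>
  </exclude>
</excludeCoordinates>
"""

SAMPLE_BUNDLER_IGNORE = """\
ignore:
  - CVE-2026-5588
"""

if __name__ == "__main__":
    for name, sample in [("audit.toml", SAMPLE_AUDIT_TOML),
                         ("pom.xml", SAMPLE_POM_EXCLUDES),
                         ("bundler", SAMPLE_BUNDLER_IGNORE)]:
        print(name, lint_suppressions(sample, TODAY))
```

Of the three samples only the audit.toml entry passes: the Maven exclusion is properly commented but past the 90-day window, so it should be re-researched for a patched version, and the bundler entry has no comment at all and would be rejected in review.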
### Quick reference

| Ecosystem | Surface | Trace | Verify |
|---|---|---|---|
| Maven | `mvn ossindex:audit` | `mvn help:effective-pom -Dverbose \| grep <artifactId> -B2 -A2` | `mvn clean compile` |
| npm | `npm audit` | `npm ls <pkg>` | `npm audit` |
| Go | `govulncheck ./...` | `go mod why <module>` | `govulncheck ./...` |
| Python | `pip-audit` | `pip show <pkg>` | `pip-audit` |
| Rust | `cargo audit` | `cargo tree -i <crate>` | `cargo audit` |
| Ruby | `bundle audit` | `bundle exec gem dependency <gem>` | `bundle audit` |