From plan-review
Resolve GitHub Dependabot security alerts by updating vulnerable dependencies, recompiling requirements, and submitting PRs. Use when working on dependabot alerts, security vulnerabilities, or dependency patching.
Trigger: invoked by the user via the slash command `/plan-review:resolve-dependabot`, or auto-loaded by Claude based on the summary below.

This skill is limited to the following tools:

Summary shown in Claude's skill listing (used to decide when to auto-load this skill): Resolve open Dependabot security alerts for this repository.
Resolve open Dependabot security alerts for this repository.
Determine the repository and its default branch:

```bash
REPO=$(gh repo view --json nameWithOwner -q .nameWithOwner)
DEFAULT_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name)
```
If `$SHIPAWARE_DOCS_PATH` is set, read the runbook for additional edge-case context:

```
$SHIPAWARE_DOCS_PATH/shipAware/ops/runbooks/dependabot-critical-patches.md
```

Verify the active Python version matches the Dockerfile target:

```bash
DOCKERFILE_PYTHON=$(grep -oP 'FROM python:\K[0-9]+\.[0-9]+' compose/local/django/Dockerfile 2>/dev/null | head -1)
ACTIVE_PYTHON=$(python3 -c "import sys; print(f'{sys.version_info.major}.{sys.version_info.minor}')")
```

If `$DOCKERFILE_PYTHON` is empty (no Dockerfile or no match), log a warning and continue. If the two versions differ, stop and report:

> Python version mismatch. Dockerfile requires Python $DOCKERFILE_PYTHON but the active environment is Python $ACTIVE_PYTHON. Requirements compiled with the wrong version produce incorrect platform markers. Fix: activate a Python $DOCKERFILE_PYTHON virtual environment, then re-run.
Fetch all open Dependabot alerts:
```bash
gh api "repos/${REPO}/dependabot/alerts" --jq '[.[] | select(.state=="open") | {
  number: .number,
  severity: .security_advisory.severity,
  package: .security_vulnerability.package.name,
  fixed_version: .security_vulnerability.first_patched_version.identifier,
  vulnerable_range: .security_vulnerability.vulnerable_version_range,
  manifest: .dependency.manifest_path,
  cve: (.security_advisory.cve_id // .security_advisory.ghsa_id),
  summary: .security_advisory.summary
}]'
```

Note that `first_patched_version` is the version that fixes the alert, so it is emitted as `fixed_version` (the table below has no "current version" column; the installed version is read from the requirements files later).
If $ARGUMENTS contains a severity filter (e.g. critical, high, medium, low), filter to only that severity. Otherwise show all open alerts.
Present a summary table sorted by severity (critical > high > medium > low):

| # | Severity | Package | Vulnerable Range | Fixed Version | Manifest | CVE/GHSA | Summary |
|---|---|---|---|---|---|---|---|
Ask the user which severity tier(s) to resolve. Suggest starting with the highest severity.
For each selected severity tier (starting with the highest), repeat steps 2a–2e.
Check out the default branch and bring it up to date:

```bash
git checkout ${DEFAULT_BRANCH} && git pull origin ${DEFAULT_BRANCH}
```

Confirm the working tree is clean (`git status --porcelain` prints nothing). If it is not, ask the user how to proceed.

Create a branch named `security/<package-names>`, where `<package-names>` is a dash-separated list of the affected packages in this tier (e.g. `security/jinja2-werkzeug`).

For each alert in this tier, determine whether the package is a direct or transitive dependency:

```bash
grep -r "^<package-name>" requirements/*.in
```

- Direct dependency (listed in a `.in` file): edit that `.in` file to update the version pin to the fixed version.
- Transitive dependency (not listed in any `.in` file): run:

```bash
python compose/local/compile_requirements.py -P <package-name>
```
For direct dependency changes, recompile without the `--upgrade` flag:

```bash
python compose/local/compile_requirements.py
```
After recompilation, verify the fix:

```bash
git diff requirements/
grep <package-name> requirements/*.txt
```
Confirm the resolved versions match or exceed Dependabot's recommended fix versions.
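As an added example (not part of the plan-review skill or its repository), the bookkeeping steps above carried out in Python: sorting and filtering the alert list that the `gh api` jq filter emits, deriving the `security/<package-names>` branch name, the direct/transitive check that mirrors the `grep` over `requirements/*.in`, and the final check that compiled pins match or exceed Dependabot's fixed versions. Key names are assumed to follow the jq output with `fixed_version` holding `first_patched_version`; the alerts and requirements files are constructed samples.

```python
import re

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?==([^\s;\\]+)", re.MULTILINE)

# Constructed sample alerts in the shape the jq filter emits; CVE ids are placeholders.
SAMPLE_ALERTS = [
    {"number": 7, "severity": "medium", "package": "jinja2", "fixed_version": "3.1.5", "cve": "CVE-EXAMPLE-2"},
    {"number": 12, "severity": "high", "package": "werkzeug", "fixed_version": "3.0.6", "cve": "CVE-EXAMPLE-1"},
    {"number": 15, "severity": "high", "package": "cryptography", "fixed_version": "43.0.1", "cve": "GHSA-EXAMPLE"},
]
# Constructed requirements: .in files hold direct pins, .txt is the compiled lockfile.
SAMPLE_IN = {"requirements/base.in": "django==5.0.8\nwerkzeug>=3.0\n"}
SAMPLE_TXT = {"requirements/base.txt":
              "cryptography==43.0.1\n    # via pyopenssl\njinja2==3.1.4\nwerkzeug==3.0.6\n"}

def sort_alerts(alerts, severity=None):
    """Order alerts critical > high > medium > low (then by package); optionally keep one tier."""
    picked = [a for a in alerts if severity is None or a["severity"] == severity]
    return sorted(picked, key=lambda a: (SEVERITY_RANK[a["severity"]], a["package"]))

def branch_name(alerts):
    """security/<package-names>: dash-joined, de-duplicated, in the given order."""
    names = list(dict.fromkeys(a["package"].lower() for a in alerts))
    return "security/" + "-".join(names)

def is_direct(package, in_files):
    """Mirror grep -r '^<package-name>' requirements/*.in, anchored so jinja2 != jinja2-foo."""
    pat = re.compile(rf"^{re.escape(package)}(?![A-Za-z0-9_.-])", re.IGNORECASE | re.MULTILINE)
    return any(pat.search(text) for text in in_files.values())

def version_key(version):
    """Simplified numeric comparison key; use packaging.version for full PEP 440 semantics."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def resolved_versions(txt_files):
    """package -> pinned version from the compiled requirements/*.txt files."""
    return {m.group(1).lower(): m.group(2)
            for text in txt_files.values() for m in PIN_RE.finditer(text)}

def unresolved(alerts, txt_files):
    """Alerts whose compiled pin is missing or still below Dependabot's fixed version."""
    pins = resolved_versions(txt_files)
    bad = []
    for a in alerts:
        pinned = pins.get(a["package"].lower())
        if pinned is None or version_key(pinned) < version_key(a["fixed_version"]):
            bad.append((a["package"], pinned, a["fixed_version"]))
    return bad
```

In the sample, `jinja2` is transitive (absent from the `.in` file) and its compiled pin is still below the fixed version, so it is the one alert `unresolved` reports.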
Commit with a message in this form:

```
fix: patch <severity> vulnerabilities in <packages>

- <CVE-1>: <package> <old-version> -> <new-version>
- <CVE-2>: <package> <old-version> -> <new-version>
```
Push the branch and open the PR:

```bash
gh pr create --base ${DEFAULT_BRANCH} --title "fix: patch <severity> dependabot vulnerabilities in <packages>" --body "$(cat <<'EOF'
## Security Patch — <Severity> Vulnerabilities
### Changes
- <package>: <old-version> → <new-version>
### Advisories
- [<CVE/GHSA>](<advisory-url>): <summary>
### Notes
- Requirements recompiled via `compile_requirements.py`
- CI will validate tests automatically
EOF
)"
```
Add the `security` label:

```bash
gh pr edit --add-label security
```

Return to the default branch:

```bash
git checkout ${DEFAULT_BRANCH}
```
Prepare for the next severity tier if applicable.
Present a final summary of all PRs created:
| Severity | Packages | PR | Link |
|---|---|---|---|
Note that CI will automatically validate tests for each PR.
Install the plugin with:

```bash
npx claudepluginhub market-math/mm-claude-plugin --plugin plan-review
```