fix-dependabot-alerts


Fix Dependabot security alerts by updating vulnerable npm dependencies. Use when the user mentions "dependabot", "security alerts", "vulnerability", "CVE", or wants to update packages with security issues.

Install

mkdir -p .claude/skills/fix-dependabot-alerts && curl -L -o skill.zip "https://mcp.directory/api/skills/download/1887" && unzip -o skill.zip -d .claude/skills/fix-dependabot-alerts && rm skill.zip

Installs to .claude/skills/fix-dependabot-alerts. The archive is fetched from a third-party directory with no checksum or signature, and the SKILL.md inside it becomes instructions the agent follows using your gh token and npm access, so read the extracted files before enabling the skill (or take them from microsoft's own repository).

About this skill

Fix Dependabot Security Alerts

You are tasked with fixing Dependabot security alerts for this repository. Follow these steps carefully to resolve vulnerabilities while minimizing risk.

Step 1: Identify the Vulnerability

If a specific alert number or package name was provided, focus on that. Otherwise, list the open alerts. Filter server-side and paginate: the API returns 30 alerts per page by default, so a repository with many alerts would otherwise show only the first page. The token needs access to Dependabot alerts (repo or security_events scope):

gh api --paginate "repos/microsoft/powerplatform-vscode/dependabot/alerts?state=open&per_page=100" --jq '.[] | select(.state=="open") | {number, package: .security_vulnerability.package.name, severity: .security_vulnerability.severity, vulnerable_versions: .security_vulnerability.vulnerable_version_range, patched_versions: .security_vulnerability.first_patched_version.identifier, summary: .security_advisory.summary}'

first_patched_version is null when no fixed release exists yet; such an alert cannot be closed by an update and needs a different mitigation (remove the dependency, or dismiss the alert with a documented reason if the vulnerable code path is unreachable).

To get details on a specific alert, including the advisory identifiers (ghsa_id and, where assigned, cve_id) and the manifest that triggered it (dependency.manifest_path):

gh api repos/microsoft/powerplatform-vscode/dependabot/alerts/<alert-number>

Step 2: Analyze the Dependency

Determine if the vulnerable package is:

  • A direct dependency (listed in package.json)
  • A transitive dependency (dependency of a dependency)

It can be both at once: npm keeps one copy at the top of node_modules and nests another under any dependency whose own range does not admit that copy, and the alert stays open while any copy is in the vulnerable range. Check where every copy appears and which chain pulls it in:

npm ls <package-name>

Add --json when the output is going to be parsed rather than read.

Step 3: Choose the Fix Strategy

For Direct Dependencies

  1. Check the current version in package.json and the version actually installed (the lock file wins whenever its pinned version still satisfies the range)
  2. Review the changelog/release notes for breaking changes between versions; for a security fix prefer the smallest jump that is at or above first_patched_version
  3. Update using:
    npm install <package-name>@<patched-version> --save
    
    This rewrites the range in package.json (to ^<patched-version> by default) and the lock entry together; --save has been the default since npm 5 and is harmless here.

For Transitive Dependencies

  1. Identify which direct dependency brings in the vulnerable package (the head of each chain that npm ls prints)
  2. Check whether that direct dependency has a newer release whose own dependency range admits the patched version
  3. If yes, update the direct dependency; the nested copy disappears once npm dedupes it
  4. If no, add an override in package.json (npm 8.3 or later; yarn calls this "resolutions", pnpm "pnpm.overrides"):
    {
      "overrides": {
        "<vulnerable-package>": "<patched-version>"
      }
    }
    An override applies to every copy in the tree. If the package is also a direct dependency, npm requires the override and the direct spec to agree, so update the direct entry as well. It forces a version the parent package was never tested with, so the build and test run in Step 4 is what validates it; keep it only until the parent ships a fix.

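Steps 2 and 3 are mechanical enough to script. The following is an added example written for this page, not code from the skill, from npm or from GitHub: it takes an alert shaped like the fields the jq query in Step 1 extracts and a package-lock.json (lockfileVersion 2 or 3, the "packages" map) and reports, for every copy of the package in the tree, whether it is inside the vulnerable range, the chain that pulls it in, whether it is direct or transitive, and which Step 3 strategy applies. The alert, the package names and the lock file are constructed for illustration and describe no real advisory; the range parser handles Dependabot's comparator syntax ("< 2.3.1", ">= 1.0.0, < 1.2.3") and drops pre-release suffixes, so it is not a full semver implementation.

```javascript
// Added example (not the skill's, npm's or GitHub's code): triage one Dependabot alert
// against package-lock.json offline. The alert, names and versions are constructed.

// Subset of the fields the jq query in Step 1 extracts; a hypothetical advisory.
const ALERT = { package: "example-util", vulnerable_versions: "< 2.3.1", patched_versions: "2.3.1" };

// Constructed lockfileVersion 3 "packages" map: the root depends on example-util directly,
// and an older copy is nested under example-http-client, which requires a 1.x range.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { "example-http-client": "^1.4.0", "example-util": "^2.0.0" },
      devDependencies: { "example-test-runner": "^5.0.0" },
    },
    "node_modules/example-http-client": { version: "1.4.2", dependencies: { "example-util": "^1.9.0" } },
    "node_modules/example-http-client/node_modules/example-util": { version: "1.9.3" },
    "node_modules/example-util": { version: "2.2.0" },
    "node_modules/example-test-runner": { version: "5.1.0", dependencies: { "example-util": "^2.3.0" } },
    "node_modules/example-test-runner/node_modules/example-util": { version: "2.3.1" },
  },
};

// Advisory ranges are comparator lists ("< 2.3.1", ">= 1.0.0, < 1.2.3"). Pre-release and
// build suffixes are dropped: enough for these ranges, not a full semver implementation.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10) || 0);
}
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}
function inRange(version, range) {
  return range.split(",").every((clause) => {
    const m = clause.trim().match(/^(<=|>=|<|>|=)\s*(\S+)$/);
    if (!m) throw new Error(`unsupported comparator: ${clause}`);
    const c = compareVersions(version, m[2]);
    return { "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c === 0 }[m[1]];
  });
}

// npm's lookup rule: a package at `from` sees `name` in the nearest enclosing node_modules.
function resolveDep(packages, from, name) {
  for (let base = from; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}
const packageName = (key) => key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);

// Every require-chain from the root to `target`, as package names (the chains npm ls prints).
function chainsTo(packages, target) {
  const chains = [];
  const walk = (from, chain) => {
    const entry = packages[from] || {};
    const deps = { ...(entry.dependencies || {}), ...(from === "" ? entry.devDependencies || {} : {}) };
    for (const name of Object.keys(deps)) {
      const key = resolveDep(packages, from, name);
      if (!key || chain.includes(key)) continue; // unresolved entry or dependency cycle
      if (key === target) chains.push([...chain, key].map(packageName));
      else walk(key, [...chain, key]);
    }
  };
  walk("", []);
  return chains;
}

// One finding per installed copy of the alerted package, with the Step 3 strategy for it.
function triage(lockfile, alert) {
  const packages = lockfile.packages;
  return Object.keys(packages)
    .filter((key) => key !== "" && packageName(key) === alert.package)
    .map((key) => {
      const version = packages[key].version;
      const vulnerable = inRange(version, alert.vulnerable_versions);
      const chains = chainsTo(packages, key);
      const direct = chains.some((c) => c.length === 1);
      let action = "none: copy is outside the vulnerable range";
      if (vulnerable && direct) action = `npm install ${alert.package}@${alert.patched_versions}`;
      else if (vulnerable) {
        const parents = [...new Set(chains.map((c) => c[0]))].join(", ");
        action = `update ${parents} to a release that requires ${alert.package} >= ${alert.patched_versions}, ` +
          `else add "overrides": {"${alert.package}": "${alert.patched_versions}"}`;
      }
      return { path: key, version, vulnerable, direct, chains, action };
    });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const finding of triage(LOCKFILE, ALERT)) console.log(JSON.stringify(finding));
}
```

Run it with node to print one JSON line per copy. The walk is the same one npm ls performs; the point to take from it is that a single alert can map to several copies, and the direct-dependency update in Step 3 fixes only the one at the root of node_modules, while the nested copy under example-http-client still needs a parent update or an override.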
Step 4: Verify the Fix

  1. Run npm ls <package-name> and confirm every copy it reports is at or above the patched version; a nested copy left in the vulnerable range keeps the alert open
  2. Run npm ci (a clean install from the lock file, which is what CI does) to confirm package.json and package-lock.json are in sync and every integrity hash verifies
  3. Run the build to ensure no breaking changes:
    npm run build
    
  4. Run the test suite:
    npm test
    
  5. Once the change reaches the default branch, Dependabot closes the alert on its own; an alert that stays open means a vulnerable copy is still in the lock file

Step 5: Handle Common Issues

Version Conflicts

If npm reports peer dependency conflicts:

  • Prefer resolving the conflict: update the package that declares the peer range, or choose a patched version that satisfies it
  • --legacy-peer-deps installs anyway by ignoring peer ranges, and --force additionally overrides other conflicts; both mask real incompatibilities, so use them only after reading the conflict message, and never make --force the standard install command in CI

Breaking Changes

If the update introduces breaking changes:

  1. Read the migration guide from the package
  2. Update code to accommodate API changes
  3. Update tests if needed

Multiple Vulnerabilities in Same Package

If multiple CVEs affect the same package, there is one alert per advisory. Collect every open alert for the package and choose a version at or above the highest first_patched_version among them, so a single update closes all of them instead of leaving a later advisory open.

Step 6: Commit the Changes

After verification passes, commit with a descriptive message:

Fix Dependabot security vulnerability in <package-name>

- Updated <package-name> from <old-version> to <new-version>
- Addresses CVE-XXXX-XXXXX (<severity>); use the GHSA id from the alert when no CVE is assigned
- <any additional context about breaking changes handled, or the override added and why>

Important Notes

  • Never skip tests - security fixes should not break functionality
  • Review changelogs - understand what changed between versions
  • Check for multiple alerts - sometimes one update fixes multiple vulnerabilities
  • Document workarounds - package.json cannot carry comments, so if you add an override, record the alert number and the parent package that needs the pin in the commit message or pull request, and remove the override once the parent ships a fix
  • For this codebase, run npm run build which uses gulp to build the extension

Critical: Never Manually Edit package-lock.json Integrity Hashes

Never manually edit integrity hashes in package-lock.json. Each integrity field is a Subresource Integrity string: the algorithm name followed by the base64-encoded SHA-512 digest of the exact tarball npm downloaded from the registry (sha512-...). On every install npm recomputes the digest of the tarball it fetches and refuses to install it if the two differ; that check is what stops a substituted or tampered package from landing in node_modules. A hand-typed, copied or stale hash therefore makes every install, including CI, fail with EINTEGRITY.

Why This Happens

If package-lock.json already pins a version that satisfies the range in package.json, npm install keeps that pinned version; widening the range in package.json alone does not move it. The tempting shortcut is to bump the version, resolved URL and integrity fields in the lock file by hand, which produces an entry whose hash cannot match the tarball npm fetches:

npm error code EINTEGRITY
npm error sha512-<expected>== integrity checksum failed when using sha512: wanted sha512-<expected>== but got sha512-<actual>==

"wanted" is the value in the lock file and "got" is the digest of the tarball that was actually downloaded. Treat the error as something to investigate rather than suppress: either the lock file was edited, or the registry served different bytes from the ones originally locked.

Correct Approach to Force Version Updates

Instead of manual edits, use one of these methods, in order of preference:

# Option 1: Install the patched version explicitly (recommended; rewrites
# the package.json range and the lock entry for this package only)
npm install <package-name>@<version> --save

# Option 2: Update within the existing package.json range (only reaches the
# patched version if the range already admits it; otherwise use Option 1)
npm update <package-name>

# Option 3: Full re-resolution (last resort: re-resolves every dependency,
# produces a large diff and discards the pinning the lock file exists for;
# review the resulting diff before committing it)
rm -rf node_modules
rm package-lock.json
npm install

These commands let npm fetch the tarball and compute the correct integrity hash automatically.
