name: fix-dependencies description: Fix all vulnerabilities on the current branch using npm audit. Local branch only — no ADO/GitHub queries. user-invocable: true
Fix Dependencies
Fix all vulnerabilities on the current branch using npm audit. No user input required.
Scope: local branch only — no origin sync, no ADO queries, no Dependabot. For S360 / ADO / GitHub alerts use /security-alerts.
Step 1 — Audit
npm audit --json 2>&1
Build a fix list. For each vulnerability, apply the first matching rule:
| Condition | Action |
|---|---|
patched_version exists | Fix it — patch/minor/major all acceptable for security |
inBundle: true, parent has newer version | Upgrade parent (Strategy B) |
inBundle: true, no parent upgrade | Patch lock file directly (Strategy C) |
patched_version: null | Accept risk, document, move on |
scope: development + low severity + no patch | Accept risk, move on |
Known permanent accepted risk — do not flag: elliptic (GHSA-848j-6mx2-7j84) via rewiremock — dev-only, no patched version.
Step 2 — Fix (no pausing between fixes)
Strategy A — npm override (non-bundled transitive dep)
Add/update the entry in "overrides" in package.json, then:
npm view <pkg>@<version> version # confirm version exists
# edit package.json overrides
npm install 2>&1
npm ls <pkg> 2>&1 # confirm version took effect
Hard rules:
- Never add
"minimatch": "^3.x"as a flat override — infinite npm loop ajvoverride must stay at^6.x— v8 breaks ESLint- Do not change intentionally-pinned overrides (
nanoid,electron-to-chromium,@types/node) unless explicitly asked
Strategy B — Direct dependency bump
Update the version in dependencies or devDependencies in package.json, then npm install.
Strategy C — Lock file patch (for inBundle: true packages)
# Find all paths for the package
node -e "
const l = require('./package-lock.json');
console.log(
Object.keys(l.packages)
.filter(k => k.endsWith('/<pkg>'))
.map(k => k + ' -> ' + l.packages[k].version + ' inBundle:' + l.packages[k].inBundle)
.join('\n')
);"
# Get safe version metadata
npm view <pkg>@<patched-version> dist.tarball dist.integrity --json
# Patch all matching entries
node -e "
const fs = require('fs');
const l = require('./package-lock.json');
Object.keys(l.packages)
.filter(k => k.endsWith('/<pkg>'))
.forEach(k => {
l.packages[k].version = '<patched-version>';
l.packages[k].resolved = '<tarball-url>';
l.packages[k].integrity = '<integrity>';
});
fs.writeFileSync('./package-lock.json', JSON.stringify(l, null, 2) + '\n');
console.log('Patched');
"
npm install 2>&1
Strategy D — Accept risk
Document in final summary. Do not block or ask.
Step 3 — Verify
npm audit 2>&1
npm run ci 2>&1
npm run ci functional tests will fail locally (require PA_BT_ORG_PASSWORD) — expected, not a blocker.
If npm run ci fails on a non-functional-test step (TypeScript error, lint, unit test), fix it and re-run before continuing. Do not commit a broken build.
Step 4 — Commit and PR (only if Step 3 passes)
git add package.json package-lock.json
git status # confirm nothing accidental staged
git commit -m "chore: fix dependency vulnerabilities"
Then run /create-pr to create the pull request.
Final Summary
Print before handing off to /create-pr:
- Fixed: package, old → new version, strategy used
- Accepted risk: package, GHSA ID, reason