>Agent Skill

@microsoft/fix-dependabot-alerts

skill✓security

Fix Dependabot security alerts by updating vulnerable npm dependencies. Use when the user mentions "dependabot", "security alerts", "vulnerability", "CVE", or wants to update packages with security issues.

javascriptapi-designsecurity

apm::install

$apm install @microsoft/fix-dependabot-alerts

apm::skill.md

---
name: fix-dependabot-alerts
description: Fix Dependabot security alerts by updating vulnerable npm dependencies. Use when the user mentions "dependabot", "security alerts", "vulnerability", "CVE", or wants to update packages with security issues.
argument-hint: "[alert-number or package-name]"
---

# Fix Dependabot Security Alerts

You are tasked with fixing Dependabot security alerts for this repository. Follow these steps carefully to resolve vulnerabilities while minimizing risk.

## Step 1: Identify the Vulnerability

If a specific alert number or package name was provided, focus on that. Otherwise, check for open alerts:

```bash
gh api repos/microsoft/powerplatform-vscode/dependabot/alerts --jq '.[] | select(.state=="open") | {number, package: .security_vulnerability.package.name, severity: .security_vulnerability.severity, vulnerable_versions: .security_vulnerability.vulnerable_version_range, patched_versions: .security_vulnerability.first_patched_version.identifier, summary: .security_advisory.summary}'
```

To get details on a specific alert:
```bash
gh api repos/microsoft/powerplatform-vscode/dependabot/alerts/<alert-number>
```

## Step 2: Analyze the Dependency

Determine if the vulnerable package is:
- A **direct dependency** (listed in `package.json`)
- A **transitive dependency** (dependency of a dependency)

Check where the package appears:
```bash
npm ls <package-name>
```

## Step 3: Choose the Fix Strategy

### For Direct Dependencies

1. Check the current version in `package.json`
2. Review the changelog/release notes for breaking changes between versions
3. Update using:
   ```bash
   npm install <package-name>@<patched-version> --save
   ```

### For Transitive Dependencies

1. Identify which direct dependency brings in the vulnerable package
2. Check if the direct dependency has a newer version that uses the patched transitive dependency
3. If yes, update the direct dependency
4. If no, add a resolution/override in `package.json`:
   ```json
   {
     "overrides": {
       "<vulnerable-package>": "<patched-version>"
     }
   }
   ```

## Step 4: Verify the Fix

1. Run `npm ls <package-name>` to confirm the new version
2. Run the build to ensure no breaking changes:
   ```bash
   npm run build
   ```
3. Run the test suite:
   ```bash
   npm test
   ```

## Step 5: Handle Common Issues

### Version Conflicts

If npm reports peer dependency conflicts:
- Check if `--legacy-peer-deps` or `--force` resolves it (use cautiously)
- Consider if the conflicting package needs updating first

### Breaking Changes

If the update introduces breaking changes:
1. Read the migration guide from the package
2. Update code to accommodate API changes
3. Update tests if needed

### Multiple Vulnerabilities in Same Package

If multiple CVEs affect the same package, ensure the patched version addresses all of them before updating.

## Step 6: Commit the Changes

After verification passes, commit with a descriptive message:
```
Fix Dependabot security vulnerability in <package-name>

- Updated <package-name> from <old-version> to <new-version>
- Addresses CVE-XXXX-XXXXX (<severity>)
- <any additional context about breaking changes handled>
```

## Important Notes

- **Never skip tests** - security fixes should not break functionality
- **Review changelogs** - understand what changed between versions
- **Check for multiple alerts** - sometimes one update fixes multiple vulnerabilities
- **Document workarounds** - if you use overrides, add a comment explaining why
- For this codebase, run `npm run build` which uses gulp to build the extension

## Critical: Never Manually Edit package-lock.json Integrity Hashes

**Never manually edit integrity hashes in `package-lock.json`.** These are SHA-512 checksums of the actual tarball content from the npm registry. If you manually change them, CI builds will fail with `EINTEGRITY` errors.

### Why This Happens

When npm resolves a cached version that satisfies the constraint, it won't automatically update to a newer version even after changing `package.json`. Manually editing the lock file with an incorrect hash causes:

```
npm error code EINTEGRITY
npm error sha512-<expected>== integrity checksum failed when using sha512: wanted sha512-<expected>== but got sha512-<actual>==
```

### Correct Approach to Force Version Updates

Instead of manual edits, use one of these methods:

```bash
# Option 1: Clean install (recommended)
rm -rf node_modules
rm package-lock.json
npm install

# Option 2: Update specific package
npm update <package-name>

# Option 3: Force reinstall specific package
npm install <package-name>@<version> --save
```

These commands let npm fetch the tarball and compute the correct integrity hash automatically.