fix-security-vulnerability

por sentry

Analyze and propose fixes for Dependabot security alerts

npx skills add https://github.com/getsentry/sentry-changelog --skill fix-security-vulnerability

Fix Security Vulnerability Skill

Analyze Dependabot security alerts and propose fixes for the sentry-changelog Next.js app. Does NOT auto-commit - always presents analysis first and waits for user approval.

Input

  • Dependabot URL: https://github.com/getsentry/sentry-changelog/security/dependabot/12
  • Or just the alert number: 12

Workflow

Step 1: Fetch Vulnerability Details

gh api repos/getsentry/sentry-changelog/dependabot/alerts/<alert-number>

Extract: package name, vulnerable/patched versions, CVE ID, severity, description.

Step 2: Analyze Dependency Tree

pnpm why <package-name>

Determine if it's a direct or transitive dependency, and whether it's production or dev.

Step 3: Determine Fix Strategy

Check for pinned dependencies

Some dependencies are intentionally pinned due to compatibility constraints. Check package.json comments (the "//" field) for pin reasons before bumping.

Known pins:

  • google-auth-library - Pinned to v9.x to match @google-cloud/storage's bundled version (v10.x breaks Vercel OIDC auth)

For other dependencies

TypeAction
Patch bump availablePreferred - lowest risk
Minor bump neededUsually safe
Major bump neededAnalyze breaking changes first
Transitive dependencyBump the parent package (see below)

Step 3a: Transitive Dependencies

If the vulnerable package is pulled in by another package:

1. Identify and check the parent:

pnpm why <vulnerable-package>
npm view <parent-package>@latest dependencies.<vulnerable-package>

2. Fix approach:

ScenarioAction
Parent has newer version with fixBump the parent
Parent hasn't released fixWait, or open an issue upstream

AVOID pnpm.overrides. Forcing a transitive dependency version can break the parent package silently. Only consider overrides if:

  • No upstream fix exists AND it's a production-critical vulnerability
  • The forced version is a patch/minor bump (not major)
  • You've manually verified compatibility

Step 4: Present Analysis

Present findings and wait for user approval before making changes:

## Security Vulnerability Analysis

**Package:** <name> | **Severity:** <severity> | **CVE:** <id>
**Vulnerable:** <range> | **Patched:** <version>

### Dependency Chain
<pnpm why output>

### Recommendation
<One of: Safe to bump / Intentionally pinned - do not bump / Bump parent package>

### Proposed Fix
1. Update package.json: "<package>": "<new-version>"
2. pnpm install
3. Verify with: pnpm why <package>

Proceed?

Step 5: Apply Fix (After Approval)

# 1. Edit package.json
# 2. Update lockfile
pnpm install
# 3. Verify
pnpm why <package>
# 4. Run tests
pnpm test:run
# 5. Show changes
git diff

Do NOT commit - let the user review first.

Step 5 (Alternative): Dismiss Alert

For alerts that should not be fixed, offer to dismiss instead.

Always get user approval first. Present the dismissal option:

This alert should be dismissed rather than fixed because:
- <reason: intentionally pinned / dev-only acceptable risk / etc.>

Dismiss with reason: <suggested reason>
Comment: "<suggested comment>"

Proceed with dismissal?

After user approval, dismiss via GitHub API:

gh api --method PATCH repos/getsentry/sentry-changelog/dependabot/alerts/<number> \
  -f state=dismissed \
  -f dismissed_reason=<reason> \
  -f dismissed_comment="<comment>"

Dismissal reasons:

ReasonWhen to use
tolerable_riskDev-only dependency, risk accepted
no_bandwidthWill fix later, not urgent
inaccurateFalse positive, not actually vulnerable
not_usedVulnerable code path is not used in our code

Commands Reference

CommandPurpose
pnpm why <pkg>Show dependency tree
gh api repos/getsentry/sentry-changelog/dependabot/alerts/<n>Fetch alert
gh api --method PATCH .../dependabot/alerts/<n> -f state=dismissed -f dismissed_reason=<reason>Dismiss alert
npm view <pkg>@latest dependencies.<dep>Check transitive dep version
pnpm test:runRun tests

Examples

Direct dependency - safe to bump

Package: contentful
Severity: moderate
Type: Production dependency (direct)

Recommendation: Safe to bump 10.15.0 → 10.16.0
- Patch version, low risk
- No breaking changes expected

Pinned dependency - dismiss instead

Package: google-auth-library
Severity: high

Recommendation: DISMISS (do not bump to v10.x)
This package is intentionally pinned to v9.x for compatibility
with @google-cloud/storage's bundled ExternalAccountClient.
Bumping to v10.x breaks Vercel OIDC authentication.

Proposed dismissal:
  Reason: tolerable_risk
  Comment: "Pinned to v9.x for @google-cloud/storage compat - see package.json comments"

Proceed with dismissal?

Transitive dependency - bump parent

Package: vulnerable-lib@1.9.0 (needs >=2.0.1)
Chain: @sentry/nextjs → @sentry/node → vulnerable-lib

Check: npm view @sentry/nextjs@latest dependencies
Result: Uses patched version ✓

Recommendation: Bump @sentry/nextjs 10.32.1 → 10.33.0
This pulls in the patched vulnerable-lib automatically.

Transitive dependency - no fix available

Package: deep-lib@2.9.0 (needs >=3.0.0)
Chain: next → some-pkg → deep-lib

No upstream fix available yet. Options:
1. Wait for upstream fix (preferred)
2. Accept risk if dev-only
3. Consider pnpm.overrides as last resort for production-critical issues

AVOID using overrides unless absolutely necessary.

Important Notes

  • Never auto-commit - Always wait for user review
  • Check pin reasons - Some deps are pinned for compatibility (see "//" in package.json)
  • Dev vs Prod matters - Dev-only vulnerabilities are lower priority
  • Bump parents, not transitive deps - If A depends on vulnerable B, bump A
  • Avoid pnpm.overrides - They bypass the parent's dependency constraints and can cause subtle breakage
  • Always verify - Run pnpm why <pkg> after fixing to confirm the patched version is installed
  • Run tests - Run pnpm test:run after fixing to make sure nothing broke

Mais skills de sentry

generate-frontend-forms
sentry
Guia para criar formulários usando o novo sistema de formulários do Sentry. Use ao implementar formulários, campos de formulário, validação ou funcionalidade de salvamento automático.
official
architecture-review
sentry
Revisão de saúde do código em nível de equipe. Encontra módulos monolíticos, falhas silenciosas, lacunas de segurança de tipo, buracos na cobertura de testes e problemas de compatibilidade com LLM.
official
linear-type-labeler
sentry
Classifica issues do Linear e aplica um rótulo de Tipo da taxonomia de rótulos do workspace do Sentry com base no conteúdo do título e da descrição de cada issue.
official
sentry-flutter-sdk
sentry
Configuração completa do SDK Sentry para Flutter e Dart. Use quando for solicitado "adicionar Sentry ao Flutter", "instalar sentry_flutter", "configurar Sentry no Dart" ou configurar erro…
official
sentry-svelte-sdk
sentry
Configuração completa do SDK do Sentry para Svelte e SvelteKit. Use quando for solicitado a "adicionar Sentry ao Svelte", "adicionar Sentry ao SvelteKit", "instalar @sentry/sveltekit" ou configurar…
official
vercel-react-best-practices
sentry
Diretrizes de otimização de desempenho para React e Next.js da Vercel Engineering. Esta habilidade deve ser usada ao escrever, revisar ou refatorar React/Next.js…
official
sentry-tanstack-start-sdk
sentry
Configuração completa do SDK Sentry para TanStack Start React. Use quando for solicitado "adicionar Sentry ao TanStack Start", "instalar @sentry/tanstackstart-react" ou configurar erro…
official
bump-size-limit
sentry
Aumentar os limites de tamanho no .size-limit.js quando a verificação de CI de limite de tamanho estiver falhando. Use quando o usuário mencionar falhas de limite de tamanho, verificações de tamanho de bundle falhando, CI de tamanho…
official