Add security advisory links to update-deps skill

PR bodies should now include GHSA IDs, advisory URLs, and a link
to the repo's dependabot security dashboard.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: tclem

.github/skills/update-deps/SKILL.md

@@ -85,10 +85,16 @@ For ecosystems without dependabot coverage or when running ad-hoc, use native to
 - **cargo:** `cargo update --dry-run`
 - **npm:** `cd crates/string-offsets/js && npm outdated --json`
 
+Also fetch the advisory URLs for any security-related updates. The dependabot security dashboard is at `https://github.com/{owner}/{repo}/security/dependabot`. Individual alert details (including GHSA links) are available via:
+
+```bash
+gh api /repos/{owner}/{repo}/dependabot/alerts --jq '[.[] | select(.state=="open") | {number: .number, package: .security_vulnerability.package.name, severity: .security_advisory.severity, ghsa_id: .security_advisory.ghsa_id, url: .html_url}]'
+```
+
 Cross-reference and group all updates by ecosystem. Present a summary to the user:
 
 - How many updates per ecosystem
-- Which have security alerts (and severity)
+- Which have security alerts (with severity, GHSA IDs, and advisory links)
 - Which dependabot PRs already exist
 
 **Flag high-risk upgrades.** Before proceeding, explicitly call out upgrades that carry elevated risk:
@@ -194,7 +200,7 @@ git push -u origin HEAD
 **Body should include:**
 
 - List of updated dependencies with version changes (old → new)
-- Any security alerts resolved (with severity)
+- Any security alerts resolved — include severity, GHSA ID, advisory summary, and a link to the advisory (e.g., `https://github.com/advisories/GHSA-xxxx-xxxx-xxxx`). Also link to the repo's dependabot security dashboard: `https://github.com/{owner}/{repo}/security/dependabot`
 - **High-risk changes flagged for reviewer attention** (major version bumps, wide-blast-radius packages)
 - Code changes made to fix breakage (if any)
 - References to superseded dependabot PRs