
Commit 9e873d9

tclem and Copilot committed
Link to specific dependabot alerts in PR bodies
Use per-alert URLs (security/dependabot/{number}) instead of just the dashboard. Include alerts in any state, not just open. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 7322a83 commit 9e873d9

File tree

1 file changed

+5
-3
lines changed


.github/skills/update-deps/SKILL.md

Lines changed: 5 additions & 3 deletions
Original file line number | Diff line number | Diff line change
@@ -85,12 +85,14 @@ For ecosystems without dependabot coverage or when running ad-hoc, use native to
8585
- **cargo:** `cargo update --dry-run`
8686
- **npm:** `cd crates/string-offsets/js && npm outdated --json`
8787

88-
Also fetch the advisory URLs for any security-related updates. The dependabot security dashboard is at `https://github.com/{owner}/{repo}/security/dependabot`. Individual alert details (including GHSA links) are available via:
88+
Also fetch the advisory URLs for any security-related updates. Individual alert details are at `https://github.com/{owner}/{repo}/security/dependabot/{alert_number}`. Fetch alert numbers and GHSA IDs via:
8989

9090
```bash
91-
gh api /repos/{owner}/{repo}/dependabot/alerts --jq '[.[] | select(.state=="open") | {number: .number, package: .security_vulnerability.package.name, severity: .security_advisory.severity, ghsa_id: .security_advisory.ghsa_id, url: .html_url}]'
91+
gh api /repos/{owner}/{repo}/dependabot/alerts --jq '[.[] | {number: .number, state, package: .security_vulnerability.package.name, ecosystem: .security_vulnerability.package.ecosystem, severity: .security_advisory.severity, ghsa_id: .security_advisory.ghsa_id, summary: .security_advisory.summary}]'
9292
```
9393

94+
Include both open and auto_dismissed/dismissed alerts — the update may resolve alerts in any state.
95+
9496
Cross-reference and group all updates by ecosystem. Present a summary to the user:
9597

9698
- How many updates per ecosystem
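Review bot: The new `gh api /repos/{owner}/{repo}/dependabot/alerts` call on line 91 returns only the first page of results (30 alerts by default), and now that the `select(.state=="open")` filter is gone the result set includes dismissed and fixed alerts and can easily exceed a page; add `--paginate` (which works with `--jq`) so older alerts are not silently missed. Two smaller points on the same hunk: the added sentence on line 94 names only `open`, `auto_dismissed` and `dismissed`, but Dependabot alerts also have a `fixed` state, so either say "any state" as the commit message does or list all four; and the rewrite drops `url: .html_url` from the jq output, so whoever writes the PR body must reconstruct the alert URL by hand from `number`. Keeping `.html_url` in the output avoids a mis-built link.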
@@ -200,7 +202,7 @@ git push -u origin HEAD
200202
**Body should include:**
201203

202204
- List of updated dependencies with version changes (old → new)
203-
- Any security alerts resolved — include severity, GHSA ID, advisory summary, and a link to the advisory (e.g., `https://github.com/advisories/GHSA-xxxx-xxxx-xxxx`). Also link to the repo's dependabot security dashboard: `https://github.com/{owner}/{repo}/security/dependabot`
205+
- Any security alerts resolved — for each, link to the specific dependabot alert (`https://github.com/{owner}/{repo}/security/dependabot/{alert_number}`) and the GHSA advisory (`https://github.com/advisories/GHSA-xxxx-xxxx-xxxx`), along with severity and summary
204206
- **High-risk changes flagged for reviewer attention** (major version bumps, wide-blast-radius packages)
205207
- Code changes made to fix breakage (if any)
206208
- References to superseded dependabot PRs
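Review bot: The per-alert link on line 205 (`.../security/dependabot/{alert_number}`) is only reachable by users who have access to the repository's Dependabot alerts (repository admins and people explicitly granted that access), so a reviewer or external contributor reading the PR body may get a 404 from it. Keep the public GHSA advisory link as the primary reference for each resolved alert and present the Dependabot alert link as the repo-internal one, and make sure the `{alert_number}` used here is the `number` field from the `gh api` query in the skill rather than a value copied from the advisory.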
