Skill

security-upgrade

Scans project dependencies for CVEs in npm, Go, Python, Rust, Flutter projects; upgrades vulnerable packages, validates builds/tests, commits/pushes fixes.

npm

Python

Rust

Flutter

security

npx claudepluginhub bordenet/superpowers-plus --plugin superpowers-plus

Tool Access

This skill uses the workspace's default tool permissions.

Preview

> **Last Updated:** 2026-01-31

SKILL.md

Similar Skills

using-superpowers

185.1k

Mandates invoking relevant skills via tools before any response in coding sessions. Covers access, priorities, and adaptations for Claude Code, Copilot CLI, Gemini CLI.

3 files

superpowers

Stats

Stars6

Forks1

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Security Dependency Upgrade Workflow

Last Updated: 2026-01-31

Wrong skill? Full repo security scan (secrets, code patterns) → repo-security-scan. Public repo IP leakage → public-repo-ip-audit. Wiki content secrets → wiki-secret-audit.

Workflow Summary

This skill provides a systematic workflow for security dependency auditing and upgrading. Use it to scan for CVEs, upgrade vulnerable packages, validate changes, and commit fixes.

Supported package managers: npm, Go modules, pip, Cargo, Flutter/pub

Companion Skills

repo-security-scan: Full security audit (this skill handles upgrades)
pre-commit-gate: Pre-commit checks after security upgrades

When to Use

Monthly security audits of dependencies
Before major releases to ensure clean security posture
When dependabot or security alerts notify you of vulnerabilities
After onboarding a new project to assess security debt
CI/CD integration for automated security gates

Phase 1: Discovery

Identify what package managers are in use:

# Find all dependency manifests
find . -name "package.json" -not -path "*/node_modules/*" -exec dirname {} \;
find . -name "go.mod" -exec dirname {} \;
find . -name "pubspec.yaml" -exec dirname {} \;
find . -name "requirements.txt" -exec dirname {} \;
find . -name "Cargo.toml" -exec dirname {} \;

Phase 2: Security Scanning

npm Dependencies

npm audit --json

# For monorepos
find . -name "package.json" -not -path "*/node_modules/*" \
  -exec sh -c 'echo "=== $(dirname {}) ===" && cd $(dirname {}) && npm audit' \;

Go Dependencies

# Install if needed
go install golang.org/x/vuln/cmd/govulncheck@latest

# Scan
~/go/bin/govulncheck .

# Verbose with fix recommendations
~/go/bin/govulncheck -show verbose .

Python Dependencies

pip install pip-audit
pip-audit
pip-audit -r requirements.txt

Rust Dependencies

cargo install cargo-audit
cargo audit

Flutter/Dart Dependencies

flutter pub outdated

Phase 3: Upgrade Dependencies

Language	Upgrade	Build	Test
Go	`go get <pkg>@<ver> && go mod tidy`	`go build -o /dev/null .`	`go test ./...`
npm	`npm audit fix [--force]`	`npm run build`	`npm test`
Python	`pip install --upgrade <pkg>`	—	`pytest`
Rust	`cargo update <pkg>`	`cargo build`	`cargo test`
Flutter	update `pubspec.yaml`	`flutter build web --release`	`flutter test`

Phase 4: Validation

Build → test → security re-scan. Expected: "No vulnerabilities found."

Phase 5: Commit & Push (only if ALL pass)

git commit -m "security: upgrade dependencies to fix CVEs

<Package> <old-version> → <new-version> (CVE-XXXX-XXXXX)
- Brief description of vulnerability fixed

Validation: All tests passing"

git push origin main

Critical Reminders

Always run full validation suite before committing
Document all CVE numbers in commit message
Test compilation of all affected modules
Re-scan for vulnerabilities after upgrades to verify fixes
Never bypass security updates - all CVEs must be addressed

⛔ NEVER Do These Things

NEVER skip, disable, or bypass tests to make upgrades pass
NEVER use --force flags without explicit user approval
NEVER delete or comment out failing tests to hide breakage
NEVER use || true to suppress test failures
NEVER commit with failing tests - fix the code or rollback the upgrade

If tests fail after an upgrade, the correct response is:

Investigate why the test fails
Fix the code to work with the new dependency version
OR rollback to the previous dependency version
OR ask the user for guidance

Expected Outcomes

✅ Zero known security vulnerabilities in dependencies
✅ All modules compile without errors
✅ All tests pass
✅ Changes committed and pushed

Troubleshooting

If govulncheck panics:

Run on individual directories instead of entire codebase
Exclude template directories with Go files in node_modules

If validation fails:

Do NOT commit or push
Fix issues before proceeding
Re-run validation suite

If breaking changes introduced:

Review package changelogs
Update code to accommodate API changes
Consider gradual rollout for major version bumps

Failure Modes

Failure	Fix
`npm audit fix --force` silently introducing major version bumps	Review what `--force` will change BEFORE running; prefer `npm audit fix` first
Upgrading to version with breaking API changes without reading changelog	Check release notes/changelog for breaking changes before upgrading
Skipping transitive/indirect vulnerability fixes	Scan output includes indirect deps — trace and fix the root dependency
Tests pass locally but CI fails due to environment differences	Run full CI after push; don't declare "fixed" until CI confirms