Merged
32 changes: 32 additions & 0 deletions .agents/skills/audit-js-dependencies/SKILL.md
Expand Up @@ -106,6 +106,18 @@ yarn add <package>@<fixed-version>

Avoid opportunistic upgrades. The goal is to remove vulnerable dependencies with the narrowest safe diff.

## Tool Path Setup

`npm` and `yarn` are not in the default shell PATH in this environment. Locate them in the Nix store before running any commands:

```bash
NPM=$(find /nix/store -maxdepth 3 -name "npm" -path "*/nodejs-24*/bin/npm" 2>/dev/null | head -1)
YARN=$(find /nix/store -maxdepth 3 -name "yarn" -path "*/yarn-*/bin/yarn" 2>/dev/null | head -1)
export PATH="$(dirname $NPM):$(dirname $YARN):$PATH"
```

Use this PATH prefix for every `npm` and `yarn` command in this skill.

## Verify After Changes

Re-run the audit for every root you touched. Then run the most relevant lightweight verification for each affected project:
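Review bot: the PATH setup in the new `## Tool Path Setup` block has no failure handling. If either `find` returns nothing, `$NPM` or `$YARN` is empty, `dirname $NPM` (unquoted) runs with no operand and prints an error, and `PATH` gains empty entries, which the shell treats as the current directory, so later `npm`/`yarn` invocations either fail with a confusing "not found" or resolve a binary from whatever directory the agent happens to be in. Also, `head -1` over `/nix/store` picks whichever matching store path `find` lists first, which is not deterministic across machines or store contents, and the `nodejs-24*` pattern will need editing on every major Node bump. Suggest quoting the variables and failing fast:
`[ -n "$NPM" ] && [ -n "$YARN" ] || { echo "npm/yarn not found in /nix/store" >&2; exit 1; }`
`export PATH="$(dirname "$NPM"):$(dirname "$YARN"):$PATH"`
and, where the environment provides one, pointing at the project's Nix shell or a fixed store path rather than a glob search.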
Expand All @@ -118,6 +130,26 @@ Re-run the audit for every root you touched. Then run the most relevant lightwei

If a dependency update affects native mobile tooling, note any heavier validation you did not run, such as Capacitor or React Native platform builds.

## Run Local CI Checks Before Completing

After all audits and per-project verifications pass, run the full local CI suite from the repo root before declaring the task done. These mirror the `test` job in `.github/workflows/ci.yaml`.

Run each command individually and capture its exit code explicitly. **Never pipe a CI command through `tail`, `grep`, or any filter** — doing so returns the filter's exit code, not the command's, silently hiding failures.

```bash
npm audit --audit-level=critical; echo "exit: $?"
cd website && npm audit --audit-level=critical; echo "exit: $?"; cd ..
npm run check-tidy; echo "exit: $?"
npm run format; echo "exit: $?"
npm run lint; echo "exit: $?"
npm run typecheck; echo "exit: $?"
npm run test; echo "exit: $?"
npm run verify; echo "exit: $?"
npm run build; echo "exit: $?"
```

All nine commands must print `exit: 0`. If any print a non-zero exit, fix the issue before completing. Do not skip this step.

## Report Breaking Changes Instead Of Applying Them

If the audit can only be fixed through a major-version change, stop and notify the user with a concise summary:
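Review bot: in the new `## Run Local CI Checks Before Completing` block, the line `cd website && npm audit --audit-level=critical; echo "exit: $?"; cd ..` breaks the "capture every exit code" rule it sits under: if `cd website` fails, `npm audit` never runs, the echoed code is `cd`'s, and the trailing `cd ..` then moves out of the repo root so every following command runs in the wrong directory. Run it in a subshell instead: `(cd website && npm audit --audit-level=critical); echo "exit: $?"`. Two smaller points: `npm run format` may rewrite files rather than only check them, so the step should say whether a dirty tree afterwards counts as a failure (a `git status --porcelain` check would make that explicit); and `--audit-level=critical` means high-severity advisories do not fail this gate, which is a policy choice worth stating given that the skill's purpose is removing vulnerable dependencies.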
7 changes: 7 additions & 0 deletions .bundler-audit.yml
@@ -0,0 +1,7 @@
---
ignore:
# CVE-2026-54171: excon header leakage on redirects, patched in excon >= 1.5.0.
# Cannot upgrade: fastlane 2.236.1 (latest) still constrains excon < 1.0.0.
# fastlane master has relaxed this to < 2.0.0 but no release yet.
# Remove this ignore once fastlane ships with excon 1.x support.
- CVE-2026-54171
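Review bot: the ignore entry for CVE-2026-54171 documents why it cannot be fixed but not the risk being accepted or when it will be revisited. Add a reference to the upstream fastlane change that relaxes the excon constraint (issue or PR id) so the entry can be removed as soon as that ships, and state whether the header-leakage scenario is reachable here (fastlane's requests to the store APIs carry credentials, so note any mitigating factor, for instance that the endpoints it calls are not expected to redirect). Since `ignore:` in `.bundler-audit.yml` is unconditional, a dated "re-check on next fastlane release" line in the comment would also help keep this from becoming permanent.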
2 changes: 1 addition & 1 deletion Gemfile.lock
Expand Up @@ -107,7 +107,7 @@ GEM
ethon (0.16.0)
ffi (>= 1.15.0)
excon (0.112.0)
faraday (1.10.5)
faraday (1.10.6)
faraday-em_http (~> 1.0)
faraday-em_synchrony (~> 1.0)
faraday-excon (~> 1.1)
13 changes: 12 additions & 1 deletion example/reactnative/package.json
Expand Up @@ -26,7 +26,18 @@
"minimatch/brace-expansion": "1.1.13",
"micromatch/picomatch": "2.3.2",
"@babel/preset-env/**/@babel/plugin-transform-modules-systemjs": "7.29.4",
"@react-native-community/cli/**/joi": "^17.13.4"
"@react-native-community/cli/**/joi": "^17.13.4",
"react-native/ws": "6.2.4",
"@react-native-community/cli-server-api/ws": "6.2.4",
"@react-native/dev-middleware/ws": "6.2.4",
"@react-native/metro-config/**/ws": "7.5.11",
"react-native/**/react-devtools-core/ws": "7.5.11",
"react-native/**/metro/ws": "7.5.11",
"@react-native-community/cli/**/launch-editor": "2.14.1",
"@react-native-community/cli-platform-android/**/launch-editor": "2.14.1",
"@react-native-community/cli-platform-ios/**/launch-editor": "2.14.1",
"eslint/**/js-yaml": "4.2.0",
"@babel/core": "7.29.7"
},
"devDependencies": {
"//": "For unknown reason, we need to install eslint-plugin-jest oursevles so that it is found by eslint",
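Review bot: the new `resolutions` entries add a path-less `"@babel/core": "7.29.7"` that pins every copy of `@babel/core` in the tree, which is broader than the other, path-scoped entries and than the skill's own "narrowest safe diff" rule; if the global pin is needed, say why in the PR description. The `ws` pins also target two different versions (6.2.4 and 7.5.11) depending on path, which is fine if each parent's range requires it, but that is not visible from the diff. None of the entries says which advisory it resolves or which upstream release would make it unnecessary, unlike the comment in `.bundler-audit.yml`; since this file already uses a `"//"` key for notes, a short entry listing the advisories and the parent-package versions that would let each pin be dropped would keep these from lingering. Exact pins here will never move on `yarn upgrade`, so the audit workflow should re-check them explicitly.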
198 changes: 154 additions & 44 deletions example/reactnative/yarn.lock

Large diffs are not rendered by default.

16 changes: 13 additions & 3 deletions example/reactweb/package-lock.json
