Agent Skills
› cobusgreyling/loop-engineering
› dependency-triage
dependency-triage
GitHub扫描包清单和锁文件,识别过时包及CVE漏洞。按风险等级(补丁、次要、主要)分组更新,并指导在依赖扫描循环中采取相应操作或升级给人类处理。
Trigger Scenarios
发现过时的软件包
检测到已知安全漏洞(CVE)
执行依赖扫描循环
Install
npx skills add cobusgreyling/loop-engineering --skill dependency-triage -g -y
SKILL.md
Frontmatter
{
"name": "dependency-triage",
"description": "Scan package manifests and lockfiles for outdated packages and known CVEs. Groups updates by risk (patch, minor, major). Use in dependency sweeper loops.\n",
"user_invocable": true
}
Dependency Triage Skill
Output per package
### package-name (ecosystem: npm|pip|go|etc.)
- Current: x.y.z
- Suggested: x.y.z
- Risk: patch | minor | major
- CVE: none | CVE-XXXX (severity)
- Actionable: yes | no (denylist / human gate)
- Suggested loop action: patch-in-worktree | escalate-human | skip
Classification Rules
- patch: semver patch or lockfile-only security fix with no API change
- minor: semver minor — cautious, verifier required
- major: always escalate-human unless explicitly pre-approved in state
- denylist: packages in state denylist → escalate-human, no auto-touch
- high-severity CVE: escalate if fix requires major or breaking change
Rules
- Prefer the smallest safe bump that resolves the advisory.
- Never bundle unrelated package updates in one change.
- Record human overrides from
dependency-sweeper-state.mdevery run. - If lockfile conflict or peer dependency warning → escalate-human.
Version History
- e55bb6d Current 2026-07-05 11:06


