Dependency CVE Triage
When to use
Use this skill when asked to triage CVEs, decide upgrade priority, or prepare remediation tickets.
Inputs to collect (if available)
- CVE identifier and advisory links
- Current dependency version(s) and dependency tree (direct/transitive)
- Exposure assumptions (internet-facing? behind auth? feature enabled?)
- Existing compensating controls (WAF, sandboxing, auth boundaries)
Step-by-step process
- Confirm the vulnerable component
  - Package name, affected version range, fixed version
  - Direct vs transitive dependency, and which parent(s) pull it in
- Assess reachability
  - Is the vulnerable code path used? Under what configuration?
  - Is the call site internet-exposed or behind auth?
- Assess impact
  - RCE vs info leak vs DoS; required privileges; exploit maturity (PoC public? exploited in the wild?)
- Choose a remediation
  - Upgrade to a fixed version (preferred)
  - Pin/override transitive versions when a parent has not released a fix
  - Disable the vulnerable feature/code path
  - Compensating controls (WAF rules, config hardening) as a stopgap only, not the fix
- Plan the change
  - Smallest version jump that contains the fix; note breaking changes
  - Add a regression test for the vulnerable behavior if practical
- Document
  - Ticket with: affected services, urgency, change plan, validation steps
Output template
- CVE / Package
- Affected versions / current version
- Exploit preconditions
- Reachability assessment
- Recommended fix
- Validation / rollout notes
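The process and template above, as one runnable example (added here; not code from the original page or from any project it describes). It checks the installed version against the advisory's affected range, finds whether the package is direct or transitive and through which parents, buckets urgency from impact, exposure and reachability, and returns the template fields. The CVE id is a placeholder, the package names and versions are constructed, and the priority weights are this example's own choice:

```python
"""Worked CVE triage on constructed data: check the installed version against the
advisory's affected range, find how the package is pulled in (direct vs transitive),
bucket urgency from impact, exposure and reachability, and fill the output template.
The CVE id is a placeholder; packages, versions and advisory text are hypothetical."""
import re
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """Comparable key; a pre-release such as 2.4.1-rc1 sorts before 2.4.1."""
    main, _, pre = v.partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", main))
    nums += (0,) * (3 - len(nums))  # '2.4' == '2.4.0'
    return (nums, 1) if not pre else (nums, 0, pre)

def version_in_range(version: str, spec: str) -> bool:
    """spec is a comma-separated conjunction of constraints, e.g. '>=2.0.0,<2.4.1'."""
    ops = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
           ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}
    v = parse_version(version)
    for constraint in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\w.\-]+)\s*", constraint)
        if not m:
            raise ValueError(f"unparseable constraint: {constraint!r}")
        if not ops[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True

def dependency_paths(tree: dict, direct: list, target: str) -> list:
    """All paths from a direct dependency to target; a 1-element path means it is direct."""
    found = []
    def walk(pkg, path):
        path = path + [pkg]
        if pkg == target:
            found.append(path)
            return
        for dep in tree.get(pkg, {}).get("requires", []):
            if dep not in path:  # cycle guard
                walk(dep, path)
    for root in direct:
        walk(root, [])
    return found

@dataclass
class Exposure:
    internet_facing: bool
    behind_auth: bool
    feature_enabled: bool       # vulnerable feature/config switched on?
    call_site_reachable: bool   # untrusted input reaches the vulnerable code path?
    exploit_public: bool

IMPACT_WEIGHT = {"rce": 4, "auth-bypass": 4, "info-leak": 2, "dos": 1}

def priority(impact: str, exp: Exposure) -> str:
    """Urgency bucket; the weights are this example's choice, tune them to your org."""
    score = IMPACT_WEIGHT[impact]
    score += (2 if exp.internet_facing else 0) + (0 if exp.behind_auth else 1)
    score += 1 if exp.exploit_public else 0
    if not (exp.feature_enabled and exp.call_site_reachable):
        score = min(score, 2)  # unreachable: still upgrade, but on the normal cadence
    return "P1" if score >= 6 else "P2" if score >= 4 else "P3"

def triage(advisory: dict, tree: dict, direct: list, exp: Exposure) -> dict:
    """Return the output-template fields for one advisory against one dependency tree."""
    pkg = advisory["package"]
    current = tree[pkg]["version"]
    affected = version_in_range(current, advisory["affected"])
    paths = dependency_paths(tree, direct, pkg)
    transitive = bool(paths) and all(len(p) > 1 for p in paths)
    if not affected:
        fix = "none required: installed version is outside the affected range"
    elif transitive:
        fix = (f"upgrade {pkg} to {advisory['fixed']} through parent(s) "
               f"{sorted({p[0] for p in paths})}; if a parent has no fixed release, "
               f"pin/override the transitive version in the lock file (stopgap)")
    else:
        fix = f"upgrade {pkg} {current} -> {advisory['fixed']}"
    return {"cve": advisory["id"], "package": pkg, "affected_range": advisory["affected"],
            "current": current, "is_affected": affected, "transitive": transitive,
            "paths": [" -> ".join(p) for p in paths],
            "preconditions": advisory["preconditions"],
            "reachable": exp.feature_enabled and exp.call_site_reachable,
            "priority": priority(advisory["impact"], exp) if affected else "P3",
            "fix": fix,
            "validation": "re-run the dependency audit, add a regression test for the "
                          "vulnerable input, canary-deploy before fleet rollout"}

# Constructed inputs: placeholder CVE id, hypothetical packages and versions.
ADVISORY = {"id": "CVE-YYYY-NNNNN", "package": "fastparse", "affected": ">=2.0.0,<2.4.1",
            "fixed": "2.4.1", "impact": "rce",
            "preconditions": "input parsed with the optional 'extensions' loader enabled"}
TREE = {"webframework": {"version": "3.1.0", "requires": ["fastparse"]},
        "reportlib": {"version": "1.2.0", "requires": ["fastparse"]},
        "fastparse": {"version": "2.3.0", "requires": []}}
DIRECT = ["webframework", "reportlib"]

if __name__ == "__main__":
    exp = Exposure(internet_facing=True, behind_auth=False, feature_enabled=True,
                   call_site_reachable=True, exploit_public=False)
    for field, value in triage(ADVISORY, TREE, DIRECT, exp).items():
        print(f"{field}: {value}")
```

Two design points worth keeping when adapting this: the pre-release handling in `parse_version` matters because advisories often say "fixed in 2.4.1" while a lock file pins `2.4.1-rc1`, which is still vulnerable; and the reachability cap in `priority` keeps an unreachable RCE from paging anyone, but it never sets the priority below "upgrade on the normal cadence", since the reachability finding can change with the next feature flag.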
Repo integration (optional)
Related prompt:
- dependency-cve-triage.prompt.md
Output format
- CVE / Package
- Affected versions / current version
- Exploit preconditions
- Reachability assessment (with code evidence)
- Recommended fix (upgrade preferred; workarounds labeled stopgap)
- Verification / rollout notes
Examples
- “CVE affects optional parser feature” → document whether the parser feature is enabled/configured, and whether any call sites are reachable from untrusted input; cite file and line for each call site found.
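The "optional parser feature" case, worked as code evidence (added example; not code from the original page or from any project). It walks a Python module's AST to find every call to a vulnerable function, records whether the risky option is switched on at that call site, and flags whether the call sits in a request handler or takes a value from a known untrusted name. The module `fastparse`, its `load()` function, the `extensions` keyword and the application source are all constructed for this example:

```python
"""Reachability evidence for an optional parser feature: locate call sites of a
vulnerable API, check whether the risky option is enabled there, and note whether
untrusted input feeds the call. `fastparse.load(..., extensions=...)` is a
hypothetical API and SAMPLE_SOURCE is constructed for this example."""
import ast

VULN_MODULE = "fastparse"
VULN_FUNC = "load"
RISKY_KWARG = "extensions"
UNTRUSTED_NAMES = {"request", "payload", "body", "upload"}  # heuristic taint sources

class CallSiteFinder(ast.NodeVisitor):
    def __init__(self):
        self.aliases = {}      # local name -> what it refers to (module or function)
        self.evidence = []
        self._func_stack = []  # enclosing function definitions

    def visit_Import(self, node):
        for a in node.names:
            if a.name == VULN_MODULE:
                self.aliases[a.asname or a.name] = VULN_MODULE
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module == VULN_MODULE:
            for a in node.names:
                if a.name == VULN_FUNC:
                    self.aliases[a.asname or a.name] = f"{VULN_MODULE}.{VULN_FUNC}"
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        self._func_stack.append(node)
        self.generic_visit(node)
        self._func_stack.pop()

    def _is_vuln_call(self, func):
        """Match both `fp_load(...)` (from-import alias) and `fastparse.load(...)`."""
        if isinstance(func, ast.Name):
            return self.aliases.get(func.id) == f"{VULN_MODULE}.{VULN_FUNC}"
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            return self.aliases.get(func.value.id) == VULN_MODULE and func.attr == VULN_FUNC
        return False

    def visit_Call(self, node):
        if self._is_vuln_call(node.func):
            risky = next((kw.value for kw in node.keywords if kw.arg == RISKY_KWARG), None)
            enabled = isinstance(risky, ast.Constant) and risky.value is True
            names = {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}
            func = self._func_stack[-1] if self._func_stack else None
            # heuristic: a decorator call named `.route(...)` marks an HTTP handler
            handler = bool(func and any(isinstance(d, ast.Call) and getattr(d.func, "attr", "") == "route"
                                        for d in func.decorator_list))
            self.evidence.append({
                "line": node.lineno,
                "in_function": func.name if func else "<module>",
                "request_handler": handler,
                "risky_option_enabled": enabled,
                "untrusted_args": sorted(names & UNTRUSTED_NAMES),
            })
        self.generic_visit(node)

def find_call_sites(source: str) -> list:
    finder = CallSiteFinder()
    finder.visit(ast.parse(source))
    return finder.evidence

def reachability_verdict(evidence: list) -> str:
    """Turn per-call-site evidence into the one-line assessment for the ticket."""
    hits = [e for e in evidence if e["risky_option_enabled"]]
    if not hits:
        return "not reachable: no call site enables the vulnerable option"
    exposed = [e for e in hits if e["untrusted_args"] or e["request_handler"]]
    if exposed:
        return f"reachable from untrusted input at line(s) {[e['line'] for e in exposed]}"
    return f"option enabled at line(s) {[e['line'] for e in hits]} but no untrusted input seen; verify manually"

# Constructed application source: one exposed call, one trusted call, one with the option off.
SAMPLE_SOURCE = '''
import fastparse
from fastparse import load as fp_load

@app.route("/import", methods=["POST"])
def import_report(request):
    return fastparse.load(request.body, extensions=True)   # untrusted input, option on

def load_config(path):
    with open(path) as fh:
        return fp_load(fh.read(), extensions=False)         # trusted file, option off

def parse_static():
    return fastparse.load(BUILTIN_TEMPLATE)                 # option left at its default
'''

if __name__ == "__main__":
    ev = find_call_sites(SAMPLE_SOURCE)
    for e in ev:
        print(e)
    print(reachability_verdict(ev))
```

The name-based taint check and the decorator check are deliberately coarse: they are there to produce a list of file:line candidates for a human to confirm, which is the "code evidence" the output format asks for, not to prove absence of reachability. A call whose option comes from a config variable rather than a literal shows up as `risky_option_enabled: False` here, so pair this scan with a check of the deployed configuration before writing "not reachable" in the ticket.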