feat: add react-next-cve skill #28
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sergical
force-pushed
the
feat/react-next-cve-skill
branch
from
537341d to
7288a5c
Compare
![sentry[bot]](https://cdn.statically.io/img/avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
sergical
force-pushed
the
feat/react-next-cve-skill
branch
3 times, most recently
from
a6bd166 to
4b3d39a
Compare
Adds a skill to scan GitHub orgs for repos affected by React/Next.js CVEs. The skill: 1. Extracts affected versions from CVE blog posts 2. Searches the org for repos using those packages 3. Checks if they're production dependencies 4. Generates a remediation report with correct package manager commands Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
sergical
force-pushed
the
feat/react-next-cve-skill
branch
from
4b3d39a to
5b8c3c3
Compare
|
|
||
| ```bash | ||
| # Check for build script and run it | ||
| grep -q '"build"' package.json && {package_manager} build |
There was a problem hiding this comment.
Bug: The verification step incorrectly checks for build and test scripts in the root package.json for monorepos, instead of the specific package's package.json.
Severity: HIGH
Suggested Fix
Modify the verification logic to check for build and test scripts in the correct package.json file. For monorepos, the check should target the package-specific package.json located at the path where dependencies were updated (e.g., {path}/package.json), not the repository root.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.
Location: plugins/sentry-skills/skills/react-next-cve/SKILL.md#L180
Potential issue: In a monorepo, the skill's verification step checks for `build` and
`test` scripts in the root `package.json`. However, dependency updates are scoped to
specific packages within subdirectories (e.g., using `pnpm --filter {package-name}`).
The verification logic at lines 178-189 fails to check the package-specific
`package.json` where the changes were made. This causes the build and test verification
steps to be silently skipped if the scripts are defined in the package but not at the
root, potentially missing build errors or test failures for the updated package.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Adds a skill to scan GitHub orgs for repos affected by React/Next.js CVEs.
Usage
Provide a CVE blog post URL and the skill will:
Example
Changes
plugins/sentry-skills/skills/react-next-cve/SKILL.md- Main skill fileREADME.md- Added skill to Available Skills tableplugins/sentry-skills/skills/claude-settings-audit/SKILL.md- Added to skills allowlist.claude/settings.json- Added permission for the skill🤖 Generated with Claude Code