
ci: add audit-dependencies claude skill #15967

Merged: denolfe merged 6 commits into main from ci/audit-dependencies-skill on Mar 17, 2026
Conversation

denolfe (Member) commented Mar 16, 2026

Overview

Adds a Claude Code skill for fixing dependency audit vulnerabilities, and adds input validation to the audit script. Invoked manually via /audit-dependencies [severity] (defaults to high).

Key Changes

  • New skill at .claude/skills/audit-dependencies/SKILL.md

    • User-invocable only (disable-model-invocation: true), so Claude won't auto-detect or load it.
    • Accepts an optional severity argument (critical|high|moderate|low), defaults to high.
    • Codifies the workflow: run audit script, trace dependency chains, prefer direct bumps over pnpm overrides, research breaking changes, install/build/verify, look up advisories, commit, and create a PR.
    • Includes a graphviz decision flowchart for the bump-vs-override decision.
    • Calls out parallel agent dispatch for breaking change research and advisory lookups.
    • Uses GHSA links (github.com/advisories/GHSA-...) over NVD links in PR bodies.
  • Severity validation in audit-dependencies.sh

    • Validates the severity argument against low, moderate, high, critical. Exits with code 2 on invalid input.

Design Decisions

The skill enforces "direct bump first, override as last resort" because overrides hide version mismatches and can silently break when the parent package updates. Each override requires explicit justification (no patched parent version available, high breaking change risk, or user defers to separate PR).
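The severity validation described above, as an added example that is not the project's own audit-dependencies.sh: an argument is accepted only if it is one of low, moderate, high or critical, a missing argument defaults to high, and anything else produces exit status 2. The final `pnpm audit --audit-level` invocation is an assumed way of consuming the validated value and is only echoed here, not run.

```shell
#!/usr/bin/env sh
# Added example, not the project's script. Mirrors the validation rule the PR
# describes: allow-list the severity argument, default to "high", exit 2 on
# invalid input. The pnpm command at the end is an assumption about how the
# validated value would be consumed and is echoed rather than executed.

# validate_severity SEVERITY
# Returns 0 when SEVERITY is on the allow-list, 2 otherwise. Using an explicit
# allow-list (rather than, say, rejecting a few known-bad strings) means an
# unexpected value such as "hihg" or "--foo" is refused instead of being passed
# through to the audit tool.
validate_severity() {
  case "$1" in
    low|moderate|high|critical) return 0 ;;
    *) return 2 ;;
  esac
}

# resolve_severity [SEVERITY]
# Applies the default ("high") when no argument is given, then validates.
# Prints the accepted value on stdout; on failure prints a diagnostic to stderr
# and returns 2 so the caller can propagate that as the process exit status.
resolve_severity() {
  sev="${1:-high}"
  if ! validate_severity "$sev"; then
    printf 'error: invalid severity "%s" (expected low|moderate|high|critical)\n' "$sev" >&2
    return 2
  fi
  printf '%s\n' "$sev"
}

main() {
  severity="$(resolve_severity "$1")" || exit 2
  # Assumed consumer of the validated value; echoed only, not executed here.
  echo "would run: pnpm audit --audit-level=$severity"
}

main "$@"
```

Run with no argument to see the default applied, or with `bogus` to see the exit status 2 path; `echo $?` after the call shows the status the skill's caller would observe.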

@denolfe denolfe changed the title chore: add audit-dependencies claude skill ci: add audit-dependencies claude skill Mar 16, 2026
@denolfe denolfe marked this pull request as ready for review March 16, 2026 18:11
@denolfe denolfe enabled auto-merge (squash) March 17, 2026 14:23
@denolfe denolfe merged commit 5efc2ff into main Mar 17, 2026
18 checks passed
@denolfe denolfe deleted the ci/audit-dependencies-skill branch March 17, 2026 14:24
github-actions (Contributor) commented:

🚀 This is included in version v3.80.0
