dependabot-triage


Dependabot Triage & Fix (v2.1)

v2.1 highlights

  • Two modes — Standard and Fast-Track. Standard is the defensive workflow (full exposure mapping, changelog scrape, safety interlock). Fast-Track is for low-risk bumps (Internal/Dev category, CVSS < 7, or user opt-in) — skips changelog + detailed exposure enumeration, single-confirmation interlock. Parity check + dual-write are non-negotiable in BOTH modes.
  • Defensive versioning — pick the minimal patched version that fixes all in-cluster CVEs, not "latest in same major".
  • Exposure Mapping replaces heuristic reachability — categorize every import site (Public/API · Client-Bundle · Internal/Dev) and present surface area to the user instead of trying to prove unreachability.
  • Mandatory lockfile parity check — package-lock.json and pnpm-lock.yaml must resolve to the same version of the target package; a mismatch aborts the PR. Required because CI/CD runs npm while local sanity checks run pnpm.
  • Changelog scrape with safety interlock (Standard mode) — fetch release notes / CHANGELOG between current and target, flag BREAKING / DEPRECATED / MIGRATION keywords, pause for explicit user confirmation before applying the bump.
  • Auto-reversion — if Fast-Track fails parity or the build fails post-bump, the skill offers to switch back to Standard mode for deeper analysis instead of grinding on retries.
  • Org-level fan-out is opt-in only — never auto-trigger; org enumeration burns API rate limit and surfaces non-JS noise.
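As an added example that is not the skill's own code, here are two of the checks above in dependency-free Node.js: the defensive-versioning pick (second bullet) and the lockfile parity gate (fourth bullet). The function names, the alert record shape (`{ id, firstPatched }`), the placeholder alert ids and the sample lockfiles are all constructed for this example; the semver comparison handles numeric MAJOR.MINOR.PATCH only.

```javascript
// Added example (not the dependabot-triage skill's own code). Constructed names and inputs throughout.

// --- Minimal semver: numeric core only; prerelease/build suffixes are ignored (example assumption). ---
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Defensive versioning: the smallest version that satisfies every alert in the cluster is the
// maximum of their first-patched versions, not "latest in the same major". A target that leaves
// the current major line is flagged so the Standard-mode changelog interlock can run on it.
function pickTargetVersion(current, alerts) {
  let target = current;
  for (const a of alerts) if (compareSemver(a.firstPatched, target) > 0) target = a.firstPatched;
  return {
    target,
    bumped: compareSemver(target, current) > 0,
    crossesMajor: parseSemver(target)[0] !== parseSemver(current)[0],
  };
}

// package-lock.json v2/v3 keeps the top-level install under packages["node_modules/<pkg>"];
// v1 keeps it under dependencies[<pkg>]. Returns null if the package is absent.
function npmLockVersion(lockJson, pkg) {
  const lock = JSON.parse(lockJson);
  return lock.packages?.[`node_modules/${pkg}`]?.version
      ?? lock.dependencies?.[pkg]?.version
      ?? null;
}

// pnpm-lock.yaml without a YAML library: walk the two-space-indented keys of the top-level
// `packages:` map. Key shape depends on lockfileVersion:
//   v5 "/pkg/1.2.3:" (peer suffix after "_")   v6 "/pkg@1.2.3:"   v9 "pkg@1.2.3:" (peer suffix in "(...)")
// Scoped names contain "/" and "@", so the split anchors on the LAST separator.
// Returns every version pnpm resolved for the package, ascending.
function pnpmLockVersions(lockYaml, pkg) {
  const lv = /^lockfileVersion:\s*['"]?(\d+)/m.exec(lockYaml);
  const legacy = !lv || Number(lv[1]) < 6;
  const found = new Set();
  let inPackages = false;
  for (const line of lockYaml.split('\n')) {
    if (/^\S/.test(line)) { inPackages = /^packages:/.test(line); continue; } // new top-level map
    const m = inPackages && /^  (\S.*?):\s*$/.exec(line);                      // a map key, not a nested field
    if (!m) continue;
    let key = m[1].replace(/^['"]|['"]$/g, '').replace(/^\//, '');
    let name, version;
    if (legacy) {
      const i = key.lastIndexOf('/');
      name = key.slice(0, i); version = key.slice(i + 1).split('_')[0];
    } else {
      key = key.replace(/\(.*$/, '');
      const i = key.lastIndexOf('@');
      name = key.slice(0, i); version = key.slice(i + 1);
    }
    if (name === pkg) found.add(version);
  }
  return [...found].sort(compareSemver);
}

// Parity gate: the version npm will install at top level must be the ONLY version pnpm resolved.
// A missing entry or a split resolution counts as a mismatch, which aborts the PR.
function lockfileParity(pkg, npmLockJson, pnpmLockYaml) {
  const npm = npmLockVersion(npmLockJson, pkg);
  const pnpm = pnpmLockVersions(pnpmLockYaml, pkg);
  return { pkg, npm, pnpm, parity: npm !== null && pnpm.length === 1 && pnpm[0] === npm };
}

// --- Constructed sample inputs (placeholder ids and integrity values, not real alerts or lockfiles). ---
const ALERTS = [
  { id: 'alert-1', firstPatched: '4.17.19' },
  { id: 'alert-2', firstPatched: '4.17.21' },
];
const NPM_LOCK = JSON.stringify({
  name: 'demo', lockfileVersion: 3,
  packages: {
    '': { dependencies: { lodash: '^4.17.21' } },
    'node_modules/lodash': { version: '4.17.21' },
  },
});
const PNPM_LOCK_OK = `lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      lodash:
        specifier: ^4.17.21
        version: 4.17.21

packages:

  lodash@4.17.21:
    resolution: {integrity: sha512-constructed}
`;
const PNPM_LOCK_STALE = `lockfileVersion: '6.0'

packages:

  /lodash@4.17.20:
    resolution: {integrity: sha512-constructed}
`;

console.log(pickTargetVersion('4.17.15', ALERTS));                 // target 4.17.21, same major
console.log(lockfileParity('lodash', NPM_LOCK, PNPM_LOCK_OK));     // parity: true
console.log(lockfileParity('lodash', NPM_LOCK, PNPM_LOCK_STALE));  // parity: false, pnpm: ['4.17.20']
```

Run it with `node` on the file. The parity function is deliberately strict: a package that pnpm resolved to two versions (a transitive split) fails the gate even when one of them matches npm, so the operator sees the split rather than a green check. A production version would also read the `importers:` section for the direct-dependency version; here the `packages:` map is enough to show the check.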

Scope

Only JavaScript / TypeScript repos — npm, pnpm, yarn, bun ecosystems. Covers backend Node.js services, frontend bundles (CSR), server-rendered apps (SSR), and mixed SSR+CSR frameworks (Next.js, Nuxt, Remix, SvelteKit).

NOT yet covered: Python (pip / poetry / uv), Go modules, Java (Maven / Gradle), Ruby (bundler), Rust (cargo), .NET (NuGet). If the user shares a Dependabot URL pointing to a repo whose alerts are non-JS (check .dependency.package.ecosystem), say so explicitly and stop — don't apply this skill's mechanics to those ecosystems.

The org-level fan-out will surface non-JS alerts (e.g. Python pillow, Java packages). Filter those out of the ranked table or call them out as "out of scope for this skill — handle separately".
