vuln-research

Vuln Research — CVE Deep-Dive and Applicability Assessment

When a CVE drops, the question isn't "do we have this package?" — dependency-audit answers that. The questions are:

  • Is the vulnerable code path actually invoked in our usage?
  • Is there a public proof-of-concept making this easy to exploit?
  • Is there a patch? When? What's our exposure window if we can't deploy in 24 hours?
  • If we can't patch, what's the mitigation?
  • Is CISA tracking it as actively exploited?

This skill walks that workflow end-to-end. Pairs with dependency-audit (which surfaces the CVE in the first place) and finding-triage (which closes the disposition loop).
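The five questions above can be captured as one assessment record per CVE. The sketch below is an added example, not code from the skill itself: the `Assessment` fields, the disposition labels and the placeholder CVE IDs are assumptions, and the embedded feed is a constructed excerpt that uses the `cveID`, `dateAdded` and `dueDate` fields of CISA's Known Exploited Vulnerabilities JSON catalog.

```python
import json
from datetime import date
from typing import NamedTuple, Optional

# Constructed excerpt in the shape of CISA's KEV JSON feed (placeholder CVE ID).
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dateAdded": "2026-01-10", "dueDate": "2026-01-31"}
]}
""")

class Assessment(NamedTuple):          # hypothetical record, one per CVE
    cve_id: str
    code_path_reached: Optional[bool]  # None = not analysed yet, treated as reached
    public_poc: bool
    patch_available: bool
    disclosed: date
    planned_deploy: Optional[date]     # None = no deployment date possible
    mitigation: Optional[str] = None   # compensating control, if any

def kev_entry(cve_id, feed=KEV_SAMPLE):
    """Return the KEV record for cve_id, or None if CISA does not list it."""
    return next((v for v in feed["vulnerabilities"] if v["cveID"] == cve_id), None)

def exposure_days(a):
    """Days between disclosure and planned deployment; None if no deploy date."""
    if a.planned_deploy is None:
        return None
    return max((a.planned_deploy - a.disclosed).days, 0)

def disposition(a, feed=KEV_SAMPLE):
    """Map the five answers to a hypothetical disposition label."""
    if a.code_path_reached is False:
        return "not-applicable"        # record the evidence for the triage step
    if not a.patch_available or a.planned_deploy is None:
        return "mitigate" if a.mitigation else "escalate"
    urgent = kev_entry(a.cve_id, feed) is not None or a.public_poc
    if not urgent:
        return "patch-scheduled"
    if exposure_days(a) <= 1:          # deployable within the 24-hour window
        return "patch-now"
    return "mitigate-then-patch" if a.mitigation else "escalate"

if __name__ == "__main__":
    a = Assessment("CVE-0000-0001", True, False, True,
                   date(2026, 1, 10), date(2026, 1, 20), "disable affected endpoint")
    print(a.cve_id, exposure_days(a), disposition(a))
```

An unanalysed code path (`None`) is deliberately treated as reachable, so a CVE cannot be closed as not applicable without someone having checked.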

Workflow

Step 1 — Pull the canonical sources

Start with the authoritative descriptions; everything downstream of them is a summary, and summaries are sometimes wrong.

Installs: 51
GitHub Stars: 274
First Seen: May 27, 2026
vuln-research — briiirussell/cybersecurity-skills