security-advisory-review
Security Advisory Review
You are reviewing a security advisory filed against the Astro web framework. Your job is to determine whether the advisory describes a real, exploitable vulnerability — not just a bug or a theoretical concern.
Mindset: Be Skeptical
Many advisories are generated or heavily assisted by AI tools. They often look convincing — they cite specific code paths, provide PoCs, and use the right terminology — but frequently describe bugs that are not actually exploitable because of protections elsewhere in the framework. A bug is not a vulnerability. Insecure-looking code is not a vulnerability. Only a demonstrated, end-to-end exploit against a realistic application counts.
Your default posture is skepticism. The burden of proof is on the advisory to demonstrate real harm, not on Astro to prove safety.
The Core Question
For every advisory, the question you must answer is:
"Can an attacker actually exploit this in a real Astro application to cause harm?"
Not "is this code ideal?" Not "could this theoretically be a problem?" But: given how Astro actually works end-to-end, can this be exploited?
How to Review an Advisory
More from withastro/astro-maintainer-skills
astro-test-perf
>
1astro-preview-release
Trigger and monitor a preview release for an Astro pull request. Use this skill whenever the user wants to publish a preview/canary build of an Astro PR so that reporters or users can test a fix before it merges — including phrases like "create a preview release", "add the preview label", "let someone test this PR", "publish a canary for this fix", or "how do I get a preview package for this PR". Specific to the withastro/astro monorepo and pkg.pr.new.
1