Nimblesite
diff --git a/‎.claude/skills/upgrade-packages/SKILL.md‎
Lines changed: 61 additions & 218 deletions b/‎.claude/skills/upgrade-packages/SKILL.md‎
Lines changed: 61 additions & 218 deletions
@@ -7,254 +7,97 @@ argument-hint: "[--check-only] [--major] [package-name]"
 
 # Upgrade Packages
 
-Upgrade all project dependencies to their latest compatible (or latest major, if `--major`) versions.
+Upgrade all project dependencies to their latest compatible versions (or latest major with `--major`), then drive known vulnerabilities to zero.
 
 ## Arguments
 
-- `--check-only` — List outdated packages without upgrading. Stop after Step 2.
-- `--major` — Include major version bumps (breaking changes). Without this flag, stay within semver-compatible ranges.
-- Any other argument is treated as a specific package name to upgrade (instead of all packages).
+- `--check-only` — list outdated packages and stop after Step 2.
+- `--major` — allow major-version bumps; otherwise stay within semver-compatible ranges.
+- Any other argument is treated as a single package name to upgrade.
 
-## Step 1 — Detect language and package manager
+## Ecosystem command reference
 
-Inspect the repo root and subdirectories for manifest files. Identify ALL that apply:
+Look up the detected ecosystem(s) in this table and use the matching commands in each step below. Process every ecosystem present.
 
-| Manifest file | Language | Package manager |
-|---|---|---|
-| `Cargo.toml` | Rust | cargo |
-| `package.json` | Node.js / TypeScript | npm / yarn / pnpm (check lockfile) |
-| `pyproject.toml` | Python | pip / uv / poetry (check `[build-system]` or `[tool.poetry]`) |
-| `requirements.txt` | Python | pip |
-| `setup.py` / `setup.cfg` | Python | pip |
-| `pubspec.yaml` | Dart / Flutter | pub |
-| `*.csproj` / `*.fsproj` / `*.sln` | C# / F# | NuGet (dotnet) |
-| `Directory.Build.props` | C# / F# | NuGet (dotnet) |
-| `go.mod` | Go | go modules |
-| `Gemfile` | Ruby | bundler |
-| `composer.json` | PHP | composer |
-| `build.gradle` / `build.gradle.kts` | Java / Kotlin | gradle |
-| `pom.xml` | Java | maven |
+| Manifest | Ecosystem | Outdated | Upgrade (semver) | Upgrade (`--major`) | Audit | Override mechanism |
+|---|---|---|---|---|---|---|
+| `package.json` (npm) | Node | `npm outdated` | `npm update` | `npx npm-check-updates -u && npm install` | `npm audit --json` | `"overrides"` in package.json |
+| `package.json` (pnpm) | Node | `pnpm outdated` | `pnpm update` | `pnpm update --latest` | `pnpm audit --json` | `"pnpm.overrides"` |
+| `package.json` (yarn) | Node | `yarn outdated` | `yarn up` | `yarn up -R '**'` | `yarn npm audit --json` | `"resolutions"` |
+| `Cargo.toml` | Rust | `cargo outdated` | `cargo update` | `cargo update --breaking` | `cargo audit` | `[patch.crates-io]` in Cargo.toml |
+| `pyproject.toml` / `requirements.txt` | Python (pip/uv/poetry) | `pip list --outdated` · `uv pip list --outdated` · `poetry show --outdated` | `pip install -U -r requirements.txt` · `uv lock --upgrade` · `poetry update` | edit specifiers · `uv lock --upgrade` · `poetry update --latest` | `pip-audit --strict` | pin in `requirements.txt` / `constraints.txt` / `>=` in pyproject |
+| `*.csproj` / `Directory.Build.props` | .NET (NuGet) | `dotnet list package --outdated --include-transitive` | `dotnet add <proj> package <Name>` (per package) or `dotnet outdated --upgrade` | same | `dotnet list package --vulnerable --include-transitive` | explicit `<PackageReference Version>` in consuming project, or `<PackageVersion>` in `Directory.Packages.props` |
+| `go.mod` | Go | `go list -m -u all` | `go get -u ./... && go mod tidy` | same | `govulncheck ./...` | `replace` directive in go.mod |
+| `Gemfile` | Ruby | `bundle outdated` | `bundle update` | edit Gemfile constraints then `bundle update` | `bundle audit check --update` | explicit version constraint in Gemfile |
+| `composer.json` | PHP | `composer outdated` | `composer update` | edit constraints then `composer update` | `composer audit` | explicit version in composer.json |
+| `pubspec.yaml` | Dart/Flutter | `dart pub outdated` | `dart pub upgrade` | `dart pub upgrade --major-versions` | `dart pub deps` + check https://osv.dev | explicit version in pubspec.yaml |
+| `build.gradle(.kts)` | Gradle | `./gradlew dependencyUpdates` | edit versions then `./gradlew dependencies` | same | `./gradlew dependencyCheckAnalyze` (OWASP) | version catalog entry |
+| `pom.xml` | Maven | `mvn versions:display-dependency-updates` | `mvn versions:use-latest-releases && mvn versions:commit` | same | OWASP `dependency-check` | explicit `<version>` in pom.xml |
 
-If multiple languages are present, process each one in order.
+Install scanner binaries if missing (`cargo install cargo-audit`, `pip install pip-audit`, `go install golang.org/x/vuln/cmd/govulncheck@latest`, `gem install bundler-audit`). Do not skip a scan because the tool is missing.
 
-**If you cannot detect any manifest file, stop and tell the user.**
+Authoritative upgrade docs (fetch with WebFetch before running anything non-obvious): [npm](https://docs.npmjs.com/cli/v10/commands/npm-update), [pnpm](https://pnpm.io/cli/update), [yarn](https://yarnpkg.com/cli/up), [cargo](https://doc.rust-lang.org/cargo/commands/cargo-update.html), [pip](https://pip.pypa.io/en/stable/cli/pip_install/), [uv](https://docs.astral.sh/uv/reference/cli/), [poetry](https://python-poetry.org/docs/cli/#update), [dotnet](https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-add-package), [go](https://go.dev/ref/mod#go-get), [bundler](https://bundler.io/man/bundle-update.1.html), [composer](https://getcomposer.org/doc/03-cli.md#update-u-upgrade), [pub](https://dart.dev/tools/pub/cmd/pub-outdated), [gradle](https://docs.gradle.org/current/userguide/dependency_management.html), [maven](https://www.mojohaus.org/versions/versions-maven-plugin/).
 
-## Step 2 — List outdated packages
-
-Run the appropriate command to list what's outdated BEFORE upgrading anything. Show the user what will change.
-
-### Rust
-```bash
-cargo outdated        # install: cargo install cargo-outdated
-cargo update --dry-run
-```
-**Read the docs:** https://doc.rust-lang.org/cargo/commands/cargo-update.html
-
-### Node.js (npm)
-```bash
-npm outdated
-```
-If using yarn: `yarn outdated`. If using pnpm: `pnpm outdated`.
-
-**Read the docs:**
-- npm: https://docs.npmjs.com/cli/v10/commands/npm-update
-- yarn: https://yarnpkg.com/cli/up
-- pnpm: https://pnpm.io/cli/update
-
-### Python (pip)
-```bash
-pip list --outdated
-```
-If using uv: `uv pip list --outdated`. If using poetry: `poetry show --outdated`.
-
-**Read the docs:**
-- pip: https://pip.pypa.io/en/stable/cli/pip_install/#cmdoption-U
-- uv: https://docs.astral.sh/uv/reference/cli/#uv-pip-install
-- poetry: https://python-poetry.org/docs/cli/#update
-
-### Dart / Flutter
-```bash
-dart pub outdated
-# or for Flutter projects:
-flutter pub outdated
-```
-**Read the docs:** https://dart.dev/tools/pub/cmd/pub-outdated
-
-### C# / F# (NuGet)
-```bash
-dotnet list package --outdated
-```
-For transitive dependencies too: `dotnet list package --outdated --include-transitive`
-
-**Read the docs:** https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-list-package
-
-### Go
-```bash
-go list -m -u all
-```
-**Read the docs:** https://go.dev/ref/mod#go-get
-
-### Ruby (Bundler)
-```bash
-bundle outdated
-```
-**Read the docs:** https://bundler.io/man/bundle-update.1.html
+## Step 1 — Detect ecosystems
 
-### PHP (Composer)
-```bash
-composer outdated
-```
-**Read the docs:** https://getcomposer.org/doc/03-cli.md#update-u-upgrade
+Scan repo root and subdirectories for manifest files listed above. If none, stop and tell the user.
 
-### Java / Kotlin (Gradle)
-```bash
-./gradlew dependencyUpdates  # requires ben-manes/gradle-versions-plugin
-```
-**Read the docs:** https://docs.gradle.org/current/userguide/dependency_management.html
-
-### Java (Maven)
-```bash
-mvn versions:display-dependency-updates
-```
-**Read the docs:** https://www.mojohaus.org/versions/versions-maven-plugin/display-dependency-updates-mojo.html
-
-If `--check-only` was passed, **stop here** and report the outdated list.
-
-## Step 3 — Read the official upgrade docs
-
-**Before running any upgrade command, you MUST fetch and read the official documentation URL listed above for the detected package manager.** Use WebFetch to retrieve the page. This ensures you use the correct flags and understand the behavior. Do not guess at flags or options from memory.
-
-## Step 4 — Upgrade packages
-
-Run the upgrade. If a specific package name was given as an argument, upgrade only that package.
-
-### Rust
-```bash
-cargo update                          # semver-compatible updates
-# --major flag:
-cargo update --breaking               # major version bumps (cargo 1.84+)
-```
-For workspace members, run from workspace root.
-
-### Node.js (npm)
-```bash
-npm update                            # semver-compatible (within package.json ranges)
-# --major flag:
-npx npm-check-updates -u && npm install   # bump package.json to latest majors
-```
-If using yarn: `yarn up` / `yarn up -R '**'`. If using pnpm: `pnpm update` / `pnpm update --latest`.
-
-### Python (pip)
-For `requirements.txt`:
-```bash
-pip install --upgrade -r requirements.txt
-pip freeze > requirements.txt         # pin new versions
-```
-For `pyproject.toml` with pip: update version specifiers manually, then `pip install -e ".[dev]"`.
-For uv: `uv pip install --upgrade -r requirements.txt` or `uv lock --upgrade`.
-For poetry: `poetry update` / `poetry update --latest` (with `--major` flag).
-
-### Dart / Flutter
-```bash
-dart pub upgrade                      # semver-compatible
-# --major flag:
-dart pub upgrade --major-versions     # bump to latest majors
-```
-For Flutter: replace `dart` with `flutter`.
+## Step 2 — List outdated packages
 
-### C# / F# (NuGet)
-There is NO single `dotnet upgrade-all` command. You must upgrade each package individually:
-```bash
-# For each outdated package from Step 2:
-dotnet add <project.csproj> package <PackageName>    # upgrades to latest
-# Or with specific version:
-dotnet add <project.csproj> package <PackageName> --version <version>
-```
-For `Directory.Build.props`, edit the version numbers directly in the XML.
+Run the "Outdated" column command for each detected ecosystem and show the diff to the user. If `--check-only`, stop here.
 
-**Read the docs:** https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-add-package
+## Step 3 — Upgrade
 
-Alternatively, use the dotnet-outdated global tool:
-```bash
-dotnet tool install --global dotnet-outdated-tool
-dotnet outdated --upgrade
-```
-**Read the docs:** https://github.com/dotnet-outdated/dotnet-outdated
+Run the "Upgrade (semver)" column, or "Upgrade (`--major`)" if `--major` was passed. If a package name argument was given, scope the upgrade to that package.
 
-### Go
-```bash
-go get -u ./...                       # update all dependencies
-go mod tidy                           # clean up go.sum
-```
-For a specific package: `go get -u <module>@latest`.
+## Step 4 — Build & test
 
-### Ruby (Bundler)
-```bash
-bundle update                         # all gems
-# specific gem:
-bundle update <gem-name>
-```
+Run `make ci` (or the project's build/test commands from the Makefile, CI workflow, or CLAUDE.md). Fix any breakage using release notes / migration guides. If stuck after 3 attempts on the same failure, stop and report.
 
-### PHP (Composer)
-```bash
-composer update                       # all packages
-# specific package:
-composer update <vendor/package>
-```
-With `--major`: edit `composer.json` version constraints first, then `composer update`.
+## Step 5 — Vulnerability scan (MANDATORY)
 
-### Java / Kotlin (Gradle)
-Edit version numbers in `build.gradle` / `build.gradle.kts` / version catalogs (`libs.versions.toml`), then:
-```bash
-./gradlew dependencies                # verify resolution
-```
+Upgrading top-level deps does NOT guarantee transitive deps are clean. Drive the count to **zero**.
 
-### Java (Maven)
-```bash
-mvn versions:use-latest-releases      # update pom.xml to latest releases
-mvn versions:commit                   # remove backup pom
-```
+**5a. Scan** — run the "Audit" column for each ecosystem.
 
-## Step 5 — Verify the upgrade
+**5b. Read runtime constraints** — before pinning anything:
+- npm: `engines.node` + `.github/workflows/*.yml` `node-version:` + `.nvmrc`
+- Python: `requires-python` / `.python-version`
+- .NET: `<TargetFramework(s)>` in every project
+- Go: `go` directive in `go.mod`
+- Rust: `rust-version` in `Cargo.toml`
+- Ruby: `.ruby-version` / `ruby` directive in Gemfile
 
-After upgrading, run the project's build and test suite to confirm nothing broke:
+**5c. For each advisory, pick the highest compatible fix:**
+1. Look up the fixed-version range (scanner output, else [osv.dev](https://osv.dev) or [github.com/advisories](https://github.com/advisories)).
+2. List published versions newest-first (`npm view <pkg> versions`, `pip index versions <pkg>`, `cargo search <pkg>`, `dotnet package search <pkg>`, `gem info <pkg>`).
+3. Pick the newest version that is both in the fix range AND satisfies 5b's runtime floor. Prefer a major jump only when no lower major has a fix.
 
-```bash
-make ci
-```
+**5d. Apply via the "Override mechanism" column.** Scope narrowly when consumers disagree on major (e.g. `eslint` → `ajv@6` vs `secretlint` → `ajv@8`: override to `"parent > pkg"` not top-level).
 
-If `make ci` is not available, run whatever build/test commands the project uses (check the Makefile, CI workflow, or CLAUDE.md).
+**5e. Re-install, re-scan, iterate.** Loop 5c–5e until zero. If a previous override broke Step 4, re-scope and re-run Step 4.
 
-If tests fail:
-1. Read the failure output carefully
-2. Check the changelog / migration guide for the upgraded packages (fetch the release notes URL if available)
-3. Fix breaking changes in the code
-4. Re-run tests
-5. If stuck after 3 attempts on the same failure, report it to the user with the error details and the package that caused it
+**5f. If zero is impossible** (no fix exists, or only fix needs an unauthorised runtime bump): list each residual advisory with package, installed version, advisory ID, severity, available fix version, reason not applied, recommended action. Do NOT suppress via `--omit=dev`, `audit.level`, allowlists, `--ignore-vuln`, etc.
 
 ## Step 6 — Report
 
-Provide a summary:
-
-- Packages upgraded (old version -> new version)
-- Packages skipped (and why, e.g., major version bump without `--major` flag)
-- Build/test result after upgrade
-- Any breaking changes that were fixed
-- Any packages that could not be upgraded (with error details)
+- Packages upgraded (old → new)
+- Packages skipped (and why — major without `--major`, etc.)
+- Transitive overrides applied for security (package, version, scope, advisory IDs fixed)
+- Residual advisories with justification (from 5f), if any
+- Build/test result
 
 ## Rules
 
-- **Always list outdated packages first** before upgrading anything
-- **Always read the official docs** for the package manager before running upgrade commands
-- **Always run tests after upgrading** to catch breakage immediately
-- **Never remove packages** unless they were explicitly deprecated and replaced
-- **Never downgrade packages** unless rolling back a broken upgrade
-- **Never modify lockfiles manually** (package-lock.json, yarn.lock, Cargo.lock, etc.) — let the package manager regenerate them
-- **Commit nothing** — leave changes in the working tree for the user to review
+- List outdated first. Run tests after upgrading. Run the Step 5 scan — mandatory.
+- Never remove packages unless deprecated and replaced. Never modify lockfiles manually — let the package manager regenerate.
+- Never downgrade except to roll back a broken upgrade, or to pin a transitive via override for a security fix (Step 5d).
+- Never suppress vulnerability reports (`--omit=dev`, `audit.level`, `.audit-ci.json`, `--ignore-vuln`, etc.) — fix them.
+- Commit nothing — leave changes in the working tree.
 
 ## Success criteria
 
-- All outdated packages upgraded to latest compatible (or latest major if `--major`)
-- Build passes
-- Tests pass
-- User has a clear summary of what changed
+- Outdated packages upgraded to latest compatible (or latest major if `--major`).
+- Build and tests pass.
+- Vulnerability scanner reports **zero** advisories, or every residual one is listed and justified per 5f.
+- Report includes any transitive overrides applied for security.