Connect and configure these integrations:
- GitHub (required)
- Slack or Microsoft Teams (optional)
Then configure the following parameters:

- Configure minimum severity to report

  By default, this skill sets a failed GitHub Check on any detected vulnerability. Use this parameter to raise the minimum severity at which the check fails.
- Exclude development dependencies

  Run `npm audit` with the `--production` flag so that only production dependencies are audited (newer npm versions also accept `--omit=dev`). Note that this also hides vulnerabilities in build and test tooling that still executes in CI.

- Exclude specific packages

  Use this parameter to exclude specific npm packages from auditing and from automatic updates when fixing.
- Exclude specific npm advisories

  Use this parameter to exclude specific npm advisories, by their ids, from auditing and from automatic updates when fixing.
- Specify how to apply fixes

  Choose which fix option to use, or choose not to apply fixes. When a fix option is selected, `npm audit fix` is run. The following options are available:

  - Raise pull request for default branch; commit to other branches: fixes on the default branch are submitted via a pull request; fixes on other branches are committed straight onto the branch
  - Raise pull request for default branch only: fixes on the default branch are submitted via a pull request; fixes on other branches are not persisted
  - Raise pull request for any branch: fixes on all branches are submitted via a pull request
  - Commit to default branch only: fixes on the default branch are committed straight to the branch; fixes on other branches are not persisted
  - Commit to any branch: fixes on all branches are committed straight to the branch
  - Do not fix detected vulnerabilities

  Pull requests raised by this skill automatically get a reviewer assigned, based on the person who pushed the code. Pull requests that are no longer needed, for example because all security vulnerabilities were fixed manually, are closed automatically.
- Install potentially breaking updates

  Run `npm audit fix` with the `--force` flag to install potentially breaking, semver-major updates. Without `--force`, `npm audit fix` skips fixes that require a semver-major bump; with it, those upgrades are applied, so pair this option with one of the pull request options above so that the change is reviewed and tested before it lands on a branch.

- Configure pull request labels

  Add additional labels to pull requests raised by this skill. This is useful to influence how and when the PR is auto-merged by the Auto-Merge Pull Requests skill.
- Specify how to update dependencies

  When there are no security vulnerabilities to fix, this skill can run `npm outdated` and `npm update` to determine and update dependencies automatically. The following options are available:

  - Raise pull request for default branch; commit to other branches: updates on the default branch are submitted via a pull request; updates on other branches are committed straight onto the branch
  - Raise pull request for default branch only: updates on the default branch are submitted via a pull request; updates on other branches are not attempted
  - Raise pull request for any branch: updates on all branches are submitted via a pull request
  - Commit to default branch only: updates on the default branch are committed straight to the branch; updates on other branches are not attempted
  - Commit to any branch: updates on all branches are committed straight to the branch
  - Do not update dependencies

  Pull requests raised by this skill automatically get a reviewer assigned, based on the person who pushed the code. Pull requests that are no longer needed, for example because the updates were applied manually, are closed automatically.
- Determine repository scope

  By default, this skill is enabled for all repositories in all organizations you have connected. To restrict it to particular organizations or repositories, explicitly choose the organizations and repositories on which the skill should run.
- Activate the skill

  Save your configuration and activate the skill by clicking the "Enable skill" button.
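The filters described under "Configure minimum severity to report", "Exclude specific packages" and "Exclude specific npm advisories", together with the semver-major case behind "Install potentially breaking updates", as an added example in JavaScript. This is not the skill's own code: it works on the JSON that `npm audit --json` emits (report version 2, npm 7 and later), decides whether a check should fail, and marks findings that `npm audit fix` will only apply with `--force`. The report, package names and numeric advisory ids below are constructed placeholders, not real advisories.

```javascript
// Added example, not the skill's own code. Applies the skill's filters to an
// `npm audit --json` report (auditReportVersion 2) and decides pass/fail.
// The sample report is constructed; names and advisory ids are placeholders.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
const rank = (s) => SEVERITY_RANK[s] ?? 0;

// Constructed sample in the shape npm 7+ produces. `via` holds advisory objects
// for the package that carries the advisory, or a package-name string when the
// package is vulnerable only through a dependency. `fixAvailable` is true,
// false, or an object when the only fix is a semver-major upgrade.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": {
      name: "example-parser", severity: "high", isDirect: true,
      via: [{ source: 1001, name: "example-parser", title: "placeholder advisory A", severity: "high", range: "<2.0.0" }],
      effects: ["example-app-shell"], range: "<2.0.0", nodes: ["node_modules/example-parser"],
      fixAvailable: true, // compatible fix: plain `npm audit fix` applies it
    },
    "example-app-shell": {
      name: "example-app-shell", severity: "high", isDirect: true,
      via: ["example-parser"], // transitive: no advisory of its own
      effects: [], range: "*", nodes: ["node_modules/example-app-shell"], fixAvailable: true,
    },
    "example-legacy-client": {
      name: "example-legacy-client", severity: "critical", isDirect: true,
      via: [{ source: 1002, name: "example-legacy-client", title: "placeholder advisory B", severity: "critical", range: "<3.0.0" }],
      effects: [], range: "<3.0.0", nodes: ["node_modules/example-legacy-client"],
      fixAvailable: { name: "example-legacy-client", version: "3.0.0", isSemVerMajor: true }, // needs --force
    },
    "example-logger": {
      name: "example-logger", severity: "low", isDirect: false,
      via: [{ source: 1003, name: "example-logger", title: "placeholder advisory C", severity: "low", range: "<1.4.0" }],
      effects: [], range: "<1.4.0", nodes: ["node_modules/example-logger"], fixAvailable: true,
    },
  },
};

// Dev-dependency exclusion happens on the command line: npm decides which
// dependency tree it audits, so the report alone cannot tell dev from prod.
function buildAuditCommand({ excludeDevDependencies = false } = {}) {
  const argv = ["npm", "audit", "--json"];
  if (excludeDevDependencies) argv.push("--production"); // newer npm also accepts --omit=dev
  return argv;
}

function buildFixCommand({ force = false } = {}) {
  const argv = ["npm", "audit", "fix"];
  if (force) argv.push("--force"); // allows semver-major upgrades
  return argv;
}

// Returns { fail, findings }. Option names mirror the skill parameters.
function evaluateAudit(report, { minSeverity = "info", excludePackages = [], excludeAdvisories = [] } = {}) {
  if (!(minSeverity in SEVERITY_RANK)) throw new Error(`unknown severity: ${minSeverity}`);
  const skipPackages = new Set(excludePackages);
  const skipAdvisories = new Set(excludeAdvisories);
  const findings = [];

  for (const vuln of Object.values(report.vulnerabilities ?? {})) {
    if (skipPackages.has(vuln.name)) continue;
    // Only advisory objects count. A string entry points at another package that
    // is evaluated under its own name, so excluding that package or its advisory
    // also silences everything that is vulnerable only through it.
    const advisories = vuln.via.filter(
      (v) => typeof v === "object" && v !== null && !skipAdvisories.has(v.source),
    );
    if (advisories.length === 0) continue;
    const worst = advisories.reduce((acc, a) => (rank(a.severity) > rank(acc.severity) ? a : acc));
    if (rank(worst.severity) < SEVERITY_RANK[minSeverity]) continue;
    const fix = vuln.fixAvailable;
    findings.push({
      package: vuln.name,
      severity: worst.severity,
      advisories: advisories.map((a) => a.source),
      fixable: fix !== false,
      needsForce: typeof fix === "object" && fix !== null && fix.isSemVerMajor === true,
    });
  }
  return { fail: findings.length > 0, findings };
}

// Stand-alone run: fail only on high and above, ignoring placeholder advisory 1003.
const verdict = evaluateAudit(sampleReport, { minSeverity: "high", excludeAdvisories: [1003] });
console.log(buildAuditCommand({ excludeDevDependencies: true }).join(" "));
console.log(buildFixCommand({ force: verdict.findings.some((f) => f.needsForce) }).join(" "));
console.log(JSON.stringify(verdict, null, 2));
```

The `needsForce` flag is what separates the two fix modes on this page: a finding whose `fixAvailable` is an object with `isSemVerMajor: true` is left in place by plain `npm audit fix` and only resolved when the "Install potentially breaking updates" option adds `--force`, which is why that option is best paired with a pull request rather than a direct commit.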