The droid that runs dependency & CVE watch

Dependencies, patched before the audit.

A droid that keeps the codebase current and safe: it watches for vulnerable dependencies and new advisories, opens the upgrade, runs the test suite on its own machine to prove it’s safe, and files the rest — escalating only the criticals that need a human decision. The security backlog stops being the thing you face down once a year.

Same week: advisories triaged and patched — not at audit time
Tested upgrades: PRs opened green, proven on its own machine
Criticals only: humans paged for the vulnerabilities that matter

Does: Watches deps, opens tested upgrades
Where: SaaS platform team, ~15 engineers
Reaches people on: Slack
Works inside: GitHub, Linear
Runs: Daily scan + on every advisory
The situation

Security debt stays invisible until an audit makes it an emergency.

Dependencies drifted out of date because keeping them current was nobody’s favourite afternoon. Advisories piled up in a queue, each upgrade carried the risk of breaking something, and testing them by hand was exactly the kind of work that gets deferred. So security debt accumulated quietly until an audit forced a frantic month of catch-up.

And the genuinely urgent vulnerabilities — the ones being actively exploited — were easy to miss in the noise of routine version bumps. The team needed something watching every day, doing the safe upgrades with the tests already passing, and saving human attention for the criticals.

How it works

How the droid took it on.

Rather than defer upgrades until they pile up, the team handed the watch over. Every morning the droid scans the dependencies, opens the safe upgrades with tests already passing on its own machine, files the rest, and pages a human only for a real critical.

TASK #402 · Dependency & CVE watch · standing
trigger: Every morning at 5:00 — a full dependency scan
also: Any new advisory, plus a weekly digest
scope: Every dependency across the repos
runs as: A contained droid action per scan — on its own sandboxed machine
memory: What we actually use, and past upgrade outcomes

Set up once, in plain language — “watch our dependencies, open the safe upgrades with the tests already passing, file the rest, and page me only for a real critical.” The droid turned that into a standing job — the security hygiene that usually only happens the month before an audit.

Every scan trips the same loop:

Ongoing handling

How it ran, advisory after advisory.

Here’s a week of dependency-watching as it actually unfolded — across GitHub and its own machine. Only the one exploited critical ever needed a person.

  1. Mon 5:00am · scan
    • GitHub

    Scanned 312 dependencies and found 6 updates and 2 carrying advisories — none critical.

  2. Mon 5:20am · upgrade · library X
    • GitHub

    Opened a green, tested PR for a moderate vuln — full suite passing on its own machine first.

  3. Mon 5:40am · batch
    • GitHub
    • Linear

    Bundled 4 patch bumps into one green PR and filed the 2 that needed real work.

  4. Wed 11:00am · question
    • GitHub

    Confirmed the team wasn't exposed to a trending CVE, with the usage evidence logged.

  5. Thu 9:30am · critical · escalated
    • GitHub
    • Slack

    Paged security on an exploited CVE in a core dep, with blast radius and a migration plan.

  6. Fri 4:00pm · security digest

    The week reconciled — 11 upgraded (all green), 3 filed, 1 critical in progress with security.

See it in action

One week, advisory by advisory.

The morning scans, the advisories, and an engineer's question land on the left. Watch the droid pick up each one and work it across GitHub and its own machine — paging a human only for the critical that warrants it.

Dependency upgrades were the chore everyone deferred until an audit made it an emergency. Now they arrive as green PRs with the tests already passing, the messy ones are filed with notes, and I only get paged for a real critical. Our dependency health is just… current, all the time.
Priya R., Staff Engineer, SaaS platform

An illustrative workflow based on real product mechanics. Tool names and behaviour reflect how a droid actually triggers on a schedule, runs work on its own machine, and calls connected apps; figures are directional.

Try it with your droid

Run this workflow yourself.

Copy the brief below and paste it to your droid. It’ll walk you through the prerequisites, connect what it needs, and stand the workflow up with you.

Workflow brief
I'm a staff engineer on a ~15-person platform team, and dependency upgrades are the chore everyone defers. Advisories pile up, each upgrade risks breaking something, and testing them by hand gets deferred — so security debt accumulates quietly until an audit forces a frantic month of catch-up. Worse, the genuinely urgent, actively exploited vulnerabilities are easy to miss in the noise of routine version bumps.

Own dependency and CVE watch. Apps/channels: GitHub (manifests, PRs, CI), Linear (filing issues that need real work), Slack #eng (the digest and paging). Use your own sandboxed machine to run upgrades and the test suite before opening anything.

Run a full dependency scan every morning, and react to new advisories. On each scan:
1. Scan every manifest and cross-check against new security advisories, prioritizing by what's actually exploitable and what we actually use.
2. For a safe upgrade, create the branch, run the full test suite on your own machine, and open a green PR with the advisory and diff attached.
3. Batch routine patch bumps into one tested PR; file the ones that need real work (a deprecated API, a config change) as Linear issues.
4. Post a weekly security digest.

When an engineer asks whether we're exposed to a CVE, check whether we actually pull in the affected module and version, and answer with evidence. Use judgment: handle and file the routine work yourself, but for a critical — actively exploited, in a core dependency, where the fix is a breaking major bump — page the security lead with the blast radius and a migration plan. Remember what we actually use and past upgrade outcomes.
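The triage rules in the brief above (exposure checked against what we actually pull in, exploitability and severity first, routine patch bumps batched, major bumps filed, and a critical defined as exploited + core dependency + breaking major bump) are concrete enough to write down. The following is an added example of that loop, not the droid's or the product's own code: the manifest, the "newest release" table, the advisories and the CVE-style ids are all constructed for illustration, and CORE_DEPS is an assumed team-maintained list of load-bearing dependencies.

```python
"""Triage loop for a dependency & CVE watch (added illustration, not product code).

Everything below is constructed: the lockfile contents, the newest-release table,
the advisories and their placeholder ids. CORE_DEPS is an assumed list the team
maintains of its load-bearing dependencies.
"""

# Constructed lockfile contents: package -> pinned version we actually pull in.
MANIFEST = {
    "core-http": "3.4.1",
    "yaml-parse": "1.8.0",
    "log-fmt": "2.0.3",
    "img-resize": "0.9.2",
}

# Assumption: the team marks which dependencies are load-bearing.
CORE_DEPS = {"core-http"}

# Constructed "newest release" table, as a registry lookup would return it.
AVAILABLE = {"core-http": "4.0.0", "yaml-parse": "1.8.3",
             "log-fmt": "3.0.0", "img-resize": "0.9.5"}

# Constructed advisories; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "CVE-0000-0001", "package": "core-http", "affected_below": "4.0.0",
     "fixed_in": "4.0.0", "severity": "critical", "exploited": True},
    {"id": "CVE-0000-0002", "package": "yaml-parse", "affected_below": "1.8.3",
     "fixed_in": "1.8.3", "severity": "moderate", "exploited": False},
    {"id": "CVE-0000-0003", "package": "log-fmt", "affected_below": "3.0.0",
     "fixed_in": "3.0.0", "severity": "high", "exploited": False},
    {"id": "CVE-0000-0004", "package": "xml-sax", "affected_below": "2.2.0",
     "fixed_in": "2.2.0", "severity": "critical", "exploited": True},
]

SEVERITY_RANK = {"critical": 3, "high": 2, "moderate": 1, "low": 0}


def parse_version(v):
    """'1.8.3' -> (1, 8, 3); enough for the three-part versions used here."""
    return tuple(int(p) for p in v.split("."))


def bump_kind(installed, target):
    """Classify the jump from installed to target as major, minor or patch."""
    a, b = parse_version(installed), parse_version(target)
    if a[0] != b[0]:
        return "major"
    if a[1] != b[1]:
        return "minor"
    return "patch"


def exposure(manifest, adv):
    """Answer 'are we exposed?' with evidence: the installed version if it falls
    in the affected range, otherwise None (not installed, or already fixed)."""
    installed = manifest.get(adv["package"])
    if installed is None:
        return None
    if parse_version(installed) < parse_version(adv["affected_below"]):
        return installed
    return None


def triage(manifest, advisories, available, core_deps):
    """One scan: order advisories by exploitability then severity, pick an action
    for each, then batch the routine patch bumps that carry no advisory."""
    plan = {"escalate": [], "upgrade": [], "file": [], "not_exposed": [], "batch": []}
    advised = set()
    ordered = sorted(advisories, reverse=True,
                     key=lambda a: (a["exploited"], SEVERITY_RANK[a["severity"]]))
    for adv in ordered:
        installed = exposure(manifest, adv)
        if installed is None:
            plan["not_exposed"].append(adv["id"])   # logged as evidence for later questions
            continue
        advised.add(adv["package"])
        kind = bump_kind(installed, adv["fixed_in"])
        item = f"{adv['id']}: {adv['package']} {installed} -> {adv['fixed_in']} ({kind})"
        # A critical, per the brief: actively exploited, in a core dep, fix is a breaking major bump.
        if adv["exploited"] and adv["package"] in core_deps and kind == "major":
            plan["escalate"].append(item)
        elif kind == "major":
            plan["file"].append(item)      # needs real work: file it rather than auto-open
        else:
            plan["upgrade"].append(item)   # own tested PR with the advisory attached
    for pkg, newest in available.items():
        installed = manifest.get(pkg)
        if pkg in advised or installed is None or installed == newest:
            continue
        kind = bump_kind(installed, newest)
        if kind == "patch":
            plan["batch"].append(f"{pkg} {installed} -> {newest}")   # one bundled PR
        else:
            plan["file"].append(f"{pkg} {installed} -> {newest} ({kind}, no advisory)")
    return plan


if __name__ == "__main__":
    for bucket, items in triage(MANIFEST, ADVISORIES, AVAILABLE, CORE_DEPS).items():
        print(bucket, items)
```

With the constructed inputs, the exploited advisory in the core dependency is the only escalation, the patch-level advisory fix becomes its own PR, the major bump with a non-exploited advisory is filed, the advisory for a package we do not pull in is recorded as not-exposed evidence, and the advisory-free patch bump lands in the batch PR. The version comparison is deliberately minimal; a real scanner would use the ecosystem's own version semantics.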

What would a droid take off your desk?

Tell us the job that never gets done before close. We'll wire up a droid on a call and you can watch it work.