From ccd35f92ca4c428805ffb8e7efdb6d3e31a4077f Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Tue, 17 Feb 2026 13:15:50 +0100
Subject: [PATCH 1/6] add security vulnerability action

---
 .../workflows/fix-security-vulnerability.yml | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/fix-security-vulnerability.yml

diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
new file mode 100644
index 000000000000..38ed19e4ec45
--- /dev/null
+++ b/.github/workflows/fix-security-vulnerability.yml
@@ -0,0 +1,38 @@
+name: Fix Security Vulnerability
+
+on:
+ dependabot_alert:
+ types: [created]
+ workflow_dispatch:
+ inputs:
+ alert:
+ description: 'Dependabot alert number or URL (e.g. 1046 or https://github.com/getsentry/sentry-javascript/security/dependabot/1046)'
+ required: true
+
+concurrency:
+ group: fix-security-vuln-${{ github.event.alert.number || github.event.inputs.alert }}
+ cancel-in-progress: false
+
+jobs:
+ fix-vulnerability:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ issues: write
+ security-events: read
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: develop
+
+ - uses: anthropics/claude-code-action@v1
+ with:
+ anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+ prompt: |
+ /fix-security-vulnerability ${{ github.event.alert.number || github.event.inputs.alert }}
+
+ IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval.
+ Create a branch, apply the fix, and open a PR with your analysis
+ in the PR description. Target the develop branch.
+ claude_args: "--max-turns 20"

From 4b02e8d18205c6619a700b04140408d7e273fca1 Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Tue, 17 Feb 2026 13:23:31 +0100
Subject: [PATCH 2/6] yarn fix

---
 .github/workflows/fix-security-vulnerability.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
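Review bot: Both steps are pinned to floating major tags (`- uses: actions/checkout@v4`, `- uses: anthropics/claude-code-action@v1`) while the job holds `contents: write` and `pull-requests: write`; for a job that lets an agent push code, pin each `uses:` to a full commit SHA with the tag kept in a trailing comment, so that a moved tag cannot change what runs with those scopes. The `workflow_dispatch` input `alert` is interpolated unvalidated into both `concurrency.group` and the agent `prompt`, and its description invites a whole URL; a short first step that checks the value is either a bare number or the documented alert URL and fails otherwise keeps free text out of the prompt. `contents: write` together with `ref: develop` also permits direct pushes to `develop`, so the prompt's "open a PR" instruction is enforced only by branch protection on that branch — worth confirming, and worth a comment above `permissions:` stating why each write scope is required.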
diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
index 38ed19e4ec45..dc2973b109d8 100644
--- a/.github/workflows/fix-security-vulnerability.yml
+++ b/.github/workflows/fix-security-vulnerability.yml
@@ -6,7 +6,9 @@ on:
 workflow_dispatch:
 inputs:
 alert:
- description: 'Dependabot alert number or URL (e.g. 1046 or https://github.com/getsentry/sentry-javascript/security/dependabot/1046)'
+ description:
+ 'Dependabot alert number or URL (e.g. 1046 or
+ https://github.com/getsentry/sentry-javascript/security/dependabot/1046)'
 required: true
 
 concurrency:
@@ -35,4 +37,4 @@ jobs:
 IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval.
 Create a branch, apply the fix, and open a PR with your analysis
 in the PR description. Target the develop branch.
- claude_args: "--max-turns 20"
+ claude_args: '--max-turns 20'

From 4d086916eac4393319d236185e8eaf37add89a16 Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Tue, 17 Feb 2026 13:30:09 +0100
Subject: [PATCH 3/6] remove issues write permission

---
 .github/workflows/fix-security-vulnerability.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
index dc2973b109d8..bd91328ad7db 100644
--- a/.github/workflows/fix-security-vulnerability.yml
+++ b/.github/workflows/fix-security-vulnerability.yml
@@ -21,7 +21,6 @@ jobs:
 permissions:
 contents: write
 pull-requests: write
- issues: write
 security-events: read
 steps:
 - uses: actions/checkout@v4

From 403503093706ea8760308216fc4af5fcad504937 Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Wed, 18 Feb 2026 09:10:00 +0100
Subject: [PATCH 4/6] update workflow

---
 .github/workflows/fix-security-vulnerability.yml | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
index bd91328ad7db..93ba6420a8c5 100644
--- a/.github/workflows/fix-security-vulnerability.yml
+++ b/.github/workflows/fix-security-vulnerability.yml
@@ -22,6 +22,7 @@ jobs:
 contents: write
 pull-requests: write
 security-events: read
+ issues: write
 steps:
 - uses: actions/checkout@v4
 with:
@@ -34,6 +35,16 @@ jobs:
 /fix-security-vulnerability ${{ github.event.alert.number || github.event.inputs.alert }}
 
 IMPORTANT: Do NOT dismiss any alerts. Do NOT wait for approval.
- Create a branch, apply the fix, and open a PR with your analysis
- in the PR description. Target the develop branch.
+
+ If you can fix the vulnerability:
+ Create a branch, apply the fix, and open a PR with your analysis
+ in the PR description. Target the develop branch.
+
+ If you determine the alert should NOT be fixed (version-specific test package,
+ false positive, no upstream fix available, dev-only acceptable risk, etc.):
+ Do NOT dismiss the alert. Instead, open a GitHub issue with:
+ - Title: "Security: Dismiss Dependabot alert # - "
+ - Label: "Security"
+ - Body: Include the full vulnerability details, your analysis,
+ the recommended dismissal reason, and why the alert cannot/should not be fixed.
 claude_args: '--max-turns 20'

From f99bf8e082fce107dd4d589797d4aa984905dd57 Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Wed, 18 Feb 2026 09:47:09 +0100
Subject: [PATCH 5/6] simplify

---
 .github/workflows/fix-security-vulnerability.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
index 93ba6420a8c5..9594d86ffa67 100644
--- a/.github/workflows/fix-security-vulnerability.yml
+++ b/.github/workflows/fix-security-vulnerability.yml
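Review bot: The fallback path added to the prompt tells the agent to open a GitHub issue whose body holds "the full vulnerability details" of an alert that will not be fixed; if the repository is public, that publishes a known-unpatched dependency problem which the Dependabot alert itself keeps restricted to maintainers, so the issue text should be limited to the alert number and the dismissal rationale, or the report routed somewhere private (a repository security advisory or an internal tracker). The title template in `- Title: "Security: Dismiss Dependabot alert # - "` has nothing between `#` and `-`; if the alert number and package were meant to go there (angle-bracket placeholders may have been stripped in transit), spell them out, e.g. `- Title: "Security: Dismiss Dependabot alert #<alert number> - <package>"`. `- Label: "Security"` presumes that label exists — as far as I recall `gh issue create --label` fails when it does not — so either create it in the repository or state in the prompt that the label is optional. The `prompt: |` header and the rest of the step lie outside this hunk.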
@@ -40,8 +40,7 @@ jobs:
 Create a branch, apply the fix, and open a PR with your analysis
 in the PR description. Target the develop branch.
 
- If you determine the alert should NOT be fixed (version-specific test package,
- false positive, no upstream fix available, dev-only acceptable risk, etc.):
+ If you determine the alert should NOT be fixed:
 Do NOT dismiss the alert. Instead, open a GitHub issue with:
 - Title: "Security: Dismiss Dependabot alert # - "
 - Label: "Security"

From c5b538965c5a5d38987eb47626e4c8d46a87b5e3 Mon Sep 17 00:00:00 2001
From: Nicolas Hrubec
Date: Wed, 18 Feb 2026 16:07:34 +0100
Subject: [PATCH 6/6] add tools

---
 .github/workflows/fix-security-vulnerability.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/fix-security-vulnerability.yml b/.github/workflows/fix-security-vulnerability.yml
index 9594d86ffa67..1ff86d89109b 100644
--- a/.github/workflows/fix-security-vulnerability.yml
+++ b/.github/workflows/fix-security-vulnerability.yml
@@ -46,4 +46,5 @@ jobs:
 - Label: "Security"
 - Body: Include the full vulnerability details, your analysis,
 the recommended dismissal reason, and why the alert cannot/should not be fixed.
- claude_args: '--max-turns 20'
+ claude_args: |
+ --max-turns 20 --allowedTools "Bash(gh api *),Bash(gh pr create *),Bash(gh issue create *),Bash(yarn why *),Bash(yarn install*),Bash(yarn dedupe-deps:*),Bash(npm view *),Bash(git *)"
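Review bot: `Bash(git *)` and `Bash(gh api *)` in the new `--allowedTools` list are open wildcards: with the job's `contents: write` the first covers pushes to any branch rather than only the fix branch, and the second covers every REST call the workflow token's scopes allow, so the `permissions:` block — in particular `security-events: read`, which being read-only should be what actually blocks dismissal through the API — is the real boundary, not the prompt's "do NOT dismiss" wording. Narrow each pattern to what the slash command needs (e.g. `Bash(gh api repos/getsentry/sentry-javascript/dependabot/alerts/*)` for reading the alert, and separate `git` patterns for checkout/add/commit/push) and add a comment above `claude_args:` stating that the permissions block, not the tool list, is the enforcement point. `Bash(yarn install*)` also runs the lifecycle scripts of whatever versions the upgrade resolves, inside a job holding write tokens; if the fix does not need them, prefer an install with scripts disabled for this step. Style: `claude_args: |` keeps a trailing newline in the argument string, and `|-` is the conventional header for a single-line value.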