Dependency Security Monitor

Checks your dependencies against vuln databases every day and reports only what newly changed — with a draft bump PR ready

L3 · Maintenance · Generator · Low risk · Semi-autonomous · Fixed interval · tested
What it does

Catch newly disclosed vulnerabilities in your dependency tree the day they land, with the upgrade already drafted.

Stops when

continuous

Runs

Fixed interval (0 7 * * *) · Semi-autonomous

How one iteration works

discover → plan → execute → verify → escalate

  1. Discover

     Resolve the current dependency lockfile and check each package against vulnerability advisories.

  2. Plan

     Diff today's findings against yesterday's snapshot; isolate what is NEW or newly resolved.

  3. Execute

     Write a status report of the delta; for each new fixable vuln, draft the minimal version bump in a branch.

  4. Verify

     After a draft bump, run the build + tests to confirm the upgrade doesn't break anything before proposing it.

  5. Escalate

     Vulns with no safe upgrade, or bumps that break the build, are flagged for human attention rather than auto-fixed.

The prompt

The tool-agnostic spec the loop runs each pass — copy it, then wire it to your tool below.

Audit the current dependencies against vulnerability advisories. Compare the findings to yesterday's snapshot and report ONLY what changed: newly disclosed vulns, and ones that are now resolved. For each new vulnerability that has a safe patch/minor upgrade, create a branch with the minimal bump, run the build and tests, and if green open a draft PR. If there's no safe upgrade or the bump breaks the build, list it under 'needs manual attention' with the advisory link. Overwrite the snapshot with today's findings. If nothing changed, say 'no new advisories'.
Claude Code

/schedule daily 7am: audit deps, report the delta, draft safe bumps

Generic

audit --json > today.json; agent -p 'diff today.json vs snapshot.json, report delta, draft safe bumps, run tests'; mv today.json snapshot.json

Memory contract

A snapshot file of yesterday's findings (package -> advisory ids). Today's run diffs against it, then overwrites it. The report only mentions the delta.
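The snapshot diff and the plan step above, as an added example that is not part of this page or any agent tool. It assumes a constructed audit schema (package -> installed version and advisories with an optional fixed_in version); real audit tools each emit their own format, so the loader is the part you would adapt.

```python
import json
# Constructed sample audit output (an assumed schema, not any real tool's):
# package -> installed version and the advisories that apply to it.
SNAPSHOT_JSON = """{
  "lodash":   {"installed": "4.17.19", "advisories": [{"id": "GHSA-sample-a", "fixed_in": "4.17.20"}]},
  "minimist": {"installed": "1.2.5",   "advisories": [{"id": "GHSA-sample-b", "fixed_in": null}]}
}"""
TODAY_JSON = """{
  "lodash":   {"installed": "4.17.20", "advisories": [{"id": "GHSA-sample-c", "fixed_in": "4.17.21"}]},
  "minimist": {"installed": "1.2.5",   "advisories": [{"id": "GHSA-sample-b", "fixed_in": null}]},
  "express":  {"installed": "4.18.2",  "advisories": [{"id": "GHSA-sample-d", "fixed_in": "5.0.0"}]}
}"""

def advisory_keys(audit):
    return {(pkg, a["id"]) for pkg, entry in audit.items() for a in entry["advisories"]}

def diff_findings(snapshot, today):
    """The delta: advisories present today but not yesterday, and vice versa."""
    before, after = advisory_keys(snapshot), advisory_keys(today)
    return sorted(after - before), sorted(before - after)

def is_safe_bump(installed, fixed_in):
    """'Safe' means a patch or minor upgrade: a fix exists and the major version is unchanged."""
    return fixed_in is not None and installed.split(".")[0] == fixed_in.split(".")[0]

def plan_delta(snapshot, today):
    """Split new advisories into draftable bumps and ones that need a human."""
    new, resolved = diff_findings(snapshot, today)
    bumps, manual = [], []
    for pkg, adv_id in new:
        entry = today[pkg]
        adv = next(a for a in entry["advisories"] if a["id"] == adv_id)
        if is_safe_bump(entry["installed"], adv["fixed_in"]):
            bumps.append((pkg, entry["installed"], adv["fixed_in"], adv_id))
        else:
            manual.append((pkg, adv_id))
    return {"new": new, "resolved": resolved, "bumps": bumps, "manual": manual}

def render_report(delta):
    """Report only the delta; a quiet day is a one-liner, never the full advisory list."""
    if not delta["new"] and not delta["resolved"]:
        return "no new advisories"
    lines = [f"{len(delta['new'])} new, {len(delta['resolved'])} resolved since yesterday."]
    lines += [f"draft bump: {p} {cur} -> {tgt} ({adv})" for p, cur, tgt, adv in delta["bumps"]]
    lines += [f"needs manual attention: {p} {adv}" for p, adv in delta["manual"]]
    return "\n".join(lines)

def run(snapshot_text, today_text):
    return render_report(plan_delta(json.loads(snapshot_text), json.loads(today_text)))
```

Overwrite snapshot.json with today's audit only after the report has been written, so a run that fails midway never loses a day's delta.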

Verification & guardrails

How it checks itself. A proposed bump is only surfaced if the project builds and tests pass against the new version; otherwise it's flagged as 'needs manual upgrade'.

  • Opens draft PRs for bumps — never auto-merges a dependency change
  • Only proposes a bump after the build + tests pass with it
  • Reports the delta, not the full list, to avoid alert fatigue

Failure modes

  • Alert fatigue if it re-reports the whole advisory list daily — diff against the snapshot
  • Proposes a major bump that breaks the build — gate on tests and prefer minimal/patch upgrades
  • Misses a transitive dep if the audit tool only scans direct deps

Variations

  • Report-only. Drop the PR drafting and risk to 'low'; just post the daily delta to a channel.
  • Auto-merge patch. For patch-level bumps that pass CI, allow auto-merge (raises risk to medium) — only with strong test coverage.

Example run

1 new advisory: lodash GHSA-xxxx (high). Patch available -> drafted bump 4.17.20 -> 4.17.21, tests green, draft PR #214 opened. 1 resolved since yesterday. Snapshot updated.