Fixing 20 Security Vulnerabilities with Claude Code: A Real-World Case Study
Learn how to fix GitHub Dependabot alerts efficiently using Claude Code. Covers npm audit, pnpm overrides, and handling transitive dependencies across multiple projects.
Every developer has faced this: GitHub Dependabot shows a wall of red security alerts, and you’re not sure where to start. This article documents how I used Claude Code to clear 20 security vulnerabilities in about 20 minutes.
The Problem
My project had 3 subprojects with security issues:
| Project | Vulnerabilities | Severity |
|---|---|---|
| mcp-director-mode-server | 8 | 1 high, 7 moderate |
| claude-world-mcp-app | 1 | 1 high |
| 07-product-app | 10 | 4 high, 6 moderate |
| Total | 20 | 6 high, 14 moderate |
Key vulnerabilities:
- @modelcontextprotocol/sdk: Cross-client data leak (HIGH)
- wrangler: OS Command Injection (HIGH)
- hono: XSS, Cache Deception, IP Spoofing (MODERATE)
- esbuild, lodash, undici: Various moderate issues
Fixing with Claude Code
Step 1: Let Claude Analyze
Me: Fix all security vulnerabilities in the subprojects
Claude: Let me check the package.json files first...
[Reads mcp-director-mode-server/package.json]
[Reads claude-world-mcp-app/package.json]
[Reads 07-product-app/package.json]
I see 07-product-app is a monorepo. Let me check the workspace packages...
Step 2: Update Direct Dependencies
npm projects:
```bash
# mcp-director-mode-server
npm install @modelcontextprotocol/sdk@^1.26.0 --save
npm audit fix --force   # vitest 2.x → 4.x
```
# claude-world-mcp-app
npm install @modelcontextprotocol/sdk@^1.26.0 --save
pnpm monorepo:
```bash
# 07-product-app
pnpm update hono@latest -r
pnpm update wrangler@latest -r
```
Step 3: Handle Transitive Dependencies
This is the critical part. Some vulnerabilities come from indirect dependencies:
@astrojs/cloudflare → wrangler@4.50.0 → miniflare → undici@7.14.0 (vulnerable)
You can’t directly update undici because it’s a dependency of a dependency.
Solution: pnpm overrides
Add to package.json:
```json
{
  "pnpm": {
    "overrides": {
      "wrangler@>=4.0.0 <4.59.1": ">=4.59.1",
      "undici@>=7.0.0 <7.18.2": ">=7.18.2",
      "esbuild@<=0.24.2": ">=0.25.0",
      "lodash@>=4.0.0 <=4.17.22": ">=4.17.23"
    }
  }
}
```
Then reinstall:
```bash
pnpm install
pnpm audit   # verify
```
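To make the override step checkable rather than a matter of trust, here is an added example (not code from the article or from Claude Code) that turns audit findings into a fix plan and then re-checks a lockfile snapshot against the same vulnerable ranges the overrides use. The findings and version snapshots are constructed from the ranges in the overrides block above; only the undici dependency path comes from the article, and the version matcher handles plain x.y.z versions only.

```javascript
// Added example (not from the article): turn audit findings into a fix plan
// and re-check installed versions against the vulnerable ranges afterwards.
// Handles plain x.y.z versions only; use the semver package for real work.

// Constructed findings using ranges from the article's overrides block.
// The undici path is the chain the article shows; wrangler is a direct dep.
const findings = [
  { name: "wrangler", range: ">=4.0.0 <4.59.1", patched: "4.59.1",
    path: ["wrangler"] },
  { name: "undici", range: ">=7.0.0 <7.18.2", patched: "7.18.2",
    path: ["@astrojs/cloudflare", "wrangler", "miniflare", "undici"] },
];

const parse = (v) => v.split(".").map(Number);
// Three-part numeric comparison: negative, zero or positive, like strcmp.
function cmp(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
const ops = { ">=": (c) => c >= 0, "<=": (c) => c <= 0, ">": (c) => c > 0,
              "<": (c) => c < 0, "=": (c) => c === 0 };

// True when `version` satisfies every space-separated clause of `range`,
// e.g. ">=4.0.0 <=4.17.22" or "<=0.24.2" as written in pnpm override keys.
function inRange(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = clause.match(/^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/);
    if (!m) throw new Error(`unsupported clause: ${clause}`);
    return ops[m[1] || "="](cmp(version, m[2]));
  });
}

// Direct dependencies (path length 1) get a normal update; deeper ones
// become pnpm overrides keyed by the vulnerable range, as in the article.
function planFixes(list) {
  const overrides = {}, directUpdates = [];
  for (const f of list) {
    if (f.path.length === 1) directUpdates.push(`${f.name}@${f.patched}`);
    else overrides[`${f.name}@${f.range}`] = `>=${f.patched}`;
  }
  return { overrides, directUpdates };
}

// installed: name -> versions present in the lockfile (pnpm may keep several).
// Returns the names whose vulnerable range still matches any installed copy.
function stillVulnerable(list, installed) {
  return list.filter((f) => (installed[f.name] || []).some((v) => inRange(v, f.range)))
    .map((f) => f.name);
}
```

Feed `stillVulnerable` the versions from the lockfile after `pnpm install`; an empty result is the same condition `pnpm audit` reports as "No known vulnerabilities found", but checked against the exact override ranges you wrote.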
The Actual Conversation
Starting the Fix
Me: Fix all GitHub Dependabot security vulnerabilities
Claude: Let me check all three projects' package.json files...
[Reads mcp-director-mode-server/package.json]
[Reads claude-world-mcp-app/package.json]
[Reads 07-product-app/package.json]
Found that 07-product-app is a monorepo, checking workspace packages...
Parallel Execution
Claude executed three updates simultaneously:
```bash
# Running in parallel
cd mcp-director-mode-server && npm install @modelcontextprotocol/sdk@^1.26.0
cd claude-world-mcp-app && npm install @modelcontextprotocol/sdk@^1.26.0
cd 07-product-app && pnpm update hono@latest wrangler@latest -r
```
Handling Remaining Vulnerabilities
Claude: 07-product-app still has 4 vulnerabilities from transitive dependencies.
I'll add pnpm overrides to package.json...
[Edits 07-product-app/package.json]
[Runs pnpm install]
[Runs pnpm audit]
Result: No known vulnerabilities found
Final Verification
Claude: Verifying all projects:
✅ mcp-director-mode-server: 0 vulnerabilities
✅ claude-world-mcp-app: 0 vulnerabilities
✅ 07-product-app: 0 vulnerabilities
Total: All 20 vulnerabilities fixed
Key Techniques Learned
1. When to Use npm audit fix
```bash
npm audit fix           # Safe updates (respects semver)
npm audit fix --force   # Force updates (may have breaking changes)
```
Tip: Try npm audit fix first. Only use --force if needed, then run tests.
2. pnpm overrides vs npm overrides
| Feature | pnpm | npm |
|---|---|---|
| Syntax | pnpm.overrides | overrides |
| Conditional syntax | "pkg@>=1.0 <2.0": ">=2.0" | Not supported |
| Applies on | pnpm install | npm install |
pnpm’s conditional syntax is more powerful—you can precisely specify “only override vulnerable version ranges.”
3. Working with Monorepos
```bash
pnpm update <pkg>@latest -r             # -r = recursive, updates all workspaces
pnpm update <pkg> --filter @scope/pkg   # Update specific package only
```
4. Verifying the Fix
```bash
# Local verification
npm audit   # or: pnpm audit
# GitHub Dependabot rescans 5-10 minutes after push
git push
# Wait, then check the GitHub Security tab
```
Why Use Claude Code?
Traditional manual fixing:
1. Read Dependabot alerts
2. Research each vulnerability advisory
3. Determine which are direct vs indirect dependencies
4. Decide update strategy
5. Manually run npm/pnpm commands
6. Handle breaking changes
7. Run tests to verify nothing broke
With Claude Code:
1. Describe the problem: "Fix all security vulnerabilities"
2. Claude analyzes + executes + verifies automatically
3. Review Claude's changes
4. Commit
Time saved: From 1-2 hours of research + execution → 20 minutes of conversation
Summary
| Item | Result |
|---|---|
| Vulnerabilities | 20 → 0 |
| Time spent | ~20 minutes |
| Projects | 3 (npm + pnpm monorepo) |
| Key technique | pnpm overrides for transitive deps |
Key insight: Security vulnerability fixing is one of the best use cases for Claude Code—
- Clear task definition (audit report is the spec)
- Easy verification (audit passing = success)
- Requires multi-file operations
Next time you see Dependabot alerts, just hand them to Claude Code.