Merged
diegopinate
approved these changes
May 5, 2026
Three targeted improvements to the fix-audit-vulnerabilities skill, identified through two-eval testing against a baseline (no skill).
Changes:
Step 2 — pnpm why is now mandatory. Previously phrased as a general suggestion. The eval showed the baseline skipped it and missed a transitive path through eslint, only discovering it accidentally. The step now explicitly states it must run before choosing a fix strategy, and instructs recording both whether the package is direct/transitive and the full dep chain.
Step 4 Option A — range guidance for direct dep bumps. The baseline pinned to an exact version ("7.0.5") instead of a range ("^7.0.5"), meaning future patches won't be picked up. Added a callout box explaining to use ^ or >= ranges so future patches are resolved automatically.
Step 7 — expanded to "Minimize the Fix Footprint". Previously only covered replacing overrides with dep bumps. Added a second check: if pnpm why showed a package is purely transitive but a direct devDependency was added just to control its version, remove it and use a scoped override instead. The eval baseline made this mistake in eval 1 (added cross-spawn as a direct dep for a purely transitive vulnerability).
Eval results: with-skill 14/14 (100%) vs baseline 11/14 (79%) across two scenarios.
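The three rules above (record direct vs. transitive chains before picking a strategy, bump direct deps with a range rather than an exact pin, and replace a direct dep that only exists to control a transitive version with a parent-scoped override) can be expressed as a small planner. The following is an added example, not code from this PR or from the skill it edits: the `package.json` contents and the dependency graph standing in for `pnpm why` output are constructed, and `imported_by_project` is an assumed input (whether the project's own source actually imports the package), since `package.json` alone cannot tell a real dependency from a version-control shim. The `parent>child` override key is pnpm's documented selector form for `pnpm.overrides`.

```python
"""Planner for the fix-audit-vulnerabilities rules (added example; constructed data)."""
import copy
import json
import re
from collections import deque

EXACT_PIN = re.compile(r"^\d+\.\d+\.\d+$")  # matches "7.0.5", not "^7.0.5" or ">=7.0.5"

# Constructed package.json showing the baseline's mistake from eval 1 (assumption, not the
# PR's real files): cross-spawn added as a direct devDependency, pinned to an exact version.
BASELINE_PACKAGE_JSON = {
    "name": "example-app",
    "devDependencies": {"eslint": "^9.0.0", "cross-spawn": "7.0.5"},
}

# Constructed dependency graph standing in for `pnpm why cross-spawn`:
# each key lists the packages it depends on.
DEP_GRAPH = {"eslint": ["cross-spawn"], "cross-spawn": []}


def dependency_chains(graph, roots, target):
    """All paths root -> ... -> target (the question `pnpm why` answers)."""
    chains = []
    queue = deque([root] for root in roots)
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target:
            chains.append(path)
            continue
        for child in graph.get(node, []):
            if child not in path:  # guard against dependency cycles
                queue.append(path + [child])
    return chains


def pinned_entries(pkg):
    """Step 4 check: direct entries pinned to an exact version, which future patches would miss."""
    return [
        (section, name, spec)
        for section in ("dependencies", "devDependencies")
        for name, spec in pkg.get(section, {}).items()
        if EXACT_PIN.match(spec)
    ]


def plan_fix(pkg, graph, vulnerable, fixed_version, imported_by_project):
    """Return (classification, chains, corrected package.json).

    Step 2: classify the package and record every chain before choosing a strategy.
    Step 4: a direct bump uses a caret range so later patches resolve automatically.
    Step 7: a direct entry that only controls a transitive version is removed and
            replaced by a parent-scoped override, keeping the fix footprint minimal.
    """
    new_pkg = copy.deepcopy(pkg)
    sections = [s for s in ("dependencies", "devDependencies") if vulnerable in new_pkg.get(s, {})]
    other_roots = [
        dep for s in ("dependencies", "devDependencies")
        for dep in new_pkg.get(s, {}) if dep != vulnerable
    ]
    chains = dependency_chains(graph, other_roots, vulnerable)
    if not sections and not chains:
        raise ValueError(f"{vulnerable} is not in the dependency tree")

    if not chains:
        classification = "direct"
    elif imported_by_project:
        classification = "direct+transitive"
    else:
        classification = "transitive"  # listed directly or not, it is only a transitive need

    range_spec = f"^{fixed_version}"
    if imported_by_project:
        for s in sections or ["dependencies"]:
            new_pkg.setdefault(s, {})[vulnerable] = range_spec  # Step 4: range, not pin
    else:
        for s in sections:
            del new_pkg[s][vulnerable]  # Step 7: drop the shim dependency

    if chains:
        overrides = new_pkg.setdefault("pnpm", {}).setdefault("overrides", {})
        for chain in chains:
            parent = chain[-2]  # immediate parent scopes the override to that path only
            overrides[f"{parent}>{vulnerable}"] = range_spec
    return classification, chains, new_pkg


if __name__ == "__main__":
    print("pinned before:", pinned_entries(BASELINE_PACKAGE_JSON))
    cls, chains, fixed = plan_fix(BASELINE_PACKAGE_JSON, DEP_GRAPH, "cross-spawn", "7.0.5",
                                  imported_by_project=False)
    print(cls, [" > ".join(c) for c in chains])
    print(json.dumps(fixed, indent=2))
```

Running it on the constructed baseline reports the package as transitive via `eslint > cross-spawn`, drops the direct `cross-spawn` entry, and emits `"eslint>cross-spawn": "^7.0.5"` under `pnpm.overrides`; the same planner turns a genuinely direct exact pin into a caret range without touching overrides.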