SRVKP-12532: CVE skill enhancement by preserving yarn.lock during analysis and adding npm ls evidence

.cursor/skills/fix-cves/SKILL.md

@@ -162,11 +162,11 @@ Before switching branches, verify the working tree is clean with `git status --p
 ```bash
 git checkout <branch>
 git pull upstream <branch>
-rm -rf node_modules yarn.lock
+rm -rf node_modules dist
 yarn install
 ```
 
-**Critical**: Always remove both `node_modules` and `yarn.lock` and reinstall to regenerate the dependency graph from scratch and avoid stale resolutions.
+**Critical**: Keep `yarn.lock` during initial install — it ensures analysis runs against the exact versions deployed on this branch. Only remove `yarn.lock` after applying resolutions (see `resolution` strategy below).
 
 ### 2b. Analyze each CVE
 
@@ -243,7 +243,7 @@ $ npm ls --all <pkg>
 <npm ls output>
 ```
 
-The evidence comes from the analyze-deps script output (`yarnWhyRaw` field).
+The evidence comes from the analyze-deps script output (`yarnWhyRaw` and `npmLsRaw` fields).
 
 **If using paste mode (Mode A)**, print the comment to the user so they can manually post it on the Jira ticket.
 
@@ -293,7 +293,12 @@ The package is transitive and no parent upgrade resolves it. Add or update the
 ```
 
 Merge with existing resolutions (currently: `webpack`, `@types/d3-dispatch`,
-`@types/d3-selection`). Then run `yarn install`.
+`@types/d3-selection`). Then regenerate the lockfile:
+
+```bash
+rm -rf node_modules yarn.lock
+yarn install
+```
 
 **Resolutions are a last resort.** Only use when neither direct-upgrade nor
 parent-upgrade is possible.
@@ -332,6 +337,8 @@ Please advise on next steps:
 - Use an alternative remediation approach
 ```
 
+The evidence comes from the analyze-deps script output (`yarnWhyRaw` and `npmLsRaw` fields).
+
 **If using paste mode (Mode A)**, print the triage comment to the user so they can manually post it on the Jira ticket or forward it to the reporter.
 
 Mark this CVE as `triaged` in the tracking table and skip it.

scripts/fix-cves/analyze-deps.ts

@@ -30,6 +30,7 @@ interface AnalysisResult {
     | 'triage-needed';
   reason: string;
   yarnWhyRaw: string;
+  npmLsRaw: string;
 }
 
 interface CLIArgs {
@@ -148,11 +149,7 @@ function getAllInstalledVersions(pkg: string): string[] {
   return [...versions];
 }
 
-function findVersions(
-  node: any,
-  pkg: string,
-  versions: Set<string>,
-): void {
+function findVersions(node: any, pkg: string, versions: Set<string>): void {
   if (!node || typeof node !== 'object') return;
   if (node.dependencies) {
     for (const [name, dep] of Object.entries<any>(node.dependencies)) {
@@ -264,6 +261,7 @@ function isVersionSatisfied(installed: string, required: string): boolean {
 function main(): void {
   const args = parseArgs();
   const { raw: yarnWhyRaw, chains } = getYarnWhy(args.package);
+  const npmLsRaw = runCmd('npm', ['ls', '--all', args.package]).trimEnd();
   const currentVersion = getCurrentVersion(args.package);
 
   // Full-tree check: verify ALL installed copies satisfy the fix, not just the
@@ -291,6 +289,7 @@ function main(): void {
       strategy: 'already-remediated',
       reason: `All ${installedVersions.length} installed copy/copies satisfy >= ${args.fixedVersion}`,
       yarnWhyRaw,
+      npmLsRaw,
     };
     console.log(JSON.stringify(result, null, 2));
     return;
@@ -345,6 +344,7 @@ function main(): void {
     strategy,
     reason,
     yarnWhyRaw,
+    npmLsRaw,
   };
 
   console.log(JSON.stringify(result, null, 2));