← ClaudeAtlas

security-issue-deduplicatelisted

Merge two <tracker> tracking issues that describe the same root-cause vulnerability, preserving every reporter's credit, every mailing-list thread reference, and every independent attack-vector description. Updates the kept issue's body in place, closes the duplicate with the `duplicate` label, and regenerates the CVE JSON attachment so both finders land in `credits[]`.
apache/airflow-steward · ★ 19 · AI & Automation · score 80
Install: claude install-skill apache/airflow-steward
<!-- Placeholder convention (see AGENTS.md#placeholder-convention-used-in-skill-files): <project-config> → adopting project's `.apache-steward/` directory <tracker> → value of `tracker_repo:` in <project-config>/project.md (example: airflow-s/airflow-s for the Apache Airflow security team) <upstream> → value of `upstream_repo:` in <project-config>/project.md (example: apache/airflow) <cve-tool> → CVE-tool adapter directory under `tools/` named by `cve_authority.tool` in <project-config>/project.md (example: cve-tool-vulnogram for the ASF default). Before running any bash command below, substitute these with the concrete values from the adopting project's <project-config>/project.md. --> # security-issue-deduplicate Merges two `<tracker>` tracking issues that describe the same underlying vulnerability. The output is a single tracker ("the **kept** issue") that carries every reporter's credit, every mailing-list thread, and every independent report's body, with the other tracker ("the **dropped** issue") closed and labelled `duplicate`. This is **one of the few places in the security workflow** where a piece of reporter-supplied content (the dropped issue's body) moves from one tracker to another. Since the target tracker is private to `<tracker>`, no confidentiality boundary is crossed, but the skill must still preserve every reporter'