Why Claude Code blocks CVE and pnpm audit workflows and how to triage dependencies without Usage Policy errors.
Dependency audit output is a wall of CVE IDs, severity labels, and advisory text mentioning exploits. That is catnip for cyber classifiers.
The pnpm audit + RLS combo
Issues report that doing both in one session triggers Cyber Verification Program escalation, which is disproportionate for routine SaaS dev.
Split the workflow
Run the audit in a terminal yourself, then feed Claude/Icelake one CVE at a time with upgrade context. Use separate sessions for policy review and package bumps.
Automation note
Agents that run audit and ask for fix PRs in one loop are high risk for blocks — architect around classifier limits.
FAQ
Can I paste npm audit JSON?
A large paste increases keyword density. Summarize or chunk advisories.
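One way to do the chunking described under "Split the workflow" and in the FAQ answer, as an added example that is not from the original page: it reduces audit JSON to one short upgrade-focused summary per advisory. It assumes the npm-v6-style `advisories` object in the JSON and `>`-separated dependency paths; the function names, sample report and IDs are constructed.

```javascript
// Added example: turn audit JSON into one compact record per advisory.
// Assumption: report shape is { advisories: { <id>: { module_name, severity, ... } } }.
const SEVERITY_ORDER = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };

// First real package in a path such as ".>web-framework>example-parser".
function topLevel(path) {
  return path.split(">").map((s) => s.trim()).filter((s) => s && s !== ".")[0];
}

function summarizeAdvisories(auditJson) {
  const report = typeof auditJson === "string" ? JSON.parse(auditJson) : auditJson;
  return Object.values(report.advisories || {})
    .map((a) => {
      const findings = a.findings || [];
      return {
        id: (a.cves && a.cves[0]) || String(a.id), // fall back to the advisory id
        package: a.module_name,
        severity: a.severity,
        installed: [...new Set(findings.map((f) => f.version))].sort(),
        patched: a.patched_versions,
        via: [...new Set(findings.flatMap((f) => f.paths || []).map(topLevel))].sort(),
      };
    })
    // Most severe first, then by package name, so triage order is stable.
    .sort((x, y) =>
      (SEVERITY_ORDER[x.severity] ?? 9) - (SEVERITY_ORDER[y.severity] ?? 9) ||
      x.package.localeCompare(y.package));
}

// One short line per advisory: package, versions and the upgrade target only.
function toChunk(s) {
  return `${s.package} (${s.id}, ${s.severity}): installed ${s.installed.join(", ")}; ` +
    `fixed in ${s.patched}; reached via ${s.via.join(", ")}`;
}

// Constructed sample report (placeholder packages and IDs, not real advisories).
const SAMPLE = { advisories: {
  1001: { id: 1001, module_name: "example-parser", severity: "moderate",
    cves: ["CVE-0000-00001"], patched_versions: ">=2.3.1",
    findings: [{ version: "2.2.0",
      paths: [".>web-framework>example-parser", ".>cli-tool>example-parser"] }] },
  1002: { id: 1002, module_name: "example-templating", severity: "high",
    cves: [], patched_versions: ">=4.0.2",
    findings: [{ version: "4.0.0", paths: [".>example-templating"] },
               { version: "3.9.1", paths: [".>web-framework>example-templating"] }] },
} };

for (const s of summarizeAdvisories(SAMPLE)) console.log(toChunk(s));
```

Each printed line can go into its own session alongside the relevant `package.json` entry.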