Skills

dependabot-review

Installation
SKILL.md

Dependabot PR Review

Triage, classify, and merge open Dependabot PRs with risk-based assessment.

Auto-Invoke Triggers

This skill activates when:

  1. Keywords: "dependabot", "dependabot PRs", "dependency updates", "merge dependabot", "review dependabot", "dependency PRs", "bump PRs", "update dependencies"
  2. Command: /dependabot-review

Arguments

  • (no args) — Triage mode: list all open Dependabot PRs with risk classification
  • --merge-safe — Merge all PRs classified as SAFE TO MERGE (asks for target branch first)
  • --pr <number> — Deep-dive analysis of a single Dependabot PR
  • --base <branch> — Target branch for retargeting PRs before merge (skips the prompt)

Prerequisites

  • GitHub CLI (gh) authenticated with repo access
  • Repository must have open Dependabot PRs

Verify:

gh auth status

Workflow

Step 1: Fetch Open Dependabot PRs

gh pr list \
  --author "app/dependabot" \
  --state open \
  --json number,title,labels,headRefName,baseRefName,mergeable,isDraft,createdAt,statusCheckRollup \
  --limit 50

If --pr <number> was provided, fetch that single PR instead:

gh pr view <number> \
  --json number,title,body,labels,headRefName,baseRefName,mergeable,isDraft,createdAt,statusCheckRollup,additions,deletions

If no Dependabot PRs are found, report "No open Dependabot PRs found" and stop.

Step 2: Enrich Each PR

For each PR, gather additional data:

Files changed (for lockfile-only detection):

gh pr diff <number> --name-only

CI status: Extract from statusCheckRollup in the JSON. Classify as:

  • pass — all checks SUCCESS or SKIPPED
  • fail — any check FAILURE
  • pending — any check IN_PROGRESS or QUEUED
  • none — no checks ran

Step 3: Classify Each PR

Apply the risk matrix to each PR:

Parse version info from PR title:

Dependabot titles follow: build(deps): bump <package> from <old> to <new> in <path>

For grouped updates: build(deps): bump the <group> group across N directory with M updates

Determine semver delta:

  • Compare major versions: different → major
  • Compare minor versions: different → minor
  • Otherwise → patch
  • Grouped PRs: check PR body for the update table; if any update is major → treat entire PR as major

Apply classification rules:

SAFE TO MERGE

All of these must be true:

  • CI: pass (or none for lockfile-only changes)
  • Mergeable: MERGEABLE
  • AND one of:
    • Semver: patch (any dependency)
    • Semver: minor AND package matches known-safe pattern
    • Files changed: lockfile only (*-lock.*, *.lock, pnpm-lock.yaml, package-lock.json, yarn.lock, Cargo.lock, gradle.lockfile)
    • Ecosystem: github_actions AND semver: minor or patch

Known-safe patterns (safe at minor):

  • @types/* — TypeScript type definitions
  • eslint-*, prettier, @typescript-eslint/* — linters/formatters
  • @testing-library/*, @playwright/test, vitest — test tooling
  • actions/*, docker/*, hashicorp/* — CI actions (minor only)

REVIEW RECOMMENDED

  • CI: pass AND mergeable: MERGEABLE
  • AND one of:
    • Semver: minor AND direct production dependency
    • Grouped PR with no major bumps
    • Package on framework watchlist (even at minor)

Framework watchlist (always flag for review at minor+):

  • next, react, react-dom, svelte, vue, angular
  • spring-boot, kotlin, gradle
  • supabase-js, @supabase/*
  • mapbox-gl, framer-motion

REQUIRES HUMAN REVIEW

  • Any major semver bump
  • Grouped PR containing any major bump

Security Override

Security-labeled PRs stay in their normal risk tier (a security patch is still SAFE, a security minor is still REVIEW, etc.) but are always flagged with an urgency callout at the top of the report. Security + major = HUMAN REVIEW.

BLOCKED

  • CI: fail → note possible root causes (Dependabot lacks repo secrets, pre-existing failures)
  • Mergeable: CONFLICTING → suggest @dependabot rebase
  • Mergeable: UNKNOWN → suggest waiting for GitHub to compute

Step 4: Present Triage Report

Format the report as:

## Dependabot PR Triage — {owner}/{repo}
{N} open PRs found

### SAFE TO MERGE ({count})
| PR | Package | From → To | Type | Scope | CI | Files |
|----|---------|-----------|------|-------|----|-------|
| #142 | eslint | 8.56 → 8.57 | patch | dev | pass | lockfile |

### REVIEW RECOMMENDED ({count})
| PR | Package | From → To | Type | Reason | CI |
|----|---------|-----------|------|--------|----|
| #140 | next | 14.1 → 14.2 | minor | framework watchlist | pass |

### REQUIRES HUMAN REVIEW ({count})
| PR | Package | From → To | Type | Reason |
|----|---------|-----------|------|--------|
| #131 | spring-boot | 3.2 → 4.0 | major | major version bump |

### BLOCKED ({count})
| PR | Package | Issue | Suggested Action |
|----|---------|-------|-----------------|
| #129 | gradle | CI fail | Check Dependabot secrets / pre-existing lint errors |
| #127 | pnpm group | conflict | `@dependabot rebase` |

After the report, ask the user what they want to do using natural conversation.

Step 5: Execute Actions

If user chooses to merge safe PRs (or --merge-safe flag):

  1. Ask for target branch: "What branch should these PRs target? (e.g., main, develop)"
    • Skip if --base was provided
  2. Retarget if needed: For each PR where baseRefName differs from the target: 
    gh pr edit <number> --base <target-branch>
  3. Approve and merge each safe PR: 
    gh pr review <number> --approve --body "Auto-approved: safe dependency update"
gh pr merge <number> --squash
    If squash fails (repo doesn't allow squash): 
    gh pr merge <number> --merge
    If merge commits also fail: 
    gh pr merge <number> --rebase

If user chooses to rebase conflicted PRs:

gh pr comment <number> --body "@dependabot rebase"

If user chooses single PR deep-dive (--pr <number>):

Present:

  • Package name, old version → new version
  • Semver classification and risk tier
  • Release notes excerpt (from PR body)
  • Files changed list
  • CI check details (which passed, which failed)
  • Recommendation with reasoning

Step 6: Summary

After all actions, present:

## Summary
- Merged: {N} PRs ({list numbers})
- Rebased: {N} PRs ({list numbers})
- Skipped: {N} PRs ({reasons})
- Remaining: {N} PRs requiring human review

CI Failure Diagnostics

When a Dependabot PR has failing CI, check these common causes before blaming the dependency update:

  1. Missing secrets: Dependabot PRs run with read-only GITHUB_TOKEN and cannot access repo Actions secrets. Only Dependabot-specific secrets (Settings > Security > Dependabot secrets) are available. Look for errors like "Missing required environment variable" or auth failures.

  2. Lockfile-only changes: If the PR only changes lockfiles (pnpm-lock.yaml, package-lock.json, etc.), it cannot cause lint, type-check, or build failures. Flag these as pre-existing issues.

  3. Pre-existing failures: Check if the same CI checks fail on the base branch. If so, the failure is not caused by the dependency update.

Important Notes

  1. Triage is read-only by default — no merges happen unless the user explicitly requests it or uses --merge-safe
  2. Always ask for target branch before merging — never assume main or develop
  3. Grouped PRs: Parse the update table in the PR body to identify individual packages and their semver bumps
  4. Security PRs: Always surface these prominently regardless of semver level
  5. @dependabot rebase: The preferred fix for lockfile conflicts — Dependabot regenerates the lockfile against the current base

Progressive Disclosure

For more details, see:

Version

1.0.0

Related skills

More from joaquimscosta/arkhe-claude-plugins

Installs
1
Repository
joaquimscosta/a…-plugins
GitHub Stars
13
First Seen
12 days ago