// Keep dependencies up-to-date. Discovers outdated deps via dependabot alerts/PRs, creates one PR per ecosystem, iterates until CI is green, then assigns for review.
| name | update-deps |
| description | Keep dependencies up-to-date. Discovers outdated deps via dependabot alerts/PRs, creates one PR per ecosystem, iterates until CI is green, then assigns for review. |
| user-invocable | true |
Automate the full dependency update lifecycle: discover what's outdated, apply updates grouped by ecosystem, fix breakage, get CI green, and hand off for human review.
This is a Rust workspace containing utility crates published to crates.io. All dependency update PRs target the main branch.
Dependabot is configured (.github/dependabot.yaml) to open PRs against main on the 2nd of each month. This skill gathers individual dependabot PRs, combines updates by ecosystem, fixes any breakage, gets CI green, and creates consolidated PRs for human review.
| Crate | Description |
|---|---|
| bpe | Fast byte-pair encoding |
| bpe-openai | OpenAI tokenizers built on bpe |
| geo_filters | Probabilistic cardinality estimation |
| string-offsets | UTF-8/UTF-16/Unicode position conversion (with WASM/JS bindings) |
Supporting packages (not published): bpe-tests, bpe-benchmarks.
| Ecosystem | Directories | Notes |
|---|---|---|
| cargo | / (workspace root) | Deps declared per-crate; Cargo.lock at workspace root pins versions |
| github-actions | .github/workflows/ | CI and publish workflows |
| npm | crates/string-offsets/js/ | JS bindings for string-offsets (WASM) |
make build # cargo build --all-targets --all-features
make build-js # npm run compile in crates/string-offsets/js
make lint # cargo fmt --check + cargo clippy (deny warnings, forbid unwrap_used)
make test # cargo test + doc tests
CI runs on ubuntu-latest with the mold linker. The lint job depends on build.
Determine the repo identity and confirm the target branch.
git remote get-url origin # extract owner/repo
git fetch origin main
git rev-parse --verify origin/main
Detect which ecosystems have pending updates:
[ -f Cargo.toml ] && echo "cargo"
ls .github/workflows/*.yml .github/workflows/*.yaml 2>/dev/null && echo "github-actions"
[ -f crates/string-offsets/js/package.json ] && echo "npm"
Report discovered ecosystems to the user.
Fetch open dependabot PRs:
gh pr list --author 'app/dependabot' --base main --state open --json number,title,headRefName,labels --limit 100
Fetch open dependabot alerts:
gh api --paginate /repos/{owner}/{repo}/dependabot/alerts --jq '[.[] | select(.state=="open") | {number: .number, package: .security_vulnerability.package.name, ecosystem: .security_vulnerability.package.ecosystem, severity: .security_advisory.severity, summary: .security_advisory.summary}]'
For ecosystems without dependabot coverage or when running ad-hoc, use native tooling:
cargo update --dry-runpackage.json, then run npm outdated --json || true in each (npm exits non-zero when updates exist)Also fetch the advisory URLs for any security-related updates. Individual alert details are at https://github.com/{owner}/{repo}/security/dependabot/{alert_number}. Fetch alert numbers and GHSA IDs via:
gh api --paginate /repos/{owner}/{repo}/dependabot/alerts --jq '[.[] | {number: .number, state, package: .security_vulnerability.package.name, ecosystem: .security_vulnerability.package.ecosystem, severity: .security_advisory.severity, ghsa_id: .security_advisory.ghsa_id, summary: .security_advisory.summary}]'
Include both open and auto_dismissed/dismissed alerts — the update may resolve alerts in any state.
Cross-reference and group all updates by ecosystem. Present a summary to the user:
Flag high-risk upgrades. Before proceeding, explicitly call out upgrades that carry elevated risk:
serde, itertools, regex-automata, wasm-bindgen, criterion, and the Rust toolchain itselfPresent the risk assessment to the user and recommend which upgrades to include vs. defer. When in doubt, prefer a smaller, safe update over an ambitious one that might break.
For each selected ecosystem, starting from main:
git checkout main
git pull origin main
git checkout -b deps/{ecosystem}-updates-$(date +%Y-%m-%d)
Apply updates using ecosystem-appropriate tooling:
cargo:
cargo update
# For major bumps, edit Cargo.toml version constraints then:
cargo check
This is a Cargo workspace — always run from the repo root. All crate Cargo.toml files are in crates/. The Cargo.lock at the root is the single source of truth.
npm:
cd crates/string-offsets/js
npm update
npm install
github-actions:
.github/workflows/ for uses: directivesAlways run:
make lint # cargo fmt --check + clippy with deny warnings
make test # cargo test with backtrace
make build # full workspace build (all targets, all features)
If npm dependencies changed:
make build-js # npm compile for string-offsets JS binding
If the build/lint/test fails:
If still failing after 3 iterations, report the situation to the user and ask for guidance. Do not push broken code.
Stage all changes and commit with a descriptive message:
git add -A
git commit -m "chore(deps): update {ecosystem} dependencies
Updated packages:
- package-a: 1.0.0 → 2.0.0
- package-b: 3.1.0 → 3.2.0
{If code changes were needed:}
Fixed breaking changes:
- Updated X API usage for package-a v2
Supersedes: #{dependabot_pr_1}, #{dependabot_pr_2}
"
Push the branch:
git push -u origin HEAD
Title: chore(deps): update {ecosystem} dependencies
Body should include:
https://github.com/{owner}/{repo}/security/dependabot/{alert_number}) and the GHSA advisory (https://github.com/advisories/GHSA-xxxx-xxxx-xxxx), along with severity and summaryWrite the body to a temp file and create the PR targeting main:
gh pr create --title "chore(deps): update {ecosystem} dependencies" --body-file /tmp/deps-pr-body.md --base main
rm /tmp/deps-pr-body.md
Watch the PR's checks:
gh pr checks {pr_number} --watch --fail-fast
If checks fail:
gh run list --branch {branch} --status failure --json databaseId,name --limit 1
gh run view {run_id} --log-failed
Analyze the failure — CI runs on ubuntu-latest with mold linker, which may differ from local builds.
Fix the issue locally, commit, and push:
git add -A
git commit -m "fix: resolve CI failure in {ecosystem} dep update
{Brief description of what failed and why}"
git push
Monitor again. Repeat up to 3 iterations total.
If still failing after 3 pushes, report to the user with the failure details and ask for help.
For each dependabot PR that this update supersedes:
gh pr close {dependabot_pr_number} --comment "Superseded by #{new_pr_number} which includes this update along with other {ecosystem} dependency updates."
Request review from CODEOWNERS or a user-provided reviewer (not the PR author):
gh pr edit {pr_number} --add-reviewer {reviewer_login}
Report the final PR URL and a summary of what was done.
main. There is no separate dev branch.main directly. Always work on a feature branch.make lint and make test. If you can't fix it in 3 tries, stop and ask.Cargo.lock and package-lock.json after updating — don't just edit manifests.unwrap_used outside tests and denies all warnings. New dependency versions may trigger new clippy lints — fix them.Cargo.lock at the workspace root. Always run cargo update and cargo check from the repo root.package.json files to discover npm packages rather than hardcoding paths — the repo layout may change.wasm-bindgen or related deps, verify make build-js still works — WASM toolchain version mismatches are common.gh api hits rate limits, wait and retry. Report to user if persistent.main and retry: git fetch origin main && git rebase origin/main.deps/{ecosystem}-updates-{date} already exists, append a counter or ask user.