// Interact with Dependabot and Snyk pull requests for dependency upgrades and security fixes. Documents Dependabot commands, javax/jakarta compatibility checks, safe merge workflows, and troubleshooting. Use when managing dependency upgrade PRs or security fix PRs.
Monitors Dependabot and Snyk dependency upgrade PRs, automatically merging them when builds pass. Handles javax/jakarta compatibility validation and provides detailed status reporting. Use when the user says "monitor PRs", "watch builds", "auto-merge PRs", "merge passing PRs", or "watch dependency PRs".
Deep adversarial code review using the 8-lens review constitution. Examines diffs for correctness, security, completeness, and MockServer-specific concerns (ByteBuf leaks, module boundaries, javax/jakarta compatibility, ring buffer sizing). Use when performing pre-commit reviews, quality-loop iterations, or on-demand code audits. Loaded by review-cheap and review-final agents.
Deep adversarial specification review using the 8-lens review constitution. Evaluates design documents, plans, and specs for ambiguity, completeness, feasibility, security, and MockServer-specific concerns. Loaded by review-cheap and review-final agents.
Builds and pushes the MockServer Maven CI Docker image locally. Covers corporate CA certificate setup, architecture selection (amd64 vs arm64), buildx gotchas with corporate TLS proxies, and Docker Hub authentication. Use when the user says "build docker image", "push maven image", "rebuild CI image", "docker build", "push to docker hub", or needs to manually build/push the mockserver/mockserver:maven image outside of CI.
Prepares a MockServer release by recommending the release version from Semantic Versioning rules and `changelog.md`, checking release readiness, and listing the exact Buildkite release parameters. Use when users say "prepare release", "release version", "run the release pipeline", "which version should we release", or need to verify changelog and secret readiness before triggering the release pipeline.
Investigates AWS infrastructure issues affecting Buildkite build agents (EC2, AutoScaling, Lambda). Returns structured JSON to the parent for formatting. Triggers when users ask about build agents not running, EC2 issues, ASG scaling problems, or infrastructure health.
| name | dependabot-snyk-pr-management |
| description | Interact with Dependabot and Snyk pull requests for dependency upgrades and security fixes. Documents Dependabot commands, javax/jakarta compatibility checks, safe merge workflows, and troubleshooting. Use when managing dependency upgrade PRs or security fix PRs. |
Interact with Dependabot and Snyk pull requests for dependency upgrades and security fixes.
Use when:
IMPORTANT: Before merging, rebasing, or closing any PR:
app/dependabot or a Snyk botgit add . — stage explicit files onlyDependabot responds to commands in PR comments. All commands are invoked via @dependabot <command>.
Response behavior: Dependabot reacts with 👍 and may take several minutes to process the command.
| Command | Purpose | When to Use |
|---|---|---|
@dependabot rebase | Rebase PR onto latest base branch | When PR is behind master or needs to pick up recent fixes |
@dependabot recreate | Close and recreate PR from scratch | When PR is in a bad state or has conflicts |
@dependabot merge | Merge PR (if all checks pass) | To auto-merge via Dependabot (alternative: gh pr merge --auto) |
@dependabot squash and merge | Squash and merge PR | Preferred for dependency bumps to keep history clean |
@dependabot cancel merge | Cancel a previously requested merge | If you change your mind |
@dependabot close | Close PR without merging | To reject an upgrade |
@dependabot reopen | Reopen a closed PR | To reconsider a previously rejected upgrade |
@dependabot ignore this dependency | Never upgrade this dependency | For permanently pinned dependencies |
@dependabot ignore this major version | Skip this major version | When major version requires code changes |
@dependabot ignore this minor version | Skip this minor version | When minor version has issues |
@dependabot ignore this patch version | Skip this patch version | When patch version has issues |
@dependabot show <dep> ignore conditions | Show current ignore rules for dependency | Before removing ignore rules |
@dependabot unignore <dep> | Remove all ignore rules for dependency | Re-enable upgrades for a specific dependency |
Note: Ignore commands create repository-level preferences. For team visibility, also update .github/dependabot.yml when adding permanent ignore rules.
Rebase a Dependabot PR:
gh pr comment <PR_NUMBER> --body "@dependabot rebase"
Merge a Dependabot PR (preferred: use GitHub native merge):
# Preferred: GitHub native merge with auto-merge when checks pass
gh pr merge <PR_NUMBER> --squash --auto
# Alternative: delegate to Dependabot
gh pr comment <PR_NUMBER> --body "@dependabot squash and merge"
Ignore a major version:
gh pr comment <PR_NUMBER> --body "@dependabot ignore this major version"
Close and reject an upgrade:
gh pr comment <PR_NUMBER> --body "@dependabot close"
When a Dependabot PR fails due to a flaky test or a fix has been merged to master:
Ask Dependabot to rebase:
gh pr comment <PR_NUMBER> --body "@dependabot rebase"
Dependabot will:
Monitor the rebuild:
gh pr checks <PR_NUMBER> --watch
This is the preferred method for re-triggering builds on Dependabot PRs because:
Snyk creates PRs to fix security vulnerabilities. These PRs are created by the Snyk bot and follow similar patterns to Dependabot.
Review the vulnerability:
Test the fix:
Merge or close:
gh pr merge <PR_NUMBER> --squashjakarta namespace: close and document workaround (pin old version or accept vulnerability)Snyk bot does not respond to comments like Dependabot. To manage Snyk PRs:
Merge (preferred):
gh pr merge <PR_NUMBER> --squash
Close:
gh pr close <PR_NUMBER>
Rebase:
Snyk PRs cannot be safely rebased via git commands because:
Safe alternatives:
Dependabot is configured in .github/dependabot.yml. Always check that file for the complete, authoritative configuration.
Key ecosystems:
/mockserver) - Java dependencies, weekly schedule Monday, 10 PR limit/.opencode) - OpenCode config dependencies, weekly schedule Monday, 5 PR limit/) - Workflow dependencies, weekly schedule Monday, 5 PR limitjavax/jakarta compatibility blocks:
The configuration blocks major-version upgrades for dependencies that would force the jakarta namespace before the javax→jakarta migration is scheduled. See the ignore section in .github/dependabot.yml for the authoritative list, which currently includes:
jakarta namespace)jakarta namespace)javax.servlet:* ≥ 5jakarta.xml.bind ≥ 3, jakarta.activation ≥ 2, jakarta.validation ≥ 3Problem: Buildkite build fails on Dependabot PR due to intermittent test failure.
Solution:
gh pr view <PR_NUMBER>
gh pr checks <PR_NUMBER>
gh pr comment <PR_NUMBER> --body "@dependabot rebase"
Problem: PR shows "This branch is out-of-date with the base branch".
Solution:
gh pr comment <PR_NUMBER> --body "@dependabot rebase"
Problem: Many Dependabot PRs have passed checks and are ready to merge.
Solution (SAFE - requires checks and confirmation):
# List all open Dependabot PRs with passing checks
gh pr list --author app/dependabot --state open --json number,title,statusCheckRollup \
--jq '.[] | select(.statusCheckRollup | all(.conclusion == "SUCCESS" or .conclusion == null)) | {number: .number, title: .title}'
# Review the list, then merge each individually:
gh pr merge <PR_NUMBER> --squash --auto
# Alternative: ask Dependabot to merge (after verifying checks)
gh pr comment <PR_NUMBER> --body "@dependabot squash and merge"
WARNING: Do NOT use a blind loop. Always verify:
Problem: Dependabot PR shows merge conflicts.
Solution:
# Ask Dependabot to recreate the PR (resolves conflicts automatically)
gh pr comment <PR_NUMBER> --body "@dependabot recreate"
If recreate fails, close the PR and wait for Dependabot to create a new one.
Problem: Dependabot proposes a major version upgrade that requires code changes (e.g., Spring 5 → 6).
Solution:
# Ignore this major version
gh pr comment <PR_NUMBER> --body "@dependabot ignore this major version"
Then update .github/dependabot.yml for team visibility:
ignore:
- dependency-name: "org.springframework:*"
update-types: ["version-update:semver-major"]
Problem: Snyk creates PR to fix CVE-2024-12345 (critical severity).
Solution:
gh pr merge <PR_NUMBER> --squash --auto
jakarta namespace, investigate before mergingMockServer targets Java 17 as the minimum supported version but still uses the javax namespace throughout. When reviewing Dependabot PRs, always check for upgrades that force the jakarta namespace.
See the javax/jakarta compatibility policy in ../../../AGENTS.md and the Snyk policy in ../../../.snyk for version ceilings.
# Check the PR diff for blocked dependencies
gh pr diff <PR_NUMBER> | grep -E "(springframework|jakarta|jetty|tomcat\.embed)"
If Dependabot proposes a dependency that forces the jakarta namespace:
Close the PR:
gh pr comment <PR_NUMBER> --body "@dependabot close"
Ignore the major version:
gh pr comment <PR_NUMBER> --body "@dependabot ignore this major version"
Update .github/dependabot.yml:
ignore:
- dependency-name: "<dependency-pattern>"
versions: [">=<major>"]
Symptoms: Comment posted but Dependabot doesn't respond.
Causes & Solutions:
@dependabot rebase, not @dependabot please rebaseapp/dependabotDebugging:
Symptoms: Dependabot comments "I couldn't rebase due to conflicts."
Solution:
# Try recreate instead (creates fresh PR from latest base)
gh pr comment <PR_NUMBER> --body "@dependabot recreate"
If recreate also fails, close the PR and wait for Dependabot to create a new one on its next run.
Symptoms: Snyk upgrades a dependency but tests fail.
Causes:
Solution:
gh pr diff <PR_NUMBER>
gh pr checkout <PR_NUMBER>
cd mockserver && ./mvnw clean test