一键导入
update-deps
Dependabot-aware dependency updates with security audit, real-CI validation, and a unified PR. Framework-agnostic.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Dependabot-aware dependency updates with security audit, real-CI validation, and a unified PR. Framework-agnostic.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Create a pull request with auto-generated description, issue linking, ROADMAP updates, and PR-metadata validation.
Merge a pull request with status checks, squash merge, and branch cleanup. Handles worktree contexts.
Fan out a batch of autopilot-queued issues to parallel background worktree subagents — each runs /autopilot — with an Opus gating review on every Sonnet-built PR.
Detailed technical walkthrough covering architecture, test coverage, product tour, and key design decisions.
Pre-PR advisory check for deviations from the project spec. Read-only analysis.
Generate a hands-on QA testing guide as a self-contained HTML page — for Rails apps or static (Hugo) sites. --publish uploads the HTML to the project's configured QA host.
| name | update-deps |
| description | Dependabot-aware dependency updates with security audit, real-CI validation, and a unified PR. Framework-agnostic. |
| disable-model-invocation | true |
Update project dependencies safely: reconcile open Dependabot PRs into one unified change, run the project's security audit, validate boot-affecting changes against the real CI environment, and open a single PR — instead of stopping at local commits.
This skill is framework-agnostic. It detects the project's package manager, test/lint commands, audit suite, and CI workflow rather than assuming a stack.
--dry-run: Show what would be updated without making changes--major: Include major version updates (default: minor/patch only)--package <name>: Update specific package only--skip-tests: Skip running tests between updatesDetect → Reconcile Dependabot → Update → Audit → Validate on real CI → Open PR → Verify auto-close
Each stage feeds the next. Don't skip the audit or the real-CI validation for boot-affecting changes — those are the two stages that catch what local tests can't.
Detect both the package manager and the project's real entry points. The runners below are common defaults, not assumptions — always confirm against what the repo actually uses.
package.json (npm/yarn/pnpm) — check the lockfile to disambiguateGemfile (bundler)requirements.txt / pyproject.toml (pip/poetry/uv)Cargo.toml (cargo)go.mod (go modules)bin/ci, bin/test, script/test, or a Makefile/Justfile target is the canonical gate — use it if present.tsc, mypy, etc..github/workflows/*.yml and identify the workflow that runs on the default branch and the jobs it contains.Before making any changes, find out what Dependabot already has in flight:
gh pr list --app dependabot --state open --json number,title,headRefName,body
Keep the safe, category-by-category loop:
--major. Isolate a risky major into its own commit — or its own PR — so it can be rolled back cleanly without reverting the safe bumps.--skip-tests: skip test execution.require:), a renamed config key. These are where "the tests pass but boot breaks" lives.This is the highest-value stage on a dependency PR — not an afterthought. After updates, run the project's detected audit suite and fold any newly surfaced fix into this PR (a fresh advisory is in-scope, not a separate task):
| Ecosystem | Audit tools (detect what's present) |
|---|---|
| Ruby | bundler-audit; plus brakeman and importmap audit on Rails |
| Node | npm audit, yarn npm audit, pnpm audit |
| Python | pip-audit, safety |
| Rust | cargo audit |
| Go | govulncheck |
If the project's CI gate (e.g. bin/ci) already runs these, run that gate rather than invoking each tool separately.
A change that touches the manifest (the Gemfile, package.json, pyproject.toml — not just the lockfile) can alter what loads at boot. Local gates cannot catch a failure caused by a system library that happens to be installed on the dev machine but missing on one CI job. Validate those changes on the actual CI environment before recommending merge:
gh workflow run <ci-workflow> --ref <branch>
gh run watch # or: gh run list --branch <branch>
Do this when:
require:/load behavior, version constraint change), and/orLockfile-only patch bumps with a green local gate generally don't need a dedicated CI run.
Stop-at-commits is not the finish line. Open one PR for the reconciled set, following the project's PR conventions — hand off to the /create-pr skill (it generates the description, links issues, and updates the ROADMAP). Summarize in the PR body: the bumps grouped by category, the Dependabot PRs this supersedes, any CVE fixed, and the result of the real-CI run.
After the PR merges, expect Dependabot to auto-close the superseded PRs on its own — verify it did rather than pre-emptively closing them:
gh pr list --app dependabot --state open
dependabot/dependabot-core#13606) — close it manually with a note. Don't duplicate Dependabot's behavior or race its rebase.The lessons this workflow encodes, worth keeping in mind when a situation doesn't fit the steps above:
npm outdated # check
npm update <pkg> # update
bundle outdated
bundle update <gem>
pip list --outdated
poetry show --outdated && poetry update <pkg>
cargo outdated
cargo update <pkg>
go list -u -m all
go get -u <pkg>
1.2.3 → 1.2.4.1.2.3 → 1.3.0.--major) — breaking changes, e.g. 1.2.3 → 2.0.0. Isolate for clean rollback.Use Conventional Commits format from global CLAUDE.md:
chore(deps): update dependencies
Security updates:
- erb: 6.0.1 → 6.0.3 (CVE-2026-41316)
Patch updates:
- rails: 7.1.3 → 7.1.5
Minor updates:
- image_processing: 1.12 → 2.0
Breaking changes:
- image_processing 2.0 requires ruby-vips; added with require: false
so a missing libvips does not crash boot.
Follow dependency best practices from global CLAUDE.md: