// Analyzes a Dependabot PR to determine what actually changed in each bumped package and whether those changes affect this repo. Reports changed APIs/methods, which doc pages use them, and the realistic probability of any visible impact on the docs site.
| name | dependabot-review |
| description | Analyzes a Dependabot PR to determine what actually changed in each bumped package and whether those changes affect this repo. Reports changed APIs/methods, which doc pages use them, and the realistic probability of any visible impact on the docs site. |
Load this skill when asked to review, analyze, assess, or verify a Dependabot PR.
Give the reviewer a clear answer to: does this version bump require any action beyond merging?
gh pr view <PR_NUMBER> --repo cloudflare/cloudflare-docs --json title,body
Parse the PR body to extract package name(s) and version range (old → new). Dependabot PRs always include this in structured form.
For grouped PRs, there will be multiple packages. Process each one.
Check in this order — stop at the first that works:
gh release list --repo <upstream-repo> then gh release view <tag>gh api repos/<upstream>/contents/CHANGELOG.md (decode base64)npm view <package>@<new-version> changelog or the registry pagegh api repos/<upstream>/compare/<old-tag>...<new-tag> --jq '.commits[].commit.message'
Focus only on the commits/entries between old and new version. Ignore unrelated history.
From the changelog/diff, identify:
Ignore: internal refactors, CI changes, test changes, type-only changes that don't affect emitted JS.
Run these searches against the local codebase. Do not skip this step.
# Direct import anywhere in source
grep -r "from ['\"]<package>['\"]" src/ worker/ bin/ --include="*.ts" --include="*.tsx" --include="*.mjs" --include="*.js" --include="*.astro" -l
# require() usage
grep -r "require(['\"]<package>['\"]" src/ worker/ bin/ -l
# Is it a direct or transitive dependency?
grep '"<package>"' package.json
# If transitive, who pulls it in?
node -e "const lock = require('./pnpm-lock.yaml'); ..."
# or just:
grep -A2 '"<package>"' pnpm-lock.yaml | grep -v "^--$" | head -20
If the package is not directly imported anywhere, it is transitive. Identify which direct dependency pulls it in by checking pnpm-lock.yaml.
If the package is directly imported, find which source files use the specific APIs that changed:
# For each changed method/export, search for callsites
grep -r "<method_name>\|<export_name>" src/ worker/ bin/ --include="*.ts" --include="*.tsx" --include="*.astro" -l
For Astro/MDX source files under src/content/docs/, map them to their route:
src/content/docs/workers/get-started/index.mdx → /workers/get-started/src/content/docs/pages/platform/limits.mdx → /pages/platform/limits/If more than ~5 files use the changed API, list a representative sample (pick the most prominent product areas).
Rate the probability that this bump causes a visible change to the docs site:
| Rating | Meaning |
|---|---|
| None | Package not used directly; transitive only; or only internal/type changes |
| Very Low | Direct dependency, but changed APIs are not called in this repo |
| Low | Changed APIs are called, but only in build tooling (not runtime or content rendering) |
| Medium | Changed APIs affect content rendering (Astro components, MDX processing, syntax highlighting) |
| High | Changed APIs affect output seen by users — rendered HTML, search index, Worker behavior |
For security fixes: note what the vulnerability affects and whether our usage is in the vulnerable code path.
## <package-name>: <old-version> → <new-version>
**Type of update:** [security fix | bug fix | feature | breaking change]
**Dependency type:** [direct | transitive (pulled in by <package>)]
### What changed
- <bullet: specific API/behavior change>
- <bullet: ...>
### Usage in this repo
<"Not used directly — transitive only" OR list of files/callsites>
### Affected doc pages (sample)
- `/product/section/page/` — uses `<method>`
- (none)
### Impact rating: <None | Very Low | Low | Medium | High>
<1–2 sentence explanation of the rating>
If the PR bumps multiple packages, repeat the block for each. End with a one-line recommendation:
Dependabot opens security PRs immediately, regardless of dependabot.yml schedule. This is expected. The schedule.day setting only applies to version updates.
Security PRs are also not grouped with other packages — each gets its own PR. This is also expected GitHub behavior.
For grouped PRs (non-major group), the PR body lists each package separately. Process each package independently through steps 2–6, then give a combined recommendation.
If a package has no changelog and the upstream repo is private or unavailable:
npm diff <package>@<old> <package>@<new>Evaluate a GitHub issue or pull request and decide if it is spam or clearly off-topic for cloudflare/cloudflare-docs.
Creates, updates, and reviews product changelog entries for the Cloudflare documentation site. Load when generating changelog MDX files, editing existing entries, reviewing changelog style, or validating frontmatter.
Reviews Workers and Cloudflare Developer Platform code for type correctness, API usage, and configuration validity. Load when reviewing TypeScript/JavaScript using Workers APIs, wrangler.jsonc/toml config, or Cloudflare bindings (KV, R2, D1, Durable Objects, Queues, Vectorize, AI, Hyperdrive).
Reviews documentation PRs and provides GitHub PR suggestions. Load when asked to review, suggest changes, or provide feedback on docs content. Covers MDX, frontmatter, style guide, components, and content accuracy.
Creates and updates GitHub pull requests for cloudflare-docs changes. Load when asked to open, create, submit, update, edit, or write a title or description for a PR. Covers title conventions, PR body structure, and the documentation checklist template.
Transform technical jargon into clear explanations using before/after comparisons, metaphors, and practical context