Overview
Instead of ignoring PRs opened by dependency bots (Dependabot, Renovate, etc.), CodeRabbit should be configured to perform a thorough, structured analysis of dependency update PRs. This issue tracks adding dedicated `path_instructions` and `auto_review` guidance for bot-opened PRs.
Backlink: #90 (comment) (requested by @kpj2006)
Proposed Change
Update `.coderabbit.yaml` to add targeted review instructions for dependency update files (e.g., `package.json`, `requirements.txt`, `go.mod`, `pyproject.toml`, etc.) so that CodeRabbit performs deep compatibility analysis when bots update dependencies.
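Before relying on a single glob to catch every manifest a bot can touch, it is worth checking which paths in a repo the pattern actually covers. The script below is an added example (not CodeRabbit's code and not part of this issue): it takes the `**/{...}` pattern proposed in this issue, expands the brace alternation, and matches it against a constructed list of repository paths. It assumes minimatch-style semantics (`{a,b}` alternation, `**/` spanning zero or more directories, `*` not crossing `/`); the sample paths are constructed for illustration.

```python
"""Check which repository paths a path_instructions glob will cover.

Added example, not CodeRabbit's own matcher. Assumes minimatch-style
semantics: {a,b} alternation, '**/' matches zero or more directory
levels, '*' and '?' do not cross a '/'.
"""
from __future__ import annotations

import re

# The pattern proposed in this issue for dependency manifests.
PATTERN = (
    "**/{package.json,package-lock.json,yarn.lock,requirements.txt,Pipfile,"
    "Pipfile.lock,pyproject.toml,poetry.lock,go.mod,go.sum,Cargo.toml,"
    "Cargo.lock,pom.xml,build.gradle,*.gemspec,Gemfile,Gemfile.lock}"
)

# Constructed sample: a plausible polyglot repo layout, including some
# manifests the proposed pattern does NOT name.
SAMPLE_PATHS = [
    "package.json",
    "services/api/package-lock.json",
    "frontend/pnpm-lock.yaml",
    "requirements.txt",
    "requirements-dev.txt",
    "go.mod",
    "tools/relay.gemspec",
    "Cargo.lock",
    "android/build.gradle.kts",
    "docs/README.md",
    "src/main.py",
]


def expand_braces(pattern: str) -> list[str]:
    """Expand {a,b,c} alternation into one plain glob per alternative."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[: m.start()], pattern[m.end():]
    out: list[str] = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(head + alt + tail))  # handles nested braces
    return out


def glob_to_regex(glob: str) -> re.Pattern[str]:
    """Translate a brace-free glob into an anchored regex."""
    parts: list[str] = []
    i = 0
    while i < len(glob):
        if glob.startswith("**/", i):
            parts.append("(?:.*/)?")  # zero or more leading directories
            i += 3
        elif glob[i] == "*":
            parts.append("[^/]*")  # stays within one path segment
            i += 1
        elif glob[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def matches(pattern: str, path: str) -> bool:
    """True if any brace-expanded alternative of `pattern` matches `path`."""
    return any(glob_to_regex(p).match(path) for p in expand_braces(pattern))


def coverage(pattern: str, paths: list[str]) -> tuple[list[str], list[str]]:
    """Split `paths` into (covered, not covered) by `pattern`."""
    hit = [p for p in paths if matches(pattern, p)]
    miss = [p for p in paths if not matches(pattern, p)]
    return hit, miss


if __name__ == "__main__":
    hit, miss = coverage(PATTERN, SAMPLE_PATHS)
    print("covered:", *hit, sep="\n  ")
    print("not covered:", *miss, sep="\n  ")
```

Running it against the constructed layout shows the gaps a reviewer should decide about explicitly: `pnpm-lock.yaml`, `requirements-dev.txt` and `build.gradle.kts` are not matched by the proposed list, so bot PRs touching only those files would fall back to the generic review instructions.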
Suggested `path_instructions` Addition
```yaml
path_instructions:
  - path: >-
      **/{package.json,package-lock.json,yarn.lock,requirements.txt,Pipfile,Pipfile.lock,pyproject.toml,poetry.lock,go.mod,go.sum,Cargo.toml,Cargo.lock,pom.xml,build.gradle,*.gemspec,Gemfile,Gemfile.lock}
    instructions: |
      This file may be modified by a dependency bot (e.g., Dependabot, Renovate).
      Perform a structured dependency upgrade analysis:

      **1. Version Change Assessment**
      - Identify all version bumps (major, minor, patch) and flag major/minor upgrades explicitly.
      - Check the official release notes, changelog, or migration guide for each upgraded package.

      **2. Breaking Change Detection**
      - Breaking changes: removed or renamed APIs, changed function signatures, altered behavior.
      - Deprecated APIs: warn if the codebase uses anything deprecated in the new version.
      - Configuration changes: new required env vars, config keys, or file structure changes.
      - Security fixes: highlight CVE patches and confirm they address known vulnerabilities.

      **3. Codebase Compatibility Check**
      - Locate all files in the repo that import or use the upgraded dependency.
      - For each usage, verify:
        - No removed or renamed imports/functions are referenced.
        - Constructor/function call signatures are compatible.
        - Any default behavior changes do not silently break existing logic.

      **4. Risk Analysis**
      - Runtime errors: type mismatches, missing attributes, changed return types.
      - API incompatibility: breaking interface/type changes (critical for TypeScript).
      - Logical bugs: subtle behavior changes that don't throw errors but alter outcomes.
      - Performance regressions: flag if release notes mention perf impacts.

      **5. Edge Cases to Verify**
      - Backward compatibility with currently pinned peer dependencies.
      - Changes in default behavior or environment assumptions.
      - Peer requirement conflicts introduced by the new version.
      - For TypeScript: type/interface changes that may require type assertion updates.

      **6. Migration Guidance**
      - If official docs provide migration steps, summarize the required changes and flag
        specific files in this repo that need updates.
      - If no migration is required, confirm this explicitly.

      Conclude with a **risk level**: Low / Medium / High, with justification.
```
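Step 1 (version change assessment) and the closing risk level are the parts of this procedure that can be mechanised, and having a deterministic baseline makes it easy to verify that the review instructions are producing sensible output. The script below is an added example, not CodeRabbit's code and not part of this issue: it diffs the dependency maps of a `package.json` and a `requirements.txt` before and after a bot update, classifies each bump as major, minor or patch, and derives a risk level. The classification rules (a minor bump on a `0.x` package counts as major, any unparseable spec is treated as Medium) and the `major -> High`, `minor -> Medium`, `patch -> Low` mapping are assumptions of this example, not something the issue specifies; the manifest contents are constructed.

```python
"""Classify dependency version bumps in a before/after manifest pair.

Added example, not CodeRabbit's code. Risk mapping and the 0.x rule are
assumptions of this example, not policy stated in the issue.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Constructed sample manifests: before and after a dependency-bot PR.
BEFORE_PKG = json.dumps({
    "dependencies": {"express": "^4.18.2", "lodash": "4.17.20", "zod": "^0.3.1"},
    "devDependencies": {"jest": "^29.6.0"},
})
AFTER_PKG = json.dumps({
    "dependencies": {"express": "^5.0.0", "lodash": "4.17.21", "zod": "^0.4.0"},
    "devDependencies": {"jest": "^29.7.0"},
})
BEFORE_REQ = "requests==2.31.0\nurllib3>=1.26.18\n# pinned for CI\npytest==7.4.0\n"
AFTER_REQ = "requests==2.32.3\nurllib3>=1.26.18\n# pinned for CI\npytest==8.0.0\n"


@dataclass(frozen=True)
class Bump:
    name: str
    old: str
    new: str
    kind: str  # "major" | "minor" | "patch" | "unparsed"


def parse_semver(spec: str) -> tuple[int, int, int] | None:
    """Pull (major, minor, patch) out of specs like '^1.2.3', '~=2.0.1', '==3.1.0'."""
    m = SEMVER.search(spec)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def classify(old: str, new: str) -> str:
    """Classify a version change; 0.x minor bumps are treated as breaking (assumption)."""
    a, b = parse_semver(old), parse_semver(new)
    if a is None or b is None:
        return "unparsed"
    if a[0] != b[0] or (a[0] == 0 and a[1] != b[1]):
        return "major"
    if a[1] != b[1]:
        return "minor"
    return "patch"


def package_json_deps(text: str) -> dict[str, str]:
    """Flatten the dependency sections of a package.json into name -> spec."""
    data = json.loads(text)
    deps: dict[str, str] = {}
    for section in ("dependencies", "devDependencies", "peerDependencies"):
        deps.update(data.get(section, {}))
    return deps


REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-\[\]]+)\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s#;]*)")


def requirements_deps(text: str) -> dict[str, str]:
    """Parse a requirements.txt into name -> spec, skipping comments and options."""
    deps: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        m = REQ_LINE.match(line)
        if m:
            deps[m[1].lower()] = (m[2] or "") + m[3]
    return deps


def diff_bumps(before: dict[str, str], after: dict[str, str]) -> list[Bump]:
    """Return one Bump per dependency whose spec changed between before and after."""
    bumps = [
        Bump(name, before[name], new, classify(before[name], new))
        for name, new in after.items()
        if name in before and before[name] != new
    ]
    return sorted(bumps, key=lambda b: b.name)


def risk_level(bumps: list[Bump]) -> str:
    """Highest-severity bump decides the level (mapping is this example's assumption)."""
    kinds = {b.kind for b in bumps}
    if "major" in kinds:
        return "High"
    if "minor" in kinds or "unparsed" in kinds:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    for label, before, after in (
        ("package.json", package_json_deps(BEFORE_PKG), package_json_deps(AFTER_PKG)),
        ("requirements.txt", requirements_deps(BEFORE_REQ), requirements_deps(AFTER_REQ)),
    ):
        bumps = diff_bumps(before, after)
        for b in bumps:
            print(f"{label}: {b.name} {b.old} -> {b.new} [{b.kind}]")
        print(f"{label}: risk level {risk_level(bumps)}")
```

The output is only the mechanical half of step 1; the major/minor flags it raises are what the remaining steps (release-note lookup, usage search, migration guidance) should then be applied to.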
Acceptance Criteria
- `.coderabbit.yaml` updated with the above `path_instructions` block for dependency manifests.
- `template-sync.yml` workflow propagates the updated config to child repos.
References