Guide for handling Dependabot alerts, dependency upgrades, and security fixes.
Prerequisites: GitHub CLI (gh) must be installed and authenticated.
Install:
# macOS
brew install gh
# Windows
winget install GitHub.cli
# Linux
# See https://github.com/cli/cli#installation

Authenticate:
gh auth login

Check alerts:
npx ts-node scripts/check-dependabot.ts

When asked to handle dependency upgrades, security fixes, or Dependabot issues:
Run the Dependabot checker to get current alerts.
Group alerts into categories:
- Dependency updates only - Simple version bumps in package.json
- Code changes required - Breaking changes needing code modifications
- Security fixes - CVE patches (prioritize by severity: critical > high > medium > low)
Present summary to user with counts per category.
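As an added example (not the guide's own scripts/check-dependabot.ts, whose contents this guide does not show), the grouping and severity ordering from the steps above can be done like this in TypeScript. It assumes alert objects shaped like GitHub's REST response for GET /repos/{owner}/{repo}/dependabot/alerts and the dependency map from package.json; the package names and CVE ids in the sample are constructed placeholders, and the rule "a major-version bump means code changes are required" is a heuristic chosen for this example, not something the guide states.

```typescript
// Added example (not the guide's scripts/check-dependabot.ts): group open
// Dependabot alerts into the guide's categories and order them by severity.
// Alert objects are assumed to have the shape GitHub's REST API returns for
// GET /repos/{owner}/{repo}/dependabot/alerts, e.g. fetched with
//   gh api --paginate "repos/OWNER/REPO/dependabot/alerts?state=open"
// Installed versions come from package.json's dependency map.

type Severity = "critical" | "high" | "medium" | "low";

// Subset of the fields in a Dependabot alert object.
interface DependabotAlert {
  number: number;
  state: "open" | "dismissed" | "fixed" | "auto_dismissed";
  dependency: { package: { ecosystem: string; name: string }; manifest_path: string };
  security_advisory: { severity: Severity; cve_id: string | null; summary: string };
  security_vulnerability: {
    vulnerable_version_range: string;
    first_patched_version: { identifier: string } | null;
  };
}

// The guide's categories, plus one for alerts with no patched release yet.
type Category = "dependency-update" | "code-change-required" | "no-patch-available";

interface TriagedAlert {
  number: number;
  pkg: string;
  severity: Severity;
  cve: string | null;
  installed: string | undefined;
  patched: string | null;
  category: Category;
}

// Presentation order: critical > high > medium > low.
const SEVERITY_RANK: Record<Severity, number> = { critical: 0, high: 1, medium: 2, low: 3 };

// Extract the major version from a package.json range such as "^4.17.15".
function majorOf(version: string): number | null {
  const m = /(\d+)\.\d+\.\d+/.exec(version);
  return m ? Number(m[1]) : null;
}

// Heuristic (an assumption of this example): a first patched version on a new
// major relative to the installed one is treated as a breaking upgrade.
function categorize(alert: DependabotAlert, installed: string | undefined): Category {
  const patched = alert.security_vulnerability.first_patched_version?.identifier ?? null;
  if (patched === null) return "no-patch-available";
  const from = installed === undefined ? null : majorOf(installed);
  const to = majorOf(patched);
  if (from !== null && to !== null && to > from) return "code-change-required";
  return "dependency-update";
}

// Keep only open alerts, attach installed/patched versions, sort by severity then name.
function triage(alerts: DependabotAlert[], deps: Record<string, string>): TriagedAlert[] {
  return alerts
    .filter((a) => a.state === "open")
    .map((a) => {
      const pkg = a.dependency.package.name;
      return {
        number: a.number,
        pkg,
        severity: a.security_advisory.severity,
        cve: a.security_advisory.cve_id,
        installed: deps[pkg],
        patched: a.security_vulnerability.first_patched_version?.identifier ?? null,
        category: categorize(a, deps[pkg]),
      };
    })
    .sort((x, y) => SEVERITY_RANK[x.severity] - SEVERITY_RANK[y.severity] || x.pkg.localeCompare(y.pkg));
}

// Counts per category, for the summary the guide asks to present before choosing a scope.
function summarize(triaged: TriagedAlert[]): Record<Category, number> {
  const counts: Record<Category, number> = { "dependency-update": 0, "code-change-required": 0, "no-patch-available": 0 };
  for (const t of triaged) counts[t.category] += 1;
  return counts;
}

// Constructed sample data: package names and CVE ids are placeholders, not real advisories.
const SAMPLE_DEPS: Record<string, string> = { "sample-http": "^2.4.1", "sample-parser": "~1.4.0", "sample-logger": "0.9.1" };

const SAMPLE_ALERTS: DependabotAlert[] = [
  { number: 7, state: "open", dependency: { package: { ecosystem: "npm", name: "sample-http" }, manifest_path: "package.json" },
    security_advisory: { severity: "high", cve_id: "CVE-0000-00001", summary: "placeholder" },
    security_vulnerability: { vulnerable_version_range: "< 3.0.0", first_patched_version: { identifier: "3.0.0" } } },
  { number: 12, state: "open", dependency: { package: { ecosystem: "npm", name: "sample-parser" }, manifest_path: "package.json" },
    security_advisory: { severity: "critical", cve_id: "CVE-0000-00002", summary: "placeholder" },
    security_vulnerability: { vulnerable_version_range: "< 1.4.2", first_patched_version: { identifier: "1.4.2" } } },
  { number: 15, state: "open", dependency: { package: { ecosystem: "npm", name: "sample-logger" }, manifest_path: "package.json" },
    security_advisory: { severity: "low", cve_id: null, summary: "placeholder" },
    security_vulnerability: { vulnerable_version_range: "<= 0.9.1", first_patched_version: null } },
  { number: 3, state: "fixed", dependency: { package: { ecosystem: "npm", name: "sample-old" }, manifest_path: "package.json" },
    security_advisory: { severity: "medium", cve_id: null, summary: "placeholder" },
    security_vulnerability: { vulnerable_version_range: "< 2.0.0", first_patched_version: { identifier: "2.0.0" } } },
];

for (const t of triage(SAMPLE_ALERTS, SAMPLE_DEPS)) {
  console.log(`#${t.number} ${t.severity} ${t.category} ${t.pkg} ${t.installed ?? "?"} -> ${t.patched ?? "no patch"} ${t.cve ?? ""}`);
}
console.log(summarize(triage(SAMPLE_ALERTS, SAMPLE_DEPS)));
```

The "no-patch-available" bucket is worth keeping separate from the guide's three categories: an alert without a first patched version cannot be closed by a version bump, so it needs a manual decision (mitigation, replacement, or a documented acceptance) rather than a line in the batch PR.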
Confirm what to address:
- All alerts in a single PR?
- Only dependency updates?
- Only security fixes above a certain severity?
- Specific packages?
For each change:
- Update package.json (or relevant package files)
- Run yarn install to update yarn.lock
- Run yarn build to verify the build succeeds
- Run yarn test to verify tests pass
- Fix any breaking changes if needed

git checkout -b dependabot-fixes-YYYY-MM-DD
git add .
git commit -m "fix: address dependabot alerts
- Update package1 to vX.Y.Z
- Update package2 to vX.Y.Z
- Fix breaking changes in ..."
git push origin dependabot-fixes-YYYY-MM-DD

Follow the e2e workflow from AGENTS.md:
yarn cloud-e2e
yarn e2e-monitor {batchId}
- If e2e tests fail due to code issues, fix and repeat from step 4
- If timeouts/quota errors, retry the build
- Ask user for guidance if errors persist after multiple attempts

- Always run local tests before pushing
- Group related updates together when possible
- Document breaking changes in commit messages
- Check for peer dependency conflicts after updates