Resolve Dependabot PRs
You are resolving open Dependabot dependency update PRs on GitHub repositories. Follow this methodology precisely.
Prerequisites
- •
ghCLI authenticated with access to the target repo(s) - •The project's package manager installed (bun, npm, yarn, or pnpm)
- •Write access to push fixes and merge PRs
Arguments
- •No arguments: process the current git repo (uses
originremote to determine owner/repo) - •
--all: find all git repos in the current directory and process each one in parallel using a Claude team (one agent per repo) - •
--dry-run: assess and report on all PRs without merging, fixing, or closing anything - •
owner/repo: process a specific GitHub repo
Flags can be combined, e.g. --all --dry-run.
Raw arguments: $ARGUMENTS
Step 1: Determine Target Repos
If --all flag is present:
- •Run
find . -maxdepth 2 -name .git -type dto discover repos - •Create a Claude team with one agent per repo
- •Each agent runs the PR resolution workflow below independently
- •Coordinate results and present a unified summary
Otherwise, determine the single target repo:
- •If a
owner/repoargument is given, use that - •Otherwise, parse the current repo from
git remote get-url origin
Step 2: List Open PRs
gh pr list --repo OWNER/REPO --state open --json number,title,author,mergeable,mergeStateStatus,headRefName,labels,statusCheckRollup
Filter to Dependabot PRs (author login contains "dependabot"). If there are no open Dependabot PRs, report that and stop.
Step 3: Fetch Changelogs
For each PR, before assessing risk, try to fetch release notes or changelogs:
- •From the PR body itself (Dependabot usually includes a changelog summary)
- •From GitHub releases of the dependency:
bash
gh api repos/OWNER/DEPENDENCY/releases/latest --jq '.body' 2>/dev/null
- •Look for CHANGELOG.md or MIGRATION.md in the updated package:
bash
cat node_modules/PACKAGE/CHANGELOG.md 2>/dev/null | head -100
Use this information to anticipate breaking changes before testing. If the changelog explicitly mentions breaking changes or migration steps, factor that into the risk assessment and keep the info handy for Step 7 (fixing).
Step 4: Assess Each PR
For each PR, get the diff:
gh pr diff NUMBER --repo OWNER/REPO
Categorize each PR by risk level:
Low Risk (merge directly)
- •Patch version bumps (e.g., 1.2.3 -> 1.2.5)
- •Minor version bumps of dev dependencies (e.g., prettier 3.1 -> 3.2)
- •Dependencies with no peer dependency constraints
Medium Risk (test first, then merge)
- •Minor version bumps of runtime dependencies
- •Major bumps of dev-only tools (linters, formatters) - test lint/compile
- •Any bump of dependencies used in the project's core functionality
High Risk (likely breaking)
- •Major version bumps of core dependencies (react, react-native, etc.)
- •Version bumps that create mismatches with pinned peer dependencies (e.g., react-dom bumped but react stays pinned)
- •Bumps incompatible with framework SDK constraints (e.g., Expo SDK pins)
Always cross-reference with the "Common Breaking Change Patterns" section below and any changelog info from Step 3.
Step 5: Detect Package Manager
Before testing, detect the project's package manager:
- •
bun.lockorbun.lockb-> bun - •
yarn.lock-> yarn - •
pnpm-lock.yaml-> pnpm - •
package-lock.json-> npm
Use the detected package manager for all install/run commands throughout.
Step 6: Test Risky PRs Locally
For medium/high risk PRs:
- •Stash current changes:
git stash --include-untracked - •Fetch remote branches:
git fetch origin - •For each PR, checkout its package changes and test:
bash
git checkout origin/BRANCH -- package.json <pkg-manager> install --no-save # or equivalent flag
- •Run the project's validation commands (check
package.jsonscripts):- •TypeScript compile check (e.g.,
tsc --noEmit, or acompilescript) - •Lint (e.g.,
lint:checkorlintscript) - •Tests (e.g.,
testscript)
- •TypeScript compile check (e.g.,
- •Restore after each test:
git checkout main -- package.json && <pkg-manager> install
Step 7: Take Action
If --dry-run is set, skip this step entirely. Just report the assessment from Step 9.
For safe/passing PRs: MERGE
gh pr merge NUMBER --repo OWNER/REPO --merge
For PRs that need fixes: FIX then MERGE
- •Checkout the PR branch:
git checkout BRANCH - •Install dependencies
- •Make the necessary code changes (API migrations, config updates, mock updates, etc.)
- •Use changelog/migration guide info from Step 3 to inform the fix
- •Commit with a clear message explaining the fix
- •Push to the PR branch
- •Merge the PR
For broken/incompatible PRs: CLOSE with explanation
gh pr close NUMBER --repo OWNER/REPO --comment "Reason for closing..."
Always include a clear, specific reason:
- •"Incompatible with X which requires Y"
- •"Major version change requires migration of Z, not automated"
- •"Version mismatch: A stays at X while B would be Y"
Step 8: Auto-Learn (after fixing novel breaking changes)
When you successfully fix a breaking change that is NOT already listed in the "Common Breaking Change Patterns" section below, add it.
Rules for auto-learn
- •
Only record generalizable patterns. The entry should help with ANY project that hits this upgrade, not just the current one. Example of good: "react-native-mmkv 3 -> 4:
new MMKV()->createMMKV()". Example of bad: "fixed import in src/utils/storage.ts". - •
One line per pattern. Format:
**package X -> Y**: brief description of what changed and how to fix it. - •
Cap at 30 entries per subsection. If a subsection hits 30, consolidate the oldest/most obvious entries (e.g., merge multiple similar patterns into one) to make room. Remove patterns for packages that haven't been relevant in multiple runs.
- •
Don't duplicate. If a similar pattern already exists, update it rather than adding a new one.
- •
Where to write. Edit the SKILL.md file directly in the skill's directory. The file location depends on where the skill is installed:
- •Personal:
~/.claude/skills/resolve-prs/SKILL.md - •Project:
.claude/skills/resolve-prs/SKILL.md - •Plugin: find via
ls ~/.claude/plugins/*/skills/resolve-prs/SKILL.md
Use the Edit tool to append to the appropriate subsection under "Common Breaking Change Patterns".
- •Personal:
Step 9: Cleanup
- •Return to the main/default branch
- •Pull merged changes
- •Restore any stashed work:
git stash pop
Step 10: Report
Present a summary table:
| PR | Title | Risk | Action | Reason |
|---|---|---|---|---|
| #N | ... | Low/Medium/High | Merged / Fixed & Merged / Closed / Would merge (dry-run) / Would close (dry-run) | ... |
If --dry-run, use "Would merge", "Would close", "Would fix & merge" in the Action column.
If any new patterns were learned, mention them at the bottom:
Learned N new breaking change pattern(s) - the skill will handle these automatically next time.
Common Breaking Change Patterns
Reference these when assessing PRs. This is not exhaustive - always verify by testing. New patterns are added automatically via auto-learn (Step 8).
JavaScript / TypeScript Ecosystem
- •ESLint 8 -> 9+: Requires flat config migration (
.eslintrc.*->eslint.config.js). Check ifeslint-config-*packages support flat config before merging. - •Jest major bumps: Often incompatible with framework-specific jest presets (
jest-expo,react-scripts). Check the preset's peer dependencies. - •TypeScript major bumps: Check if all
@types/*packages and build tools ship compatible definitions. - •Prettier major bumps: Usually safe but may reformat code - check if CI enforces formatting.
React / React Native
- •react-dom without react: Must always match the
reactversion exactly. - •react-native-mmkv 3 -> 4: Constructor changed from
new MMKV()tocreateMMKV(),.delete()renamed to.remove(), requires Nitro Modules jest mock. - •Expo SDK pins: Many dependencies are pinned by Expo SDK version. Verify with
npx expo install --fix. Don't bump packages that Expo constrains. - •React Navigation major bumps: Often requires simultaneous updates of all
@react-navigation/*packages.
Python
- •Django major bumps: Check middleware, URL config, and deprecated feature removals.
- •SQLAlchemy 1.x -> 2.x: Query API completely changed.
General
- •Peer dependency mismatches: If package A requires
B@^2.0but the PR bumps B to 3.0, close it. - •Monorepo grouped updates: If one package in the group is breaking, the whole PR fails. Consider asking Dependabot to split it.