Stats
Actions
Tags
From dep-update-merge
Bundle and merge dependency update PRs/MRs into a single verified change. Use when asked to merge dependency updates, combine Dependabot or Renovate PRs, batch dependency bumps, update dependencies, or consolidate open dependency PRs. Also use when asked to check changelogs for dependency updates, verify that dependency bumps are safe, or create a bundled dependency update branch. Also use when asked to set up, configure, or onboard this skill.
How this skill is triggered — by the user, by Claude, or both
Slash command
/dep-update-merge:dep-update-mergeThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
> Bundles open dependency-update PRs/MRs into one verified change with changelog analysis and breaking change triage.
Bundles open dependency-update PRs/MRs into one verified change with changelog analysis and breaking change triage.
Platform integration and project-specific checks are defined separately in your project's rules. Build, test, and lint commands are not configured here — the skill uses whatever your project already has in CLAUDE.md or .claude/rules/.
When asked to set up, configure, onboard, or create a rules file for this skill:
.claude/rules/, CLAUDE.md) to understand what is already configured. Do not duplicate build, test, or lint commands — those are project-level concerns that belong in the project's own configuration, not here..github/dependabot.yml, renovate.json, .renovaterc) and package manifests (Gemfile, package.json, go.mod, etc.)..claude/rules/dep-update-merge.md containing only the user's choices. Omit any decision where the user accepts the default — the skill's built-in behavior handles those.If the user accepts all defaults and no choices were made, confirm that no rules file is needed and stop.
List all open PRs/MRs and identify those that are dependency updates.
If your project defines how to list and filter dependency-update PRs/MRs (platform command, label filter, author filter), follow that. Otherwise, list all open PRs/MRs and identify dependency updates by examining titles and authors for common patterns: titles containing "bump", "update", "upgrade", or "chore(deps)", and authors matching common bot names such as "dependabot" or "renovate".
Present the discovered list to the user with: PR/MR number, title, source branch, dependency name, and version range (old → new). Ask the user to confirm which PRs/MRs to include before proceeding.
If no dependency-update PRs/MRs are found, report that and stop.
What to defer to a human: Deciding whether a PR/MR that looks like a dependency update but has non-standard formatting or an unexpected author should be included. When in doubt, ask rather than assume.
For each confirmed dependency, find and read the changelog or release notes covering the version range being applied.
If your project defines how to retrieve changelogs (registry URL convention, local vendored changelogs, changelog location pattern), follow that. Otherwise, attempt to find changelogs by:
Classify each update as:
Produce a summary table:
| Dependency | Old Version | New Version | Classification | Notable Changes |
|---|
Flag any update that contains deprecation notices, migration guides, required code changes, or sections explicitly labeled "breaking changes."
If a changelog cannot be found for a dependency, flag it as "changelog unavailable" and treat it as uncertain.
What to defer to a human: Verifying that a change labeled "non-breaking" is truly non-breaking for how this specific project uses that dependency. Changelogs are written by the dependency author and may understate impact. A human familiar with the codebase should review any flagged update.
If any updates from Phase 2 were classified as breaking or flagged as uncertain, present them with their changelog summaries and ask the user how to proceed:
If the user chooses to exclude any updates, remove them from the working set and note them as "deferred — breaking changes detected" in the Phase 6 report.
If no breaking changes or uncertain updates were found in Phase 2, skip this phase entirely and proceed to Phase 4.
Create a single working branch that combines all selected dependency updates.
deps/bundled-updates (or follow your project's branch naming convention)If conflicts arise between updates, stop and report them. Do not silently resolve conflicts — present the conflicting updates and ask whether to resolve manually, exclude one of the conflicting updates, or abort.
What to defer to a human: Resolving merge conflicts that require understanding of how two dependency updates interact. Some conflicts are mechanical; others require knowing which version's behavior the project needs.
Run the project's full verification suite on the combined branch and compare results against the default branch.
Run the project's build, test, and lint commands as already configured in its rules, CLAUDE.md, or project configuration files. This skill does not define its own build or test commands — those are project-level concerns. Look for them in .claude/rules/, CLAUDE.md, and common project files (Makefile, package.json scripts, etc.).
If no build or test commands are configured anywhere in the project, report that Phase 5 requires project-level configuration (in CLAUDE.md or .claude/rules/) and stop. Do not ask the user to configure commands through this skill.
Capture the full output. Report a clear pass/fail.
If the build or tests fail:
After the build and tests pass, compare warnings against the default branch baseline. Scan build and test output for lines matching common warning patterns: "warning", "WARN", "deprecated", "deprecation notice".
Run the same commands on the default branch (or compare against a stored baseline if available). Report:
If new warnings were introduced, report them and ask whether to proceed or investigate. The goal is zero new warnings, but the user decides the threshold.
What to defer to a human: Diagnosing build failures that require domain knowledge about the project's architecture or the dependency's internals. Evaluating whether a new warning is acceptable or indicates upcoming breakage.
Produce a summary report:
## Dependency Bundle: <branch-name>
### Bundled Updates
| Dependency | Old Version | New Version | Classification | Notes |
|------------|-------------|-------------|----------------|-------|
### Deferred Updates
| Dependency | Old Version | New Version | Reason Deferred |
|------------|-------------|-------------|-----------------|
### Verification
- Build: PASS / FAIL
- Tests: PASS / FAIL
- Lint: PASS / FAIL / SKIPPED
- New warnings: N
### Branch
<branch-name> — ready for review
If your project defines how to create the final PR/MR or how to post the output (platform command, PR template), follow that. Otherwise, output the report to stdout and leave the branch ready for the user to create a PR/MR manually.
What to defer to a human: The final decision to merge. This skill prepares and verifies the combined change but does not merge to the default branch. A human must review the bundle and approve the merge.
Safety first. Never merge automatically. The skill prepares a verified bundle; a human decides to ship it.
Transparency. Every exclusion, conflict, warning, and failure is reported. Nothing is silently skipped or resolved.
Platform-agnostic. The methodology works regardless of forge or CI system. Platform specifics live in the companion rules file.
Reproducible. Alphabetical merge order and explicit conflict reporting mean the same inputs produce the same bundle.
Conservative on breaking changes. Default to offering exclusion of breaking updates rather than silently including them. The user can always opt in.
npx claudepluginhub agilefreaks/claude-skills --plugin dep-update-mergeConsolidates open Dependabot PRs into one tested branch and PR, grouped by ecosystem and risk, with baseline-diff verification and operator approval before merging.
Reviews open Dependabot PRs, classifies by risk (patch/minor/major/security/lockfile-only), merges safe ones via GitHub CLI, and advises on others. Use for dependency update triage.
Scans projects for outdated npm/pip/Cargo/Go/Ruby packages. Runs CVE audit, fetches changelogs, summarizes breaking changes with Gemini, and opens one PR per risk group (patch/minor/major).