fix-dependabot
Fix a Dependabot PR by updating all monorepo instances of the dependency, running bun install, and pushing
How do I install this agent skill?
npx skills add https://github.com/remotion-dev/remotion --skill fix-dependabotIs this agent skill safe to install?
- Gen Agent Trust Hubpass
The skill simplifies monorepo dependency management by automating updates after a Dependabot PR. It uses common tools like git and bun to ensure project consistency. The primary security consideration is the ingestion of PR metadata into shell commands, which is handled as a standard part of the developer workflow.
- Socketpass
No alerts
- Snykwarn
Risk: MEDIUM · 1 issue
What does this agent skill do?
Dependabot PRs only update one package.json and never run bun install, so the bun.lock file is out of date and other packages in the monorepo still reference the old version. This skill fixes both problems.
Steps
-
Get PR info — Use
gh pr view <number> --json headRefName,files,title,bodyto identify the branch name, which dependency was bumped, and the old/new versions. -
Checkout the branch:
git fetch origin <branch>
git checkout <branch>
- Update all monorepo instances — Dependabot only touches one package. Search for all other
package.jsonfiles that reference the same dependency at the old version and update them too:
rg '"<dependency>": "[~^]?<old-version>"' --glob '**/package.json'
Update every match to the new version. Preserve the prefix style (^, ~, or exact) that each package already uses.
-
Run
bun installfrom the repo root to regeneratebun.lock. -
Verify — Run
git statusto confirm onlybun.lockand the expectedpackage.jsonfiles were modified. If other unexpected files changed, investigate before proceeding. -
Commit and push:
git add -u
git commit -m "Update <dependency> to <version> across all monorepo packages"
git push
- Switch back — Return to your previous branch (usually
main):
git checkout main
Notes
- Dependabot says "Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself" — but updating the lockfile and sibling packages is the expected workflow and won't cause issues.
- If the version bump is a major version (e.g. vite 5 → 6), consider whether the upgrade is appropriate or if it should be ignored. Check for breaking changes.
- If
bun installfails, the dependency version may have conflicts with other packages. In that case, close the PR and comment explaining why.
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/remotion-dev/remotion/fix-dependabot">View fix-dependabot on skillZs</a>