From 45172ee09b13e444755b340d2535ba381a648769 Mon Sep 17 00:00:00 2001 From: kpj2006 <24ucs074@lnmiit.ac.in> Date: Thu, 5 Mar 2026 18:22:38 +0530 Subject: [PATCH 1/2] Add detailed instructions for dependency manifest and lock file reviews --- .coderabbit.yaml | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/.coderabbit.yaml b/.coderabbit.yaml index f69abfe..2257c3d 100644 --- a/.coderabbit.yaml +++ b/.coderabbit.yaml 
@@ -278,3 +278,46 @@ reviews: - Proper @2x and @3x variants for different screen densities - SVG assets are optimized - Font files are licensed and optimized + + # Dependency manifest and lock files (e.g. updated by Dependabot, Renovate) + - path: >- + **/{package.json,package-lock.json,yarn.lock,requirements.txt,Pipfile,Pipfile.lock,pyproject.toml,poetry.lock,go.mod,go.sum,Cargo.toml,Cargo.lock,pom.xml,build.gradle,*.gemspec,Gemfile,Gemfile.lock} + instructions: | + This file may be modified by a dependency bot (e.g., Dependabot, Renovate). + Perform a structured dependency upgrade analysis: + + **1. Version Change Assessment** + - Identify all version bumps (major, minor, patch) and flag major/minor upgrades explicitly. + - Check the official release notes, changelog, or migration guide for each upgraded package. + + **2. Breaking Change Detection** + - Breaking changes: removed or renamed APIs, changed function signatures, altered behavior. + - Deprecated APIs: warn if the codebase uses anything deprecated in the new version. + - Configuration changes: new required env vars, config keys, or file structure changes. + - Security fixes: highlight CVE patches and confirm they address known vulnerabilities. + + **3. Codebase Compatibility Check** + - Locate all files in the repo that import or use the upgraded dependency. + - For each usage, verify: + - No removed or renamed imports/functions are referenced. + - Constructor/function call signatures are compatible. + - Any default behavior changes do not silently break existing logic. + + **4. Risk Analysis** + - Runtime errors: type mismatches, missing attributes, changed return types. + - API incompatibility: breaking interface/type changes (critical for TypeScript). + - Logical bugs: subtle behavior changes that don't throw errors but alter outcomes. + - Performance regressions: flag if release notes mention perf impacts. + + **5. 
Edge Cases to Verify** + - Backward compatibility with currently pinned peer dependencies. + - Changes in default behavior or environment assumptions. + - Peer requirement conflicts introduced by the new version. + - For TypeScript: type/interface changes that may require type assertion updates. + + **6. Migration Guidance** + - If official docs provide migration steps, summarize the required changes and flag + specific files in this repo that need updates. + - If no migration is required, confirm this explicitly. + + Conclude with a **risk level**: Low / Medium / High, with justification. From 888aa3126a1939f04e58e9ee0b3002612c3c2b01 Mon Sep 17 00:00:00 2001 From: kpj2006 <24ucs074@lnmiit.ac.in> Date: Thu, 5 Mar 2026 18:31:47 +0530 Subject: [PATCH 2/2] Update dependency file paths in review instructions to include pnpm and gradle lock files --- .coderabbit.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.coderabbit.yaml b/.coderabbit.yaml index 2257c3d..7249384 100644 --- a/.coderabbit.yaml +++ b/.coderabbit.yaml @@ -281,7 +281,7 @@ reviews: # Dependency manifest and lock files (e.g. updated by Dependabot, Renovate) - path: >- - **/{package.json,package-lock.json,yarn.lock,requirements.txt,Pipfile,Pipfile.lock,pyproject.toml,poetry.lock,go.mod,go.sum,Cargo.toml,Cargo.lock,pom.xml,build.gradle,*.gemspec,Gemfile,Gemfile.lock} + **/{package.json,package-lock.json,yarn.lock,pnpm-lock.yaml,npm-shrinkwrap.json,requirements.txt,Pipfile,Pipfile.lock,pyproject.toml,poetry.lock,go.mod,go.sum,Cargo.toml,Cargo.lock,pom.xml,build.gradle,build.gradle.kts,gradle.lockfile,*.gemspec,Gemfile,Gemfile.lock} instructions: | This file may be modified by a dependency bot (e.g., Dependabot, Renovate). Perform a structured dependency upgrade analysis:
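Review bot: The new instruction block in hunk 1 checks version bumps but says nothing about lock-file changes that have no matching manifest change, which is where tampering with these files tends to show up; consider adding an item under section 2 or 4 along the lines of `- Lock file integrity: flag entries whose resolved URL, registry host, or integrity hash changed without a corresponding version change, and any newly added transitive dependencies or install scripts.` Point 1's "Check the official release notes, changelog, or migration guide" also asks the review model to consult external sources it may not be able to fetch; rephrase it to rely on the release notes Dependabot and Renovate embed in the PR description and to state explicitly when none were available, so the summary is not invented. The `@@ -278,3 +278,46 @@` header is consistent with 3 context lines plus 43 additions, so the hunk itself applies cleanly.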
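Review bot: The expanded brace list in hunk 2 still omits common manifests such as `requirements-*.txt`, `setup.py`, `setup.cfg`, `uv.lock`, `composer.json`/`composer.lock`, `packages.lock.json`, `*.csproj` and `bun.lockb`; either add the ones this repository's ecosystems actually use or say in the comment above the entry that the list is intentionally limited to the listed ecosystems. The single very long glob is also hard to review in later diffs (this commit already shows up as one replaced line); splitting it into one `path` entry per ecosystem, with the `instructions` text shared via a YAML anchor if the config loader honours anchors, would make future additions one-line changes. Finally, confirm that the glob syntax CodeRabbit accepts for `path` supports `{a,b}` brace expansion, because if it does not the pattern matches nothing and these instructions never trigger.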