From 9b0d3ca8e9d585101a7234342974374cb16d2ec4 Mon Sep 17 00:00:00 2001 From: vnz <1267662+vnz@users.noreply.github.com> Date: Mon, 26 Jan 2026 16:21:15 +0100 Subject: [PATCH 1/5] refactor(dependabot): restructure skill to recommended subdirectory format v1.3.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Migrate from legacy flat structure to modern subdirectory structure: - skills/dependabot.md → skills/dependabot/SKILL.md - Extract ecosystem tables to references/ecosystems.md This enables progressive disclosure - Claude loads SKILL.md first, then fetches reference files only when needed, reducing token usage. Structure now follows official Claude Code plugin best practices. Co-Authored-By: Claude Opus 4.5 --- .claude-plugin/marketplace.json | 2 +- plugins/dependabot/.claude-plugin/plugin.json | 2 +- .../{dependabot.md => dependabot/SKILL.md} | 45 +++-------------- .../dependabot/references/ecosystems.md | 49 +++++++++++++++++++ 4 files changed, 57 insertions(+), 41 deletions(-) rename plugins/dependabot/skills/{dependabot.md => dependabot/SKILL.md} (80%) create mode 100644 plugins/dependabot/skills/dependabot/references/ecosystems.md diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json index bfa89bb..1fd9aaf 100644 --- a/.claude-plugin/marketplace.json +++ b/.claude-plugin/marketplace.json @@ -29,7 +29,7 @@ { "name": "dependabot", "description": "Check for dependency updates using Dependabot CLI with auto-detection of package managers", - "version": "1.2.0", + "version": "1.3.0", "source": "./plugins/dependabot", "category": "development", "author": { diff --git a/plugins/dependabot/.claude-plugin/plugin.json b/plugins/dependabot/.claude-plugin/plugin.json index 6adb08e..11f6709 100644 --- a/plugins/dependabot/.claude-plugin/plugin.json +++ b/plugins/dependabot/.claude-plugin/plugin.json 
@@ -1,6 +1,6 @@ { "name": "dependabot", - "version": "1.2.0", + "version": "1.3.0", "description": "Check for dependency updates using Dependabot CLI with auto-detection of package managers", "license": "MIT", "author": { diff --git a/plugins/dependabot/skills/dependabot.md b/plugins/dependabot/skills/dependabot/SKILL.md similarity index 80% rename from plugins/dependabot/skills/dependabot.md rename to plugins/dependabot/skills/dependabot/SKILL.md index f130742..c75cca8 100644 --- a/plugins/dependabot/skills/dependabot.md +++ b/plugins/dependabot/skills/dependabot/SKILL.md @@ -1,4 +1,5 @@ --- +name: dependabot description: This skill should be used when the user asks to "check dependencies", "find outdated packages", "scan for updates", "use dependabot", "run dependabot", "check for security updates", "what needs updating", or requests dependency scanning for specific ecosystems like npm, terraform, or github-actions. Supports scanning all ecosystems or specific ones with "use dependabot for ". --- @@ -6,6 +7,9 @@ description: This skill should be used when the user asks to "check dependencies Scan for dependency updates using the official Dependabot CLI and optionally create PRs for found updates. +**Reference files:** +- `references/ecosystems.md` - Complete list of supported ecosystems with aliases and detection methods + ## 1. Prerequisites Check Before running, verify the required tools are installed: 
@@ -36,48 +40,11 @@ Analyze the user's trigger phrase: - **"use dependabot for npm"** → Scan only `npm_and_yarn` ecosystem - **"use dependabot for github-actions"** or **"use dependabot for actions"** → Scan only `github_actions` ecosystem -Map common aliases to Dependabot CLI ecosystem values: -| User Says | CLI Ecosystem | -|-----------|---------------| -| npm, yarn, pnpm | `npm_and_yarn` | -| github-actions, actions, workflows | `github_actions` | -| terraform, tf | `terraform` | -| go, golang | `go_modules` | -| python, pip, pipenv | `pip` | -| ruby, bundler, gems | `bundler` | -| rust, cargo | `cargo` | -| docker | `docker` | -| maven, java | `maven` | -| gradle | `gradle` | -| composer, php | `composer` | -| nuget, dotnet, csharp | `nuget` | -| helm | `helm` | -| dart, flutter, pub | `pub` | -| swift | `swift` | -| elixir, hex | `hex` | +For the complete ecosystem alias mapping and detection methods, see `references/ecosystems.md`. ## 3. Ecosystem Auto-Detection -If scanning all ecosystems, detect which are present using file existence checks: - -| Ecosystem | CLI Value | Detection Method | -|-----------|-----------|------------------| -| GitHub Actions | `github_actions` | Glob: `.github/workflows/*.yml` or `.github/workflows/*.yaml` | -| Terraform | `terraform` | Glob: `*.tf` or `**/*.tf` (check root and subdirs) | -| npm/yarn/pnpm | `npm_and_yarn` | File exists: `package.json` | -| Go | `go_modules` | File exists: `go.mod` | -| Python (pip) | `pip` | File exists: `requirements.txt`, `pyproject.toml`, `Pipfile`, or `setup.py` | -| Ruby | `bundler` | File exists: `Gemfile` | -| Rust | `cargo` | File exists: `Cargo.toml` | -| Docker | `docker` | Glob: `Dockerfile` or `*.dockerfile` or `docker-compose.yml` | -| Maven | `maven` | File exists: `pom.xml` | -| Gradle | `gradle` | File exists: `build.gradle` or `build.gradle.kts` | -| Composer | `composer` | File exists: `composer.json` | -| NuGet | `nuget` | Glob: `*.csproj` or `packages.config` or `*.fsproj` | -| 
Helm | `helm` | File exists: `Chart.yaml` | -| Pub (Dart) | `pub` | File exists: `pubspec.yaml` | -| Swift | `swift` | File exists: `Package.swift` | -| Hex (Elixir) | `hex` | File exists: `mix.exs` | +If scanning all ecosystems, detect which are present using file existence checks. See `references/ecosystems.md` for the full detection table. Report detected ecosystems to the user before proceeding: > "Detected ecosystems: npm_and_yarn, github_actions, terraform" diff --git a/plugins/dependabot/skills/dependabot/references/ecosystems.md b/plugins/dependabot/skills/dependabot/references/ecosystems.md new file mode 100644 index 0000000..19cd7f4 --- /dev/null +++ b/plugins/dependabot/skills/dependabot/references/ecosystems.md 
@@ -0,0 +1,49 @@ +# Supported Ecosystems Reference + +This file contains the complete mapping of user aliases to Dependabot CLI ecosystem values, and the detection methods for auto-discovery. + +## Ecosystem Alias Mapping + +Map common user phrases to Dependabot CLI ecosystem values: + +| User Says | CLI Ecosystem | +|-----------|---------------| +| npm, yarn, pnpm | `npm_and_yarn` | +| github-actions, actions, workflows | `github_actions` | +| terraform, tf | `terraform` | +| go, golang | `go_modules` | +| python, pip, pipenv | `pip` | +| ruby, bundler, gems | `bundler` | +| rust, cargo | `cargo` | +| docker | `docker` | +| maven, java | `maven` | +| gradle | `gradle` | +| composer, php | `composer` | +| nuget, dotnet, csharp | `nuget` | +| helm | `helm` | +| dart, flutter, pub | `pub` | +| swift | `swift` | +| elixir, hex | `hex` | + +## Ecosystem Auto-Detection + +Detect which ecosystems are present using file existence checks: + +| Ecosystem | CLI Value | Detection Method | +|-----------|-----------|------------------| +| GitHub Actions | `github_actions` | Glob: `.github/workflows/*.yml` or `.github/workflows/*.yaml` | +| Terraform | `terraform` | Glob: `*.tf` or `**/*.tf` (check root and subdirs) | +| npm/yarn/pnpm | `npm_and_yarn` | File exists: `package.json` | +| Go | `go_modules` | File exists: `go.mod` | +| Python (pip) | `pip` | File exists: `requirements.txt`, `pyproject.toml`, `Pipfile`, or `setup.py` | +| Ruby | `bundler` | File exists: `Gemfile` | +| Rust | `cargo` | File exists: `Cargo.toml` | +| Docker | `docker` | Glob: `Dockerfile` or `*.dockerfile` or `docker-compose.yml` | +| Maven | `maven` | File exists: `pom.xml` | +| Gradle | `gradle` | File exists: `build.gradle` or `build.gradle.kts` | +| Composer | `composer` | File exists: `composer.json` | +| NuGet | `nuget` | Glob: `*.csproj` or `packages.config` or `*.fsproj` | +| Helm | `helm` | File exists: `Chart.yaml` | +| Pub (Dart) | `pub` | File exists: `pubspec.yaml` | +| Swift | `swift` | 
File exists: `Package.swift` | +| Hex (Elixir) | `hex` | File exists: `mix.exs` | From c6be1a8d1afc9089486c9ffc3b33a2044fca8730 Mon Sep 17 00:00:00 2001 From: vnz <1267662+vnz@users.noreply.github.com> Date: Mon, 26 Jan 2026 16:38:57 +0100 Subject: [PATCH 2/5] docs: add dependabot to README and document skill structure in CLAUDE.md - Add dependabot plugin to Available Plugins table - Add install command example - Document recommended skill subdirectory structure in CLAUDE.md Co-Authored-By: Claude Opus 4.5 --- CLAUDE.md | 14 ++++++++++++++ README.md | 2 ++ 2 files changed, 16 insertions(+) diff --git a/CLAUDE.md b/CLAUDE.md index ed38a37..4cddfe5 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -13,6 +13,20 @@ Personal Claude Code plugin marketplace by vnz. 4. Validate: `prek run --all-files` 5. Commit and test: `/plugin install @cc-plugins-vnz` +## Skill Structure (Recommended) + +Use the subdirectory format for skills with reference files: + +``` +skills/ +└── / + ├── SKILL.md # Main skill (required) + └── references/ # Optional reference data + └── .md +``` + +This enables progressive disclosure — Claude loads SKILL.md first, then fetches reference files only when needed. + ## Development ```bash diff --git a/README.md b/README.md index 07a3478..f8f7cc9 100644 --- a/README.md +++ b/README.md @@ -23,6 +23,7 @@ Personal Claude Code plugin marketplace by vnz. |--------|-------------| | `date-context` | Injects current date/time at session start to fix web search year issues | | `terraform-ls` | Terraform language server for code intelligence (go-to-definition, hover, diagnostics) | +| `dependabot` | Check for dependency updates using Dependabot CLI with auto-detection of package managers | ## Usage @@ -30,6 +31,7 @@ After adding the marketplace, install any plugin: ```bash /plugin install date-context@cc-plugins-vnz /plugin install terraform-ls@cc-plugins-vnz +/plugin install dependabot@cc-plugins-vnz ``` ## Development 
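Review bot: in PATCH 1/5, the Terraform row of the new `references/ecosystems.md` detection table globs `**/*.tf` through every subdirectory, which will also match the module copies Terraform downloads into `.terraform/`; add an exclusion for `.terraform/` so vendored module sources are not reported as a detected ecosystem or scanned for updates. Also, in the SKILL.md frontmatter hunk the last trigger phrase reads `"use dependabot for "` with nothing after `for`; if the source file has an angle-bracket placeholder there it was dropped in this rendering, otherwise the placeholder needs filling in.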
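Review bot: in PATCH 2/5, the CLAUDE.md skill-structure tree shows the skill directory and reference file as `└── /` and `└── .md`, so as rendered it does not tell a reader what those entries should be named; use an explicit placeholder such as `<skill-name>/` and `<topic>.md`, or the concrete `dependabot/` and `ecosystems.md` names introduced in PATCH 1/5. The README table row and the `/plugin install dependabot@cc-plugins-vnz` line match the name and description in `marketplace.json`.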
From fb9f7a04522c716e5c556089e1f6a401d2f342cc Mon Sep 17 00:00:00 2001 From: vnz <1267662+vnz@users.noreply.github.com> Date: Mon, 26 Jan 2026 16:47:44 +0100 Subject: [PATCH 3/5] docs(dependabot): remove redundant CLI behavior explanations Consolidate repeated explanations: - CLI outputs JSON / doesn't modify files (was in 3 places, now 1) - --local flag purpose (was in 2 places, now 1) Keep detailed explanation in Section 4, remove duplicates elsewhere. Co-Authored-By: Claude Opus 4.5 --- plugins/dependabot/skills/dependabot/SKILL.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/plugins/dependabot/skills/dependabot/SKILL.md b/plugins/dependabot/skills/dependabot/SKILL.md index c75cca8..1a1d273 100644 --- a/plugins/dependabot/skills/dependabot/SKILL.md +++ b/plugins/dependabot/skills/dependabot/SKILL.md @@ -146,8 +146,6 @@ Based on user's choice: ``` 2. **Apply changes manually:** - The CLI doesn't modify files - you must apply the changes yourself. - From the `create_pull_request` JSON events, extract the `updated-dependency-files` array. Each entry contains: - `name` - The file path (e.g., `.github/workflows/ci.yml`) @@ -190,9 +188,5 @@ Based on user's choice: ## Important Notes - Always use `gh auth token` for authentication - never ask for tokens directly -- The CLI **outputs JSON describing changes** - it never modifies files directly -- The `--local .` flag means "use local directory as repo source" (avoids cloning from GitHub) -- Without `--local`, the CLI clones from GitHub but still doesn't modify your local files - Some ecosystems may require additional configuration (e.g., private registries) - If dependabot fails for an ecosystem, report the error and continue with others -- JSON output can be 40KB+ - grep for `create_pull_request` to find relevant data From 5294a9bb693e851904bc8a521b22882654bca639 Mon Sep 17 00:00:00 2001 
From: vnz <1267662+vnz@users.noreply.github.com> Date: Mon, 26 Jan 2026 16:48:34 +0100 Subject: [PATCH 4/5] docs(dependabot): consolidate remaining redundancies - Simplify Section 5: merge update detection into compact flow - Remove duplicate ecosystem.md reference (keep one in Section 2) Co-Authored-By: Claude Opus 4.5 --- plugins/dependabot/skills/dependabot/SKILL.md | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/plugins/dependabot/skills/dependabot/SKILL.md b/plugins/dependabot/skills/dependabot/SKILL.md index 1a1d273..e0fd148 100644 --- a/plugins/dependabot/skills/dependabot/SKILL.md +++ b/plugins/dependabot/skills/dependabot/SKILL.md @@ -40,11 +40,11 @@ Analyze the user's trigger phrase: - **"use dependabot for npm"** → Scan only `npm_and_yarn` ecosystem - **"use dependabot for github-actions"** or **"use dependabot for actions"** → Scan only `github_actions` ecosystem -For the complete ecosystem alias mapping and detection methods, see `references/ecosystems.md`. +See `references/ecosystems.md` for the complete alias mapping and detection methods. ## 3. Ecosystem Auto-Detection -If scanning all ecosystems, detect which are present using file existence checks. See `references/ecosystems.md` for the full detection table. +If scanning all ecosystems, detect which are present using file existence checks. Report detected ecosystems to the user before proceeding: > "Detected ecosystems: npm_and_yarn, github_actions, terraform" 
@@ -75,13 +75,15 @@ Where `` is the CLI ecosystem value (e.g., `npm_and_yarn`, `terraform ## 5. Parse Results from JSON Output -The CLI outputs multiple JSON objects. Look for `create_pull_request` events to find updates: +Filter the output for `create_pull_request` events — these contain the updates: ```bash -# Filter for PR creation events (these contain the updates) | grep '"type":"create_pull_request"' ``` +- ✅ **Updates found:** `create_pull_request` events in output +- ❌ **No updates:** Only `mark_as_processed` events (grep returns nothing) + Each `create_pull_request` event contains: - `dependencies[].name` - Package name - `dependencies[].previous-version` - Current version @@ -89,12 +91,6 @@ Each `create_pull_request` event contains: - `pr-title` - Suggested PR title - `updated-dependency-files[]` - The actual file changes to apply -**Determining if updates exist:** -- ✅ **Updates found:** One or more `create_pull_request` events in the output -- ❌ **No updates:** Only `mark_as_processed` events appear (no `create_pull_request`) - -This is the definitive way to check — if you grep for `create_pull_request` and get no results, that ecosystem is up-to-date. - ## 6. Present Results Summarize findings in a clear format: From c988bd1e229482d236c5e7e7c1f605137684d4b8 Mon Sep 17 00:00:00 2001 From: vnz <1267662+vnz@users.noreply.github.com> Date: Mon, 26 Jan 2026 17:33:43 +0100 Subject: [PATCH 5/5] docs(dependabot): apply optional improvements from skill review - Add trigger phrases: "upgrade dependencies", "version updates" - Tighten --local flag explanation (save ~15 words) Co-Authored-By: Claude Opus 4.5 --- plugins/dependabot/skills/dependabot/SKILL.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/dependabot/skills/dependabot/SKILL.md b/plugins/dependabot/skills/dependabot/SKILL.md index e0fd148..8dbce6f 100644 --- a/plugins/dependabot/skills/dependabot/SKILL.md +++ b/plugins/dependabot/skills/dependabot/SKILL.md 
@@ -1,6 +1,6 @@ --- name: dependabot -description: This skill should be used when the user asks to "check dependencies", "find outdated packages", "scan for updates", "use dependabot", "run dependabot", "check for security updates", "what needs updating", or requests dependency scanning for specific ecosystems like npm, terraform, or github-actions. Supports scanning all ecosystems or specific ones with "use dependabot for ". +description: This skill should be used when the user asks to "check dependencies", "find outdated packages", "scan for updates", "use dependabot", "run dependabot", "check for security updates", "upgrade dependencies", "version updates", "what needs updating", or requests dependency scanning for specific ecosystems like npm, terraform, or github-actions. Supports scanning all ecosystems or specific ones with "use dependabot for ". --- # Dependabot Update Skill @@ -69,7 +69,7 @@ Where `` is the CLI ecosystem value (e.g., `npm_and_yarn`, `terraform **Understanding the output:** - The CLI outputs **JSON lines** (one JSON object per line), NOT human-readable tables - The CLI **never modifies files directly** - it only outputs data describing what would change -- The `--local .` flag means "use local filesystem as source" — this prevents the CLI from cloning from GitHub and instead uses your working directory (it's NOT a "dry-run" flag) +- The `--local .` flag uses your working directory instead of cloning from GitHub (NOT a "dry-run" flag) - Output can be very large (40KB+) - it may be truncated - **Important:** Use `2>&1` to capture both stdout and stderr, as the CLI mixes log messages (stderr) with JSON output (stdout)
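Review bot: in PATCH 3/5, the first hunk removes the only reminder at the "Apply changes manually" step that the CLI does not write files, which is the one place where the assistant is about to edit the working tree; since the commit message keeps the detailed explanation in Section 4, have that step point at it ("from the JSON events, see Section 4") so the reminder is still one hop away. Dropping the `40KB+`/grep bullet from Important Notes is consistent with PATCH 4/5 keeping the grep in Section 5.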
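Review bot: in PATCH 4/5, the Section 5 hunk replaces "Only `mark_as_processed` events appear (no `create_pull_request`)" with "grep returns nothing", and that shortened test is unsafe: grep also returns nothing when the CLI fails, when the output is truncated (Section 4 warns it can exceed 40KB and be truncated) or when an ecosystem was misdetected, so an empty grep would be reported as "up to date" and a security update silently missed. Keep the positive condition from the removed text: treat an ecosystem as up to date only when the output actually contains `mark_as_processed` events, and route anything else to the "report the error and continue with others" rule in Important Notes. Also, the bash snippet now reads `| grep '"type":"create_pull_request"'` with nothing before the pipe; if the source had a placeholder for the CLI output there, it was dropped in rendering.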
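Review bot: in PATCH 5/5, the Section 4 context line tells the reader to use `2>&1` so stderr log messages are merged into the JSON-lines stdout; that is harmless for the `grep '"type":"create_pull_request"'` filter in Section 5 but breaks any consumer that parses every line as JSON, and a log line containing that string could be picked up by grep as a result. Suggest redirecting stderr to a file (for example `2>dependabot.log`) so stdout stays pure JSON lines, or stating that non-JSON lines must be skipped when parsing. The added trigger phrases "upgrade dependencies" and "version updates" read fine; the placeholder at the end of the description is still empty in both the removed and the added line.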