From 426abdf14908c5bdb8f403261f8b4bf480ac6d89 Mon Sep 17 00:00:00 2001 From: vnz <1267662+vnz@users.noreply.github.com> Date: Mon, 26 Jan 2026 18:47:55 +0100 Subject: [PATCH 1/2] feat(dependabot): use jq for robust JSON parsing v1.5.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace fragile grep string matching with proper jq JSON parsing for Dependabot CLI output. grep retained as fallback. Changes: - Add jq to prerequisites check (Section 1) - Update Section 5 with jq as primary parsing method - Add jq extraction example for dependency summaries - Correct JSON field paths (data.dependencies[], data["pr-title"]) - Bump version: 1.4.0 → 1.5.0 Benefits: - Handles JSON formatting/whitespace variations - Proper field extraction from nested structures - More meaningful error messages - Future-proof against CLI output changes Co-Authored-By: Claude Opus 4.5 --- .claude-plugin/marketplace.json | 2 +- plugins/dependabot/.claude-plugin/plugin.json | 2 +- plugins/dependabot/skills/dependabot/SKILL.md | 28 +++++++++++++++---- 3 files changed, 24 insertions(+), 8 deletions(-) diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json index 67544f5..507f303 100644 --- a/.claude-plugin/marketplace.json +++ b/.claude-plugin/marketplace.json @@ -29,7 +29,7 @@ { "name": "dependabot", "description": "Check for dependency updates using Dependabot CLI with auto-detection of package managers", - "version": "1.4.0", + "version": "1.5.0", "source": "./plugins/dependabot", "category": "development", "author": { diff --git a/plugins/dependabot/.claude-plugin/plugin.json b/plugins/dependabot/.claude-plugin/plugin.json index 900e6a1..a933d9b 100644 --- a/plugins/dependabot/.claude-plugin/plugin.json +++ b/plugins/dependabot/.claude-plugin/plugin.json 
@@ -1,6 +1,6 @@ { "name": "dependabot", - "version": "1.4.0", + "version": "1.5.0", "description": "Check for dependency updates using Dependabot CLI with auto-detection of package managers", "license": "MIT", "author": { diff --git a/plugins/dependabot/skills/dependabot/SKILL.md b/plugins/dependabot/skills/dependabot/SKILL.md index 47cd52e..292daa7 100644 --- a/plugins/dependabot/skills/dependabot/SKILL.md +++ b/plugins/dependabot/skills/dependabot/SKILL.md @@ -20,6 +20,9 @@ command -v dependabot || echo "NOT_FOUND" # Check if gh CLI is installed (needed for authentication) command -v gh || echo "NOT_FOUND" + +# Check if jq is installed (needed for JSON parsing) +command -v jq || echo "NOT_FOUND" ``` **If dependabot CLI is not found:** @@ -31,6 +34,10 @@ command -v gh || echo "NOT_FOUND" - Inform the user: "The GitHub CLI (gh) is needed for authentication." - Suggest installation via their package manager. +**If jq is not found:** +- Inform the user: "jq is needed for parsing JSON output." +- Suggest installation via their package manager (e.g., `brew install jq`, `apt install jq`). + ## 2. Parse User Intent Analyze the user's trigger phrase: 
@@ -76,18 +83,27 @@ Where `` is the CLI ecosystem value (e.g., `npm_and_yarn`, `terraform Filter the output for `create_pull_request` events — these contain the updates: ```bash +# Primary method (jq) — robust JSON parsing + | jq -c 'select(.type == "create_pull_request")' + +# Fallback (grep) — if jq unavailable, less reliable | grep '"type":"create_pull_request"' ``` - ✅ **Updates found:** `create_pull_request` events in output -- ❌ **No updates:** Only `mark_as_processed` events (grep returns nothing) +- ❌ **No updates:** Only `mark_as_processed` events (jq/grep returns nothing) Each `create_pull_request` event contains: -- `dependencies[].name` - Package name -- `dependencies[].previous-version` - Current version -- `dependencies[].version` - Available version -- `pr-title` - Suggested PR title -- `updated-dependency-files[]` - The actual file changes to apply +- `data.dependencies[].name` - Package name +- `data.dependencies[].previous-version` - Current version +- `data.dependencies[].version` - Available version +- `data["pr-title"]` - Suggested PR title +- `data["updated-dependency-files"][]` - The actual file changes to apply + +**Extract dependency summary from an event:** +```bash +echo '' | jq -r '.data.dependencies[] | "\(.name): \(.["previous-version"]) → \(.version)"' +``` ## 6. Present Results From 82ead5f73ee95003ec9cd0cc86cba5ae3ff69f18 Mon Sep 17 00:00:00 2001 From: vnz <1267662+vnz@users.noreply.github.com> Date: Mon, 26 Jan 2026 18:57:53 +0100 Subject: [PATCH 2/2] docs(dependabot): apply code review feedback - Soften jq prerequisite message (recommended, not required) - Use bracket notation for previous-version field (hyphen consistency) Co-Authored-By: Claude Opus 4.5 --- plugins/dependabot/skills/dependabot/SKILL.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/dependabot/skills/dependabot/SKILL.md b/plugins/dependabot/skills/dependabot/SKILL.md index 292daa7..d824ec6 100644 
--- a/plugins/dependabot/skills/dependabot/SKILL.md +++ b/plugins/dependabot/skills/dependabot/SKILL.md @@ -35,7 +35,7 @@ command -v jq || echo "NOT_FOUND" - Suggest installation via their package manager. **If jq is not found:** -- Inform the user: "jq is needed for parsing JSON output." +- Inform the user: "jq is recommended for robust JSON parsing. The skill will fall back to a less reliable method if it's not available." - Suggest installation via their package manager (e.g., `brew install jq`, `apt install jq`). ## 2. Parse User Intent @@ -95,7 +95,7 @@ Filter the output for `create_pull_request` events — these contain the updates Each `create_pull_request` event contains: - `data.dependencies[].name` - Package name -- `data.dependencies[].previous-version` - Current version +- `data.dependencies[]["previous-version"]` - Current version - `data.dependencies[].version` - Available version - `data["pr-title"]` - Suggested PR title - `data["updated-dependency-files"][]` - The actual file changes to apply
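Review bot: In PATCH 1/2, the SKILL.md hunks at `@@ -20,6 +23,9 @@` and `@@ -31,6 +34,10 @@` add jq to the Section 1 prerequisites with the same `command -v jq || echo "NOT_FOUND"` shape and the same "is needed" wording as the hard prerequisites (dependabot, gh), even though the same patch keeps grep as a fallback. PATCH 2/2 softens the message to "recommended", but the check itself still reports jq exactly like a required tool, so a reader of Section 1 cannot tell which NOT_FOUND results should stop the workflow. Suggest marking the jq check as optional in the comment (e.g. `# Optional: jq for robust JSON parsing (grep fallback in Section 5)`) so the prerequisite block and the softened message agree.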
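Review bot: In the PATCH 1/2 hunk `@@ -76,18 +83,27 @@`, the primary filter `| jq -c 'select(.type == "create_pull_request")'` will abort with a parse error if the CLI ever interleaves a non-JSON line (progress or log output) with the event stream, which is exactly the case where the old grep line kept working; if that can happen, `jq -R -c 'fromjson? | select(.type == "create_pull_request")'` skips unparsable lines instead of failing the whole pipeline. The summary example `echo '' | jq -r '.data.dependencies[] | "\(.name): \(.["previous-version"]) → \(.version)"'` also feeds the event through a single-quoted shell string, which breaks on any JSON containing a single quote or backslash; piping the already-filtered stream (or a saved file) straight into the second jq avoids re-quoting untrusted output. Finally, the commit message states "More meaningful error messages" but no error handling is added in the hunk; either drop that line or show what a failed parse reports.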
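Review bot: In the PATCH 2/2 hunk `@@ -95,7 +95,7 @@`, switching to `data.dependencies[]["previous-version"]` makes the hyphenated key consistent with `data["pr-title"]`, but the field list is now a mix of three notations (`.name`, `["previous-version"]`, `.version`) and it documents only the read side; the summary example in Section 5 still uses `.["previous-version"]` (with a leading dot), which is also valid jq, so state once which form is canonical so the list and the example do not drift apart.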