From 6e89c08e8264e4573a2a14304d61fd75d8f173af Mon Sep 17 00:00:00 2001 From: vnz <1267662+vnz@users.noreply.github.com> Date: Sat, 24 Jan 2026 11:09:25 +0100 Subject: [PATCH 1/2] fix(dependabot): correct CLI behavior docs and improve skill instructions Based on real-world testing, the skill had several misconceptions about how the Dependabot CLI works: Fixes: - CLI outputs JSON, never modifies files directly (was incorrectly stated) - `--local .` means "use local source" not "dry-run mode" - Added section 5 explaining how to parse JSON output - Clarified that changes must be applied manually via Edit tool - Updated section 8 with correct apply workflow - Fixed Important Notes with accurate CLI behavior Bump version to 1.1.0 Co-Authored-By: Claude Opus 4.5 --- .claude-plugin/marketplace.json | 2 +- plugins/dependabot/.claude-plugin/plugin.json | 2 +- plugins/dependabot/README.md | 11 ++- plugins/dependabot/skills/dependabot.md | 77 ++++++++++++------- 4 files changed, 56 insertions(+), 36 deletions(-) diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json index 358b1cc..d19831f 100644 --- a/.claude-plugin/marketplace.json +++ b/.claude-plugin/marketplace.json @@ -29,7 +29,7 @@ { "name": "dependabot", "description": "Check for dependency updates using Dependabot CLI with auto-detection of package managers", - "version": "1.0.0", + "version": "1.1.0", "source": "./plugins/dependabot", "category": "development", "author": { diff --git a/plugins/dependabot/.claude-plugin/plugin.json b/plugins/dependabot/.claude-plugin/plugin.json index 065f782..e3d9e34 100644 --- a/plugins/dependabot/.claude-plugin/plugin.json +++ b/plugins/dependabot/.claude-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "dependabot", - "version": "1.0.0", + "version": "1.1.0", "description": "Check for dependency updates using Dependabot CLI with auto-detection of package managers", "license": "MIT", "author": { 
diff --git a/plugins/dependabot/README.md b/plugins/dependabot/README.md index de9a36f..7054371 100644 --- a/plugins/dependabot/README.md +++ b/plugins/dependabot/README.md @@ -76,17 +76,16 @@ gh auth login ## How It Works -The Dependabot CLI runs locally against your repository: +The Dependabot CLI outputs JSON describing available updates (it never modifies files directly): ```bash -# Dry-run mode (check for updates) LOCAL_GITHUB_ACCESS_TOKEN=$(gh auth token) dependabot update --local . - -# Apply mode (modify files) -LOCAL_GITHUB_ACCESS_TOKEN=$(gh auth token) dependabot update ``` -The `--local .` flag runs in dry-run mode, showing what would be updated without making changes. +- The `--local .` flag means "use local filesystem as source" (avoids cloning from GitHub) +- Output is JSON lines containing `create_pull_request` events with update details +- Claude parses the JSON and applies changes using the Edit tool +- Output can be large (40KB+) - relevant data is in `create_pull_request` events ## Links diff --git a/plugins/dependabot/skills/dependabot.md b/plugins/dependabot/skills/dependabot.md index b4d0001..e42372e 100644 --- a/plugins/dependabot/skills/dependabot.md +++ b/plugins/dependabot/skills/dependabot.md @@ -87,7 +87,7 @@ If a specific ecosystem was requested but not detected: ## 4. Run Dependabot Updates -For each ecosystem to scan, run the Dependabot CLI in local mode: +For each ecosystem to scan, run the Dependabot CLI: ```bash # Get the repository name dynamically 
@@ -99,49 +99,63 @@ Where `` is the CLI ecosystem value (e.g., `npm_and_yarn`, `terraform **Run ecosystems serially** (one at a time) to avoid output confusion. -**Parse the output** for: -- Updated dependencies (look for table rows showing version changes) -- Security updates (vulnerabilities fixed) -- "No update needed" messages +**Understanding the output:** +- The CLI outputs **JSON lines** (one JSON object per line), NOT human-readable tables +- The CLI **never modifies files directly** - it only outputs data describing what would change +- The `--local .` flag means "use local filesystem as source" (not "dry-run") +- Output can be very large (40KB+) - it may be truncated -## 5. Present Results +## 5. Parse Results from JSON Output + +The CLI outputs multiple JSON objects. Look for `create_pull_request` events to find updates: + +```bash +# Filter for PR creation events (these contain the updates) + | grep '"type":"create_pull_request"' +``` + +Each `create_pull_request` event contains: +- `dependencies[].name` - Package name +- `dependencies[].previous-version` - Current version +- `dependencies[].version` - Available version +- `pr-title` - Suggested PR title +- `updated-dependency-files[]` - The actual file changes to apply + +If no `create_pull_request` events are found, or only `mark_as_processed` appears, there are no updates. + +## 6. Present Results Summarize findings in a clear format: ``` ## Dependabot Scan Results -### npm_and_yarn +### github_actions | Dependency | Current | Available | Type | |------------|---------|-----------|------| -| lodash | 4.17.20 | 4.17.21 | security | -| express | 4.18.0 | 4.18.2 | update | +| actions/checkout | v4 | v6 | update | +| extractions/setup-just | v2 | v3 | update | -### terraform +### npm_and_yarn No updates available. 
- -### github_actions -| Action | Current | Available | Type | -|--------|---------|-----------|------| -| actions/checkout | v3 | v4 | update | ``` If no updates are found across all ecosystems: > "All dependencies are up-to-date!" -## 6. Offer PR Creation +## 7. Offer PR Creation If updates were found, ask the user: > "Would you like to apply these updates and create a PR?" -**If yes, ask about PR strategy:** +**If yes, and multiple ecosystems have updates, ask about PR strategy:** > "How would you like to organize the updates?" > 1. **One PR per ecosystem** - Separate PRs for npm, terraform, etc. > 2. **Single combined PR** - All updates in one PR -## 7. Apply Updates and Create PR(s) +## 8. Apply Updates and Create PR(s) Based on user's choice: @@ -153,16 +167,21 @@ Based on user's choice: # or for combined: dependabot/all-updates ``` -2. **Run dependabot update without --local** to apply changes: - ```bash - REPO=$(gh repo view --json owner,name --jq '.owner.login + "/" + .name') - LOCAL_GITHUB_ACCESS_TOKEN=$(gh auth token) dependabot update "$REPO" - ``` - Note: The non-local mode modifies files in place. +2. **Apply changes manually:** + The CLI doesn't modify files - you must apply the changes yourself. + + From the `create_pull_request` JSON events, extract the `updated-dependency-files` array. + Each entry contains: + - `name` - The file path (e.g., `.github/workflows/ci.yml`) + - `content` - The new file content + - `directory` - The directory (usually `/`) + + Use the Edit tool to update each file with the new content, or apply targeted edits + based on the `dependencies` array showing old → new versions. 3. **Stage and commit changes:** ```bash - git add -A + git add git commit -m "chore(deps): update dependencies Updated by Dependabot CLI @@ -178,7 +197,7 @@ Based on user's choice: - Dependency updates detected by Dependabot CLI ## Updates - + ## Test plan - [ ] Verify build passes 
@@ -193,7 +212,9 @@ Based on user's choice: ## Important Notes - Always use `gh auth token` for authentication - never ask for tokens directly -- The `--local .` flag runs in dry-run mode showing what would update -- Without `--local`, dependabot modifies files directly +- The CLI **outputs JSON describing changes** - it never modifies files directly +- The `--local .` flag means "use local directory as repo source" (avoids cloning from GitHub) +- Without `--local`, the CLI clones from GitHub but still doesn't modify your local files - Some ecosystems may require additional configuration (e.g., private registries) - If dependabot fails for an ecosystem, report the error and continue with others +- JSON output can be 40KB+ - grep for `create_pull_request` to find relevant data From 48f3d7fb672d49667fddc2f9e619997fe094b194 Mon Sep 17 00:00:00 2001 From: vnz <1267662+vnz@users.noreply.github.com> Date: Sat, 24 Jan 2026 11:13:54 +0100 Subject: [PATCH 2/2] fix: remove Type column from example table The Type column (update/security) isn't directly available in the standard JSON output, so removed it to avoid confusion. Co-Authored-By: Claude Opus 4.5 --- plugins/dependabot/skills/dependabot.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/dependabot/skills/dependabot.md b/plugins/dependabot/skills/dependabot.md index e42372e..6309f84 100644 --- a/plugins/dependabot/skills/dependabot.md +++ b/plugins/dependabot/skills/dependabot.md @@ -131,10 +131,10 @@ Summarize findings in a clear format: ## Dependabot Scan Results ### github_actions -| Dependency | Current | Available | Type | -|------------|---------|-----------|------| -| actions/checkout | v4 | v6 | update | -| extractions/setup-just | v2 | v3 | update | +| Dependency | Current | Available | +|------------|---------|-----------| +| actions/checkout | v4 | v6 | +| extractions/setup-just | v2 | v3 | ### npm_and_yarn No updates available.
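Review bot: the README's new command line `LOCAL_GITHUB_ACCESS_TOKEN=$(gh auth token) dependabot update --local .` passes no repository argument, while the skill's section 4 (the "Get the repository name dynamically" context in the later hunk) still derives one with `gh repo view` and the removed block shows the `dependabot update "$REPO"` form. Either show the same `"$REPO"` invocation in the README or add a sentence saying why it is not needed with `--local .`, so the two documents do not contradict each other again.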
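Review bot: in section 5 the filter `| grep '"type":"create_pull_request"'` only matches when the key and value are written with no whitespace between them, and the bullet just above says the output may be truncated at 40KB+, so a grep over a truncated capture can silently drop or split the last event. Suggest redirecting the CLI output to a file first (for example `> dependabot-output.jsonl`) and selecting events with a JSON-aware filter such as `jq -c 'select(.type == "create_pull_request")' dependabot-output.jsonl`, which tolerates formatting differences and fails loudly on a cut-off line instead of returning a partial object.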
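Review bot: step 2 of section 8 has the reader write `content` from each `updated-dependency-files` entry into the file named by `directory` plus `name`, but nothing validates those paths. Add a sentence that the resolved path must stay inside the repository and should be one of the manifest or lockfile paths detected in the earlier steps before the Edit tool touches it, and note that `content` is the whole new file, so the edit overwrites rather than patches. The switch from `git add -A` to an explicit file list is the right call for the same reason: only the files named in the events should be staged, not whatever else happens to be modified in the working tree.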
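Review bot: the Important Notes bullet "Without `--local`, the CLI clones from GitHub but still doesn't modify your local files", the README's "it never modifies files directly" and the section 4 bullet "The CLI **never modifies files directly**" are one claim stated in three places; this patch exists because the earlier wording drifted, so keep the authoritative sentence in Important Notes and have the other two refer to it rather than restate it. The last bullet ("grep for `create_pull_request`") likewise duplicates section 5 and should point there.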
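Review bot: removing the Type column in patch 2/2 fixes the example, but section 6 now gives no indication of whether an update addresses a vulnerability, and the commit message confirms that information is not in the standard JSON output. Add one sentence to section 6 stating that the table does not distinguish security updates from routine version bumps, so a user does not read a table of plain updates as "no security fixes pending".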