From 0744c2a106fc6d1a63a80be5195ff6e84dd44519 Mon Sep 17 00:00:00 2001 From: vnz <1267662+vnz@users.noreply.github.com> Date: Mon, 26 Jan 2026 11:19:47 +0100 Subject: [PATCH 1/2] docs(dependabot): improve skill clarity based on real-world usage v1.2.0 - Add 2>&1 to command example and explain stdout/stderr mixing - Make "no updates" detection more prominent with clear indicators - Add branch cleanup command for re-runs - Clarify --local flag purpose (prevents GitHub clone, not dry-run) Co-Authored-By: Claude Opus 4.5 --- .claude-plugin/marketplace.json | 2 +- plugins/dependabot/.claude-plugin/plugin.json | 2 +- plugins/dependabot/skills/dependabot.md | 14 +++++++++++--- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json index d19831f..bfa89bb 100644 --- a/.claude-plugin/marketplace.json +++ b/.claude-plugin/marketplace.json @@ -29,7 +29,7 @@ { "name": "dependabot", "description": "Check for dependency updates using Dependabot CLI with auto-detection of package managers", - "version": "1.1.0", + "version": "1.2.0", "source": "./plugins/dependabot", "category": "development", "author": { diff --git a/plugins/dependabot/.claude-plugin/plugin.json b/plugins/dependabot/.claude-plugin/plugin.json index e3d9e34..6adb08e 100644 --- a/plugins/dependabot/.claude-plugin/plugin.json +++ b/plugins/dependabot/.claude-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "dependabot", - "version": "1.1.0", + "version": "1.2.0", "description": "Check for dependency updates using Dependabot CLI with auto-detection of package managers", "license": "MIT", "author": { diff --git a/plugins/dependabot/skills/dependabot.md b/plugins/dependabot/skills/dependabot.md index 6309f84..0f157a4 100644 --- a/plugins/dependabot/skills/dependabot.md +++ b/plugins/dependabot/skills/dependabot.md 
@@ -92,7 +92,7 @@ For each ecosystem to scan, run the Dependabot CLI: ```bash # Get the repository name dynamically REPO=$(gh repo view --json owner,name --jq '.owner.login + "/" + .name') -LOCAL_GITHUB_ACCESS_TOKEN=$(gh auth token) dependabot update "$REPO" --local . +LOCAL_GITHUB_ACCESS_TOKEN=$(gh auth token) dependabot update "$REPO" --local . 2>&1 ``` Where `` is the CLI ecosystem value (e.g., `npm_and_yarn`, `terraform`, `github_actions`). @@ -102,8 +102,9 @@ Where `` is the CLI ecosystem value (e.g., `npm_and_yarn`, `terraform **Understanding the output:** - The CLI outputs **JSON lines** (one JSON object per line), NOT human-readable tables - The CLI **never modifies files directly** - it only outputs data describing what would change -- The `--local .` flag means "use local filesystem as source" (not "dry-run") +- The `--local .` flag means "use local filesystem as source" — this prevents the CLI from cloning from GitHub and instead uses your working directory (it's NOT a "dry-run" flag) - Output can be very large (40KB+) - it may be truncated +- **Important:** Use `2>&1` to capture both stdout and stderr, as the CLI mixes log messages (stderr) with JSON output (stdout) ## 5. Parse Results from JSON Output @@ -121,7 +122,11 @@ Each `create_pull_request` event contains: - `pr-title` - Suggested PR title - `updated-dependency-files[]` - The actual file changes to apply -If no `create_pull_request` events are found, or only `mark_as_processed` appears, there are no updates. +**Determining if updates exist:** +- ✅ **Updates found:** One or more `create_pull_request` events in the output +- ❌ **No updates:** Only `mark_as_processed` events appear (no `create_pull_request`) + +This is the definitive way to check — if you grep for `create_pull_request` and get no results, that ecosystem is up-to-date. ## 6. Present Results 
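Review bot: appending `2>&1` to the `dependabot update` line in the `@@ -92,7 +92,7 @@` hunk routes the CLI's stderr log text into the same stream that section 5 parses as JSON lines, so any consumer that treats every line as a JSON object will now fail on the first log line. If the logs are wanted for debugging, keep the streams apart (`... --local . >dependabot.jsonl 2>dependabot.log`); if they must be interleaved, tell the reader to discard non-JSON lines before parsing, for example `jq -Rc 'fromjson?'`, and say so in the same hunk rather than only in the "Understanding the output" bullets.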
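Review bot: the reworded `--local .` bullet in the `@@ -102,8 +102,9 @@` hunk says the flag stops the CLI from cloning from GitHub, yet the command just above it still sets `LOCAL_GITHUB_ACCESS_TOKEN=$(gh auth token)`; a reader will reasonably conclude the token is now redundant and drop it. Add one sentence stating why the token is still required with `--local .`. In the same hunk, "Output can be very large (40KB+) - it may be truncated" does not say what truncates it or what to do about it; since the new **Important** bullet is about capturing everything, recommend redirecting to a file instead of relying on the terminal or tool capture.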
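Review bot: "This is the definitive way to check" in the `@@ -121,7 +122,11 @@` hunk overstates what an empty grep proves: no `create_pull_request` match is also what a failed run produces (bad token, unsupported ecosystem, the truncation the previous section warns about), and reporting "up-to-date" on that evidence silently hides missing updates. Gate the ❌ case on a zero exit status plus at least one `mark_as_processed` event, and treat "no events at all" or a non-zero exit as a failed run, not a clean result. With stderr now merged into the output, also anchor the grep to the JSON field that carries the event type rather than a bare substring, so a log line mentioning `create_pull_request` cannot produce a false positive.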
@@ -163,6 +168,9 @@ Based on user's choice: 1. **Create a feature branch:** ```bash + # If branch already exists from a previous run, delete it first: + git branch -D dependabot/-updates 2>/dev/null || true + git checkout -b dependabot/-updates # or for combined: dependabot/all-updates ``` From 06adfd984eb586c219c88d2db1c9d3f3fea134b4 Mon Sep 17 00:00:00 2001 From: vnz <1267662+vnz@users.noreply.github.com> Date: Mon, 26 Jan 2026 15:54:52 +0100 Subject: [PATCH 2/2] fix(dependabot): address skill review findings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Fix Claude Code URL (.ai → .com) - Improve description with natural trigger phrases for better skill matching - Add branch sync step (checkout main && pull) before creating feature branch Co-Authored-By: Claude Opus 4.5 --- plugins/dependabot/skills/dependabot.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/plugins/dependabot/skills/dependabot.md b/plugins/dependabot/skills/dependabot.md index 0f157a4..f130742 100644 --- a/plugins/dependabot/skills/dependabot.md +++ b/plugins/dependabot/skills/dependabot.md @@ -1,5 +1,5 @@ --- -description: Check for dependency updates using Dependabot CLI. Trigger with "use dependabot" to scan all ecosystems or "use dependabot for " for a specific one (e.g., terraform, npm, github-actions). +description: This skill should be used when the user asks to "check dependencies", "find outdated packages", "scan for updates", "use dependabot", "run dependabot", "check for security updates", "what needs updating", or requests dependency scanning for specific ecosystems like npm, terraform, or github-actions. Supports scanning all ecosystems or specific ones with "use dependabot for ". --- # Dependabot Update Skill 
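Review bot: `git branch -D dependabot/-updates 2>/dev/null || true` in the `@@ -163,6 +168,9 @@` hunk force-deletes the previous run's branch even when it holds unmerged, unpushed commits, and the `|| true` hides every failure including the one that matters: if that branch is the one currently checked out, `-D` fails silently and the following `git checkout -b` fails as well. Prefer `git branch -d` (which refuses to delete unmerged work) and instruct the agent to confirm with the user before escalating to `-D`, and make the step run from a different branch so the checked-out case cannot occur.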
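Review bot: the new trigger phrase "check for security updates" in the frontmatter `description` hunk promises something the rest of the skill does not deliver: the command in step 4 runs `dependabot update` for version updates, and nothing in the fields step 5 parses (`pr-title`, `updated-dependency-files[]`) identifies an update as security-driven. Either drop that phrase or add a step that flags which `create_pull_request` events are security updates, so a user who asks specifically about security updates is not answered on the basis of version updates alone.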
@@ -168,6 +168,9 @@ Based on user's choice: 1. **Create a feature branch:** ```bash + # Ensure main is up-to-date before branching + git checkout main && git pull origin main + # If branch already exists from a previous run, delete it first: git branch -D dependabot/-updates 2>/dev/null || true @@ -212,7 +215,7 @@ Based on user's choice: - [ ] Verify tests pass - [ ] Review changelog for breaking changes - 🤖 Generated with [Claude Code](https://claude.ai/claude-code)" + 🤖 Generated with [Claude Code](https://claude.com/claude-code)" ``` 5. **Return to original branch** after PR creation.
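Review bot: `git checkout main && git pull origin main` in the `@@ -168,6 +168,9 @@` hunk hard-codes both the default branch and the remote name, so the step fails on repositories whose default branch is `master` or `develop` or whose remote is not `origin`, and a plain `git pull` can create a merge commit if local `main` has diverged. Derive the branch the same way the skill already derives `REPO` (`gh repo view --json defaultBranchRef --jq '.defaultBranchRef.name'`) and pull with `--ff-only`. `git checkout main` also aborts when the working tree has uncommitted changes; since step 5 expects to return to the original branch afterwards, document that the tree must be clean (or stashed) before this step runs.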