|
| 1 | +--- |
| 2 | +name: dep-review |
| 3 | +description: > |
| 4 | + Review a Dependabot PR for breaking changes, gotchas, and required code |
| 5 | + updates. Usage: /dep-review <PR number or URL> |
| 6 | +user-invocable: true |
| 7 | +argument-hint: "<PR # or URL>" |
| 8 | +allowed-tools: |
| 9 | + - Bash |
| 10 | + - Read |
| 11 | + - Edit |
| 12 | + - Write |
| 13 | + - Glob |
| 14 | + - Grep |
| 15 | + - Agent |
| 16 | + - WebFetch |
| 17 | +--- |
| 18 | + |
| 19 | +# Dependency Update Review |
| 20 | + |
| 21 | +Review a Dependabot pull request to evaluate the dependency update for breaking |
| 22 | +changes, deprecations, and required code modifications. |
| 23 | + |
| 24 | +## Input |
| 25 | + |
| 26 | +Parse `$ARGUMENTS` for a PR reference: |
| 27 | +- `#803` or `803` — PR number |
| 28 | +- `https://github.com/code-payments/code-android-app/pull/803` — full URL (extract the number) |
| 29 | + |
| 30 | +If no argument is provided, stop and ask the user for a PR number. |
| 31 | + |
| 32 | +## Steps |
| 33 | + |
| 34 | +### Step 1 — Fetch PR details |
| 35 | + |
| 36 | +```bash |
| 37 | +gh pr view <number> --repo code-payments/code-android-app --json title,body,files,headRefName,baseRefName,diff |
| 38 | +``` |
| 39 | + |
| 40 | +Extract: |
| 41 | +- **Title** — Dependabot titles follow: `Bump <group-or-artifact> from X.Y.Z to A.B.C` |
| 42 | +- **Body** — Contains Dependabot's auto-generated release notes, changelog links, and compatibility scores |
| 43 | +- **Changed files** — Typically `gradle/libs.versions.toml` and possibly `build.gradle.kts` files |
| 44 | +- **Diff** — The actual version change |
| 45 | + |
| 46 | +If the PR is not a Dependabot PR (author is not `dependabot[bot]` or title doesn't match the pattern), warn the user but continue — they may want to review a manual dependency bump. |
| 47 | + |
| 48 | +### Step 2 — Parse the version change |
| 49 | + |
| 50 | +From the diff of `gradle/libs.versions.toml`, identify: |
| 51 | +- **Catalog key** — the version alias (e.g., `grpc = "1.68.0"` → `grpc`) |
| 52 | +- **Old version** — the version being replaced |
| 53 | +- **New version** — the version being introduced |
| 54 | +- **Affected libraries** — all `[libraries]` entries that reference this version alias |
| 55 | + |
| 56 | +If multiple versions are bumped (grouped Dependabot PR), repeat the analysis for each. |
| 57 | + |
| 58 | +Present a summary table: |
| 59 | + |
| 60 | +| Catalog Key | Library | Old Version | New Version | Bump Type | |
| 61 | +|-------------|---------|-------------|-------------|-----------| |
| 62 | +| `grpc` | `io.grpc:grpc-okhttp` | 1.68.0 | 1.69.0 | minor | |
| 63 | + |
| 64 | +**Bump type** classification: |
| 65 | +- **patch** (0.0.x) — bug fixes, lowest risk |
| 66 | +- **minor** (0.x.0) — new features, backward compatible |
| 67 | +- **major** (x.0.0) — potential breaking changes, highest risk |
| 68 | + |
| 69 | +### Step 3 — Fetch release notes / changelog |
| 70 | + |
| 71 | +For each dependency being bumped: |
| 72 | + |
| 73 | +1. Check the Dependabot PR body for embedded release notes and changelog links |
| 74 | +2. If the PR body contains a GitHub releases link or compare link, fetch it: |
| 75 | + ```bash |
| 76 | + gh api repos/<owner>/<repo>/releases/tags/v<new_version> --jq '.body' 2>/dev/null |
| 77 | + ``` |
| 78 | +3. If no GitHub release exists, try the changelog compare URL from the PR body using `WebFetch` |
| 79 | +4. If no release notes are available, note this and proceed with extra caution |
| 80 | + |
| 81 | +Summarize the release notes, highlighting: |
| 82 | +- **Breaking changes** or migration requirements |
| 83 | +- **Deprecated APIs** that may affect the codebase |
| 84 | +- **Behavioral changes** that could silently break things |
| 85 | +- **New features** worth noting |
| 86 | + |
| 87 | +### Step 4 — Analyze codebase impact |
| 88 | + |
| 89 | +Use the `dependency-impact` agent to trace the library's usage: |
| 90 | + |
| 91 | +``` |
| 92 | +Analyze the impact of updating <library> from <old> to <new> in this project. |
| 93 | +Focus on: |
| 94 | +1. Which modules depend on this library (direct, convention plugin, transitive) |
| 95 | +2. Which specific APIs from this library are used in the codebase |
| 96 | +3. Whether any deprecated APIs flagged in the release notes are in use |
| 97 | +4. Any code that might break based on the changelog |
| 98 | +Do NOT make any code changes — research only. |
| 99 | +``` |
| 100 | + |
| 101 | +### Step 5 — Evaluate and report |
| 102 | + |
| 103 | +Compile findings into a structured assessment: |
| 104 | + |
| 105 | +--- |
| 106 | + |
| 107 | +## Dependency Update Assessment |
| 108 | + |
| 109 | +### Overview |
| 110 | +| Field | Value | |
| 111 | +|-------|-------| |
| 112 | +| PR | #NNN | |
| 113 | +| Library | `group:artifact` | |
| 114 | +| Version | `X.Y.Z` → `A.B.C` | |
| 115 | +| Bump type | patch / minor / major | |
| 116 | +| Risk | Low / Medium / High | |
| 117 | + |
| 118 | +### Release Highlights |
| 119 | +- Key changes from release notes (bulleted) |
| 120 | + |
| 121 | +### Breaking Changes |
| 122 | +List any breaking changes from the release notes and whether they affect this project. |
| 123 | +If none, state: "No breaking changes identified." |
| 124 | + |
| 125 | +### Deprecations |
| 126 | +List any deprecated APIs that the codebase currently uses. |
| 127 | +If none, state: "No deprecated API usage found." |
| 128 | + |
| 129 | +### Behavioral Changes |
| 130 | +Note any behavioral changes that could silently affect the app. |
| 131 | +If none, state: "No behavioral changes of concern." |
| 132 | + |
| 133 | +### Affected Modules |
| 134 | +Table of modules that depend on this library. |
| 135 | + |
| 136 | +### Code Changes Required |
| 137 | +If code changes are needed: |
| 138 | +- **File**: `path/to/file.kt:NN` |
| 139 | +- **Change**: Description of what needs to change |
| 140 | +- **Reason**: Why this change is necessary |
| 141 | + |
| 142 | +If no code changes are needed, state: "No code changes required — safe to merge as-is." |
| 143 | + |
| 144 | +### Recommended Test Plan |
| 145 | +```bash |
| 146 | +./gradlew :affected:module:test |
| 147 | +``` |
| 148 | + |
| 149 | +### Verdict |
| 150 | +**APPROVE** / **APPROVE WITH CHANGES** / **INVESTIGATE FURTHER** |
| 151 | + |
| 152 | +- APPROVE — No breaking changes, no deprecated usage, safe to merge |
| 153 | +- APPROVE WITH CHANGES — Merge-safe but requires code modifications (list them) |
| 154 | +- INVESTIGATE FURTHER — Risky bump, needs manual testing or deeper review |
| 155 | + |
| 156 | +--- |
| 157 | + |
| 158 | +### Step 6 — Propose code changes (if needed) |
| 159 | + |
| 160 | +If the verdict is **APPROVE WITH CHANGES**: |
| 161 | + |
| 162 | +1. Show the user each required change with a before/after diff |
| 163 | +2. Ask the user if they want to apply the changes |
| 164 | +3. If confirmed, check out the PR branch and apply the modifications: |
| 165 | + ```bash |
| 166 | + gh pr checkout <number> |
| 167 | + ``` |
| 168 | +4. Make the code changes using Edit |
| 169 | +5. Offer to commit with: |
| 170 | + ``` |
| 171 | + fix(deps): adapt to <library> <new_version> API changes |
| 172 | + ``` |
| 173 | + |
| 174 | +## Never |
| 175 | + |
| 176 | +- Auto-merge a PR without user approval |
| 177 | +- Make code changes without showing them first |
| 178 | +- Skip the release notes check — even for patch bumps, behavioral changes happen |
| 179 | +- Dismiss a major version bump as low risk without evidence |
| 180 | +- Push changes to the PR branch without explicit user confirmation |
0 commit comments