m4r71n|5 months ago
I can imagine an agentic loop that updates dependencies à la Dependabot/Renovate-style by going through the changelog of a new version, reviewing new code changes, and evaluating whether it's worth it to upgrade (or even dangerous to do so, either from a stability or security point of view). Too often these tools are used to blindly respin builds with the latest and greatest versions, which is what gets most people in trouble when their NPM deps become malicious.
tinodb|5 months ago
—
You are going to create a summary of the important changes for a PR created by dependabot:
1. Read the body of PR $ARGUMENTS with the `gh` cmdline tool.
2. Create a todo list for yourself for each package in PLAN.md.
3. For each todo, read the releases page(s) (add /releases to the github repo url) to cover the update range.
4. Summarize breaking changes and CVE updates, see template at the end. Grouped into Dev Dependencies and Production Dependencies.
5. For production dependencies, find code usages (with `rg`/`grep`) and determine if breaking changes will affect us. Add a list of all found usages, linking to the direct line on github (like https://github.com/solarmonkey/app/blob/master/frontend/some...). Finish each with a verdict: unsure/likely OK/*may break*/*SURELY BREAKING*!
6. Fill the table up top with the verdicts.
7. Write the filled out template to `deps_update_analysis.md`. Don't add a final summary or conclusive thoughts. The template is all we need.
[snip template to fill]
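The mechanical steps of that prompt (pull package and version range out of the Dependabot PR body, derive the `/releases` URL for the range, grep the tree for import sites, pre-fill the verdict table) as an added Python sketch. This is not tinodb's code, not Dependabot's, and not the snipped template: the PR body, the in-memory source tree standing in for `rg`, the dev-dependency set, the blob URL base and the report layout are all constructed assumptions. Reading the release notes and replacing the `unsure` placeholder with a real verdict is the part that stays with the reviewer (or the agent).

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a grouped Dependabot PR body (real one: `gh pr view N --json body`).
SAMPLE_PR_BODY = """Bumps the npm_and_yarn group with 2 updates: [axios](https://github.com/axios/axios) and [eslint](https://github.com/eslint/eslint).

Updates `axios` from 1.6.7 to 1.7.4
- [Release notes](https://github.com/axios/axios/releases)

Updates `eslint` from 8.57.0 to 9.9.0
- [Release notes](https://github.com/eslint/eslint/releases)
"""

# Constructed stand-in for the checkout that `rg`/`grep` would scan: path -> file contents.
SAMPLE_TREE = {
    "frontend/src/api/client.ts": "import axios from 'axios';\nexport const http = axios.create({ baseURL: '/api' });\n",
    "frontend/src/util/retry.ts": "const { isAxiosError } = require('axios');\nexport const retryable = (e: unknown) => isAxiosError(e);\n",
    "frontend/.eslintrc.js": "module.exports = { extends: ['eslint:recommended'] };\n",
}

DEV_DEPS = {"eslint"}  # assumption; in practice read package.json devDependencies
BLOB_BASE = "https://github.com/example/app/blob/main/"  # hypothetical repo for deep links

REPO_LINK = re.compile(r"\[(?P<name>[^\]]+)\]\((?P<url>https://github\.com/[^)\s]+)\)")
# Single-package body: "Bumps [pkg](url) from X to Y."
SINGLE = re.compile(r"^Bumps \[(?P<name>[^\]]+)\]\((?P<url>[^)]+)\) from (?P<old>\S+) to (?P<new>\S+)\.", re.M)
# Grouped body: one "Updates `pkg` from X to Y" line per package.
GROUPED = re.compile(r"^Updates `(?P<name>[^`]+)` from (?P<old>\S+) to (?P<new>\S+)", re.M)


@dataclass
class Update:
    name: str
    repo_url: str
    old: str
    new: str
    usages: list = field(default_factory=list)

    @property
    def releases_url(self):
        # Step 3 of the prompt: append /releases to the repo URL.
        return self.repo_url.rstrip("/") + "/releases"

    @property
    def kind(self):
        return "Dev Dependencies" if self.name in DEV_DEPS else "Production Dependencies"


def parse_dependabot_body(body):
    """Return one Update per bumped package, for single and grouped PR bodies."""
    repos = {m["name"]: m["url"] for m in REPO_LINK.finditer(body)}
    updates = [Update(m["name"], m["url"], m["old"], m["new"]) for m in SINGLE.finditer(body)]
    updates += [Update(m["name"], repos.get(m["name"], ""), m["old"], m["new"]) for m in GROUPED.finditer(body)]
    return updates


def find_usages(package, tree, blob_base=BLOB_BASE):
    """Import/require sites only (like `rg -n "from '<pkg>'|require\\('<pkg>'\\)"`), not every mention."""
    pat = re.compile(rf"""(?:from\s+['"]{re.escape(package)}(?:/[^'"]*)?['"]|require\(\s*['"]{re.escape(package)}(?:/[^'"]*)?['"]\s*\))""")
    hits = []
    for path, text in tree.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if pat.search(line):
                hits.append((path, lineno, line.strip(), f"{blob_base}{path}#L{lineno}"))
    return hits


def analyze(body, tree):
    updates = parse_dependabot_body(body)
    for u in updates:
        if u.kind == "Production Dependencies":  # step 5 applies to production deps only
            u.usages = find_usages(u.name, tree)
    return updates


def render_report(updates):
    """Assumed template layout: verdict table up top, then per-group sections with links to usages."""
    lines = ["| Package | From | To | Type | Verdict |", "|---|---|---|---|---|"]
    for u in updates:
        lines.append(f"| {u.name} | {u.old} | {u.new} | {u.kind} | unsure |")  # reviewer replaces 'unsure'
    for kind in ("Production Dependencies", "Dev Dependencies"):
        group = [u for u in updates if u.kind == kind]
        if not group:
            continue
        lines += ["", f"## {kind}"]
        for u in group:
            lines += ["", f"### {u.name} {u.old} -> {u.new}", f"Releases to read: {u.releases_url}"]
            for path, lineno, line, link in u.usages:
                lines.append(f"- [{path}:{lineno}]({link}) `{line}`")
    return "\n".join(lines)


if __name__ == "__main__":
    # Step 7 would write this to deps_update_analysis.md; printed here to stay side-effect free.
    print(render_report(analyze(SAMPLE_PR_BODY, SAMPLE_TREE)))
```

The point of keeping the verdict column as a literal `unsure` is that nothing in this script has read a changelog: the deterministic plumbing is cheap to automate, and the judgement the prompt asks for is exactly the part that should not be pre-filled by a regex.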
tptacek|5 months ago
m4r71n|5 months ago