generated from StabilityNexus/Template-Repo
Overview
Instead of ignoring PRs opened by dependency bots (Dependabot, Renovate, etc.), CodeRabbit should be configured to perform a thorough, structured analysis of dependency update PRs. This issue tracks adding dedicated path_instructions and auto_review guidance for bot-opened PRs.
Backlink: #90 (comment) (requested by @kpj2006)
Proposed Change
Update .coderabbit.yaml to add targeted review instructions for dependency update files (e.g., package.json, requirements.txt, go.mod, pyproject.toml, etc.) so that CodeRabbit performs deep compatibility analysis when bots update dependencies.
Suggested path_instructions Addition
```yaml
path_instructions:
  - path: >-
      **/{package.json,package-lock.json,yarn.lock,requirements.txt,Pipfile,Pipfile.lock,pyproject.toml,poetry.lock,go.mod,go.sum,Cargo.toml,Cargo.lock,pom.xml,build.gradle,*.gemspec,Gemfile,Gemfile.lock}
    instructions: |
      This file may be modified by a dependency bot (e.g., Dependabot, Renovate).
      Perform a structured dependency upgrade analysis:

      **1. Version Change Assessment**
      - Identify all version bumps (major, minor, patch) and flag major/minor upgrades explicitly.
      - Check the official release notes, changelog, or migration guide for each upgraded package.

      **2. Breaking Change Detection**
      - Breaking changes: removed or renamed APIs, changed function signatures, altered behavior.
      - Deprecated APIs: warn if the codebase uses anything deprecated in the new version.
      - Configuration changes: new required env vars, config keys, or file structure changes.
      - Security fixes: highlight CVE patches and confirm they address known vulnerabilities.

      **3. Codebase Compatibility Check**
      - Locate all files in the repo that import or use the upgraded dependency.
      - For each usage, verify:
        - No removed or renamed imports/functions are referenced.
        - Constructor/function call signatures are compatible.
        - Any default behavior changes do not silently break existing logic.

      **4. Risk Analysis**
      - Runtime errors: type mismatches, missing attributes, changed return types.
      - API incompatibility: breaking interface/type changes (critical for TypeScript).
      - Logical bugs: subtle behavior changes that don't throw errors but alter outcomes.
      - Performance regressions: flag if release notes mention perf impacts.

      **5. Edge Cases to Verify**
      - Backward compatibility with currently pinned peer dependencies.
      - Changes in default behavior or environment assumptions.
      - Peer requirement conflicts introduced by the new version.
      - For TypeScript: type/interface changes that may require type assertion updates.

      **6. Migration Guidance**
      - If official docs provide migration steps, summarize the required changes and flag
        specific files in this repo that need updates.
      - If no migration is required, confirm this explicitly.

      Conclude with a **risk level**: Low / Medium / High, with justification.
```

Acceptance Criteria
- `.coderabbit.yaml` updated with the above `path_instructions` block for dependency manifests.
- The instructions cover all major package managers used in AOSSIE projects (Node, Python, Go, Rust, Java, Ruby).
- The `template-sync.yml` workflow propagates the updated config to child repos.
- Verified that Dependabot/Renovate PRs trigger CodeRabbit with the enhanced instructions.
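As an added illustration of step 1 (Version Change Assessment) and the closing risk verdict, not part of this issue or of CodeRabbit's own tooling: a small Python script that compares the before/after snapshots of a manifest the way a reviewer would, labels each bump major/minor/patch, and derives a Low/Medium/High verdict. The manifests are constructed sample data, and the risk mapping (any major bump, added, removed or unparsable version is High; any minor bump is Medium; otherwise Low) is an assumption made here, not a CodeRabbit rule.

```python
"""Classify dependency bumps between two manifest snapshots (added example).

Handles package.json (dependencies/devDependencies/peerDependencies) and
requirements.txt with '==' pins. All sample manifests below are constructed.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Leading range operators (^ ~ >= <) and an optional 'v' are stripped; the patch
# component is optional because Python packages often ship versions like '4.2'.
VERSION_RE = re.compile(r"^[\^~>=<\s]*v?(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


@dataclass
class Change:
    name: str
    old: Optional[str]
    new: Optional[str]
    kind: str  # major | minor | patch | none | added | removed | unknown


def parse_version(spec: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch), or None for specs like '*', 'latest' or git URLs."""
    m = VERSION_RE.match(spec.strip())
    if not m:
        return None
    major, minor, patch, _suffix = m.groups()  # pre-release suffix is ignored
    return (int(major), int(minor), int(patch or 0))


def classify_bump(old_spec: str, new_spec: str) -> str:
    """Label the bump by the highest semver component that changed."""
    old, new = parse_version(old_spec), parse_version(new_spec)
    if old is None or new is None:
        return "unknown"  # cannot bound the change, so treat it as high risk
    if new == old:
        return "none"  # e.g. only the range operator changed
    if new[0] != old[0]:
        return "major"
    if new[1] != old[1]:
        return "minor"
    return "patch"


def package_json_deps(text: str) -> Dict[str, str]:
    data = json.loads(text)
    deps: Dict[str, str] = {}
    for section in ("dependencies", "devDependencies", "peerDependencies"):
        deps.update(data.get(section, {}))
    return deps


def requirements_deps(text: str) -> Dict[str, str]:
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*==\s*(\S+)$", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def compare(old_deps: Dict[str, str], new_deps: Dict[str, str]) -> List[Change]:
    changes: List[Change] = []
    for name in sorted(set(old_deps) | set(new_deps)):
        old_spec, new_spec = old_deps.get(name), new_deps.get(name)
        if old_spec == new_spec:
            continue
        if old_spec is None:
            kind = "added"
        elif new_spec is None:
            kind = "removed"
        else:
            kind = classify_bump(old_spec, new_spec)
        changes.append(Change(name, old_spec, new_spec, kind))
    return changes


def risk_level(changes: List[Change]) -> str:
    """Assumed mapping: anything whose blast radius cannot be bounded is High."""
    kinds = {c.kind for c in changes}
    if kinds & {"major", "added", "removed", "unknown"}:
        return "High"
    if "minor" in kinds:
        return "Medium"
    return "Low"


# Constructed before/after snapshots standing in for a bot PR's diff.
OLD_PACKAGE_JSON = json.dumps({"dependencies": {"express": "^4.18.2", "lodash": "4.17.21"},
                               "devDependencies": {"typescript": "~5.3.3", "jest": "29.7.0"}})
NEW_PACKAGE_JSON = json.dumps({"dependencies": {"express": "^5.0.0", "lodash": "4.17.21"},
                               "devDependencies": {"typescript": "~5.4.2", "jest": "29.7.1"}})
OLD_REQUIREMENTS = "requests==2.31.0\nDjango==4.2  # LTS\n"
NEW_REQUIREMENTS = "requests==2.32.3\nDjango==4.2.11\n"

if __name__ == "__main__":
    for label, old, new in (("package.json", package_json_deps(OLD_PACKAGE_JSON), package_json_deps(NEW_PACKAGE_JSON)),
                            ("requirements.txt", requirements_deps(OLD_REQUIREMENTS), requirements_deps(NEW_REQUIREMENTS))):
        changes = compare(old, new)
        for c in changes:
            print(f"{label}: {c.name} {c.old} -> {c.new} [{c.kind}]")
        print(f"{label}: risk level {risk_level(changes)}")
```

Lockfiles (package-lock.json, poetry.lock, Cargo.lock) carry transitive bumps that a manifest-only comparison like this one will not see; the path glob in the proposed block covers them for that reason.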
References
- CodeRabbit path-based instructions: https://docs.coderabbit.ai/guides/review-instructions
- PR where this was discussed: Add multi-repo analysis configuration guidance to CodeRabbit setup #90