Repo-aware triage of open Dependabot PRs. It applies this repo's hard-won dependency rules (the Expo-SDK-managed lockstep set, the TS6 / Vite8 holds, dev-only security transitives, the mobile-e2e cache interaction) to recommend merge, hold, close or escalate for each PR. Use it when a human says "triage the dependabot PRs" or "look at dependabot PR #NNN". Conservative by default: it only recommends, and merges green minor/patch PRs only when explicitly asked.
84
90%
Does it follow best practices?
Impact
100%
1.17x average score across 2 eval scenarios
Advisory
Suggest reviewing before use
{
  "context": "Tests whether the agent recognises a dev-only transitive security bump as having no production runtime impact, recommends bundling it per the tech-debt plan rather than urgent firefighting, correctly contrasts the production-dependency exception, and stays recommend-only.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Identifies dev-only / no prod impact",
      "description": "Notes that esbuild here is a dev/build-time-only transitive (via drizzle-kit) with no production runtime impact.",
      "max_score": 25
    },
    {
      "name": "Recommends bundling per TD-005",
      "description": "Recommends bundling this dev-only security bump per the tech-debt plan (TD-005) rather than firefighting it as an urgent standalone merge.",
      "max_score": 25
    },
    {
      "name": "Production-dependency exception",
      "description": "States that a security advisory on a PRODUCTION runtime dependency would be the exception — prioritise it (escalate if it needs a major).",
      "max_score": 25
    },
    {
      "name": "Recommend-only, no unilateral action",
      "description": "Frames the output as a recommendation and does not merge the PR without an explicit instruction.",
      "max_score": 25
    }
  ]
}