
matthew-a-carr/triage-dependabot

Repo-aware triage of open Dependabot PRs. Applies this repo's hard-won dependency rules (the Expo-SDK-managed lockstep set, the TS6 / Vite8 holds, dev-only security transitives, the mobile-e2e cache interaction) to recommend merge / hold / close / escalate per PR. Use when a human says "triage the dependabot PRs" or "look at dependabot PR #NNN". Conservative by default: recommends, and only merges green minor/patch PRs when explicitly asked.

Scores: Quality 90% (does it follow best practices?); Impact 100%; 1.17x, average score across 2 eval scenarios. Security by Snyk: Advisory, suggest reviewing before use.

evals/scenario-2/task.md

Triage a Security Update on a Dev-Only Transitive

Problem/Feature Description

You are triaging Dependabot PRs in a Next.js + Expo monorepo that has documented rules for how to handle dependency security updates — apply those rules rather than reacting to the advisory generically.

Open PR:

  • #310 — a Dependabot security update bumping esbuild to patch a moderate-severity advisory. esbuild is pulled in only as a build/test-time transitive (via drizzle-kit); it is not part of the production runtime bundle.

Output Specification

Produce a single file security_triage.md that states your recommendation for #310 with reasoning, and briefly contrasts how you would treat the same advisory if it were on a production runtime dependency instead.
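The decision the task asks for can be written down as a small rule engine. This is an added illustration, not the skill's own code: the lockstep and major-hold lists are constructed placeholders standing in for the repo's documented rules, and the esbuild version numbers for PR #310 are invented.

```python
from dataclasses import dataclass, replace

# Constructed stand-ins for the repo's documented rules; the real lists live in the
# skill's SKILL.md, and these package names are placeholders for illustration.
LOCKSTEP_SET = {"expo", "react-native"}      # bumped only together via an Expo SDK upgrade
HELD_MAJORS = {"typescript": 6, "vite": 8}   # majors the repo is deliberately holding on

@dataclass
class DependabotPR:
    number: int
    package: str
    from_version: str
    to_version: str
    security: bool = False
    severity: str = ""
    runtime: bool = True        # does the package ship in the production bundle?
    transitive_via: str = ""    # direct dependency that pulls it in, if any
    ci_green: bool = False

def major(version: str) -> int:
    return int(version.split(".")[0])

def triage(pr: DependabotPR) -> tuple[str, str]:
    """Return (recommendation, reason); recommendation is merge, hold or escalate."""
    if pr.package in LOCKSTEP_SET:
        return "hold", f"{pr.package} is in the Expo-SDK lockstep set; bump it via an SDK upgrade"
    held = HELD_MAJORS.get(pr.package)
    if held is not None and major(pr.to_version) >= held:
        return "hold", f"{pr.package} {pr.to_version} crosses the documented major-version hold"
    if pr.security and pr.runtime:
        return "escalate", f"{pr.severity} advisory on runtime dependency {pr.package}; a human must confirm exposure and ship the fix"
    if pr.security:
        return ("merge" if pr.ci_green else "hold",
                f"{pr.severity} advisory on dev-only {pr.package} (via {pr.transitive_via}); not in the runtime bundle, so low urgency: merge once CI is green")
    if major(pr.to_version) > major(pr.from_version):
        return "escalate", "non-security major bump; needs human review"
    return ("merge" if pr.ci_green else "hold", "minor/patch bump; merge only when CI is green")

def security_triage_md(pr: DependabotPR) -> str:
    """Render the recommendation plus the runtime-dependency contrast the task asks for."""
    rec, why = triage(pr)
    alt_rec, alt_why = triage(replace(pr, runtime=True, transitive_via=""))
    return (f"# PR #{pr.number}: {pr.package} {pr.from_version} -> {pr.to_version}\n\n"
            f"**Recommendation:** {rec}\n\n{why}\n\n"
            f"**If this were a production runtime dependency:** {alt_rec}\n\n{alt_why}\n")

# Constructed instance of the page's PR #310; the version numbers are invented.
PR_310 = DependabotPR(310, "esbuild", "0.24.0", "0.25.0", security=True, severity="moderate",
                      runtime=False, transitive_via="drizzle-kit", ci_green=True)
```

Writing `security_triage_md(PR_310)` to `security_triage.md` yields the recommendation and the runtime contrast in one file.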
