
chore(ci): Add dependabot auto-triage pipeline #21318

Open
chargome wants to merge 3 commits into develop from feat/dependabot-auto-triage


Conversation


@chargome chargome commented Jun 3, 2026

Adds a manual-trigger (cron-ready) pipeline to keep our Dependabot backlog under control without manual intervention:

  1. Classify & auto-dismiss noise — deterministically (no LLM) flags dev/test-only alerts (dev-packages/**, and root-lockfile deps whose vulnerable version isn't prod-reachable from a published package) and auto-dismisses them with an audit table in the job summary.

  2. Fix — opens one batched PR for runtime deps and one for dev (one commit per vuln) via the /fix-security-vulnerability skill's new --ci mode. Bails to a "Needs human" entry on major/breaking bumps.

Classification is version-aware (semver-matches the advisory range against the published packages' prod closure, incl. optionalDependencies), so only genuinely user-facing vulns reach the runtime PR.

Modes (manual dispatch): dry-run (default, no writes) · dismiss-only · full.

Note: The daily schedule is committed but commented out for the test phase.
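A worked illustration of the classify step described above, added here as an example and not taken from the PR's own dismiss-noise.mjs. It assumes a hoisted, lockfile-style view with one resolved version per package name, a list of published packages as roots, and advisory ranges in the comma-separated comparator form (e.g. `>= 1.0.0, < 1.2.0`). Package names, versions and alerts are constructed; none refer to real advisories. The example follows the three noise rules from the description: a manifest under `dev-packages/`, a package that is not prod-reachable (devDependencies are never followed, optionalDependencies are), and a prod-reachable version outside the vulnerable range.

```javascript
// Added example, not the PR's own code. Version-aware Dependabot alert triage:
// an alert is "noise" when its manifest is under dev-packages/, when the package
// is not reachable from a published package via dependencies/optionalDependencies,
// or when the prod-reachable version is outside the advisory range.

// Constructed, hoisted lockfile view: one resolved version per package name.
const GRAPH = {
  "@example/app": {
    version: "1.0.0",
    dependencies: { "http-helper": "1.3.0" },
    optionalDependencies: { "native-opt": "2.3.2" },
    devDependencies: { "test-runner": "4.17.15" },
  },
  "http-helper": { version: "1.3.0", dependencies: {} },
  "native-opt": { version: "2.3.2", dependencies: { "build-shim": "9.0.0" } },
  "build-shim": { version: "9.0.0", dependencies: {} },
  "test-runner": { version: "4.17.15", dependencies: {} },
};

// Constructed list of published packages; their prod closure is what users install.
const PUBLISHED = ["@example/app"];

// Walk dependencies + optionalDependencies from the published roots.
// devDependencies are never followed: they do not ship to users.
function prodClosure(graph, roots) {
  const seen = new Map();
  const stack = [...roots];
  while (stack.length) {
    const name = stack.pop();
    const node = graph[name];
    if (!node || seen.has(name)) continue;
    seen.set(name, node.version);
    for (const dep of Object.keys({ ...node.dependencies, ...node.optionalDependencies })) {
      stack.push(dep);
    }
  }
  return seen;
}

// Minimal semver comparison: numeric major.minor.patch, prerelease/build ignored.
function parseVersion(v) {
  return v.replace(/^v/, "").split(/[-+]/)[0].split(".").map(Number);
}
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Every comparator in the range must hold. An unsupported comparator throws
// rather than counting as satisfied, so a parse problem can never dismiss an alert.
function satisfiesRange(version, range) {
  return range.split(",").every((part) => {
    const m = part.trim().match(/^(<=|>=|<|>|=)\s*(.+)$/);
    if (!m) throw new Error(`unsupported comparator: ${part}`);
    const c = compareVersions(version, m[2]);
    return { "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c === 0 }[m[1]];
  });
}

// Returns { verdict: "noise" | "runtime", reason } for one alert.
function classifyAlert(alert, graph = GRAPH, roots = PUBLISHED) {
  if (alert.manifestPath.startsWith("dev-packages/")) {
    return { verdict: "noise", reason: "manifest under dev-packages/" };
  }
  const installed = prodClosure(graph, roots).get(alert.package);
  if (installed === undefined) {
    return { verdict: "noise", reason: "not prod-reachable from any published package" };
  }
  if (!satisfiesRange(installed, alert.vulnerableRange)) {
    return { verdict: "noise", reason: `prod-reachable ${installed} is outside ${alert.vulnerableRange}` };
  }
  return { verdict: "runtime", reason: `prod-reachable ${installed} matches ${alert.vulnerableRange}` };
}

// Constructed alerts (not real advisories).
const ALERTS = [
  { number: 1, package: "test-runner", manifestPath: "package-lock.json", vulnerableRange: "< 5.0.0" },
  { number: 2, package: "build-shim", manifestPath: "package-lock.json", vulnerableRange: "< 10.0.0" },
  { number: 3, package: "http-helper", manifestPath: "package-lock.json", vulnerableRange: ">= 1.0.0, < 1.2.0" },
  { number: 4, package: "lint-plugin", manifestPath: "dev-packages/e2e-tests/package.json", vulnerableRange: "< 2.0.0" },
];

function triage(alerts = ALERTS) {
  return alerts.map((a) => ({ number: a.number, package: a.package, ...classifyAlert(a) }));
}

for (const row of triage()) console.log(`#${row.number} ${row.package}: ${row.verdict} (${row.reason})`);
```

Only alert 2 reaches the runtime bucket: `build-shim` is pulled in through an optionalDependency of a published package and its installed version falls inside the range. The dev-only `test-runner` alert and the out-of-range `http-helper` alert are both noise, which is exactly the class of backlog the dismiss step is meant to clear without an LLM in the loop.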

@chargome chargome self-assigned this Jun 3, 2026
@chargome chargome marked this pull request as ready for review June 3, 2026 09:31

chargome commented Jun 3, 2026

bugbot run


chargome commented Jun 3, 2026

bugbot run

Comment thread .agents/skills/fix-security-vulnerability/scripts/dismiss-noise.mjs Outdated
Build the noise audit header from real outcomes (rows.length) instead of
the candidate count, so partial dismissal failures no longer overstate
successes. Failed alerts are listed and flagged as still open.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
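The reporting fix this commit describes, shown as an added example that is not the PR's own dismiss-noise.mjs code: the audit header is derived from the recorded outcome rows, not from the candidate count, so a partially failed dismissal run reports the failures and marks those alerts as still open. The dismiss call is a constructed, synchronous stand-in for the GitHub API request; candidates and the failing alert number are constructed.

```javascript
// Added example, not the PR's own code. Build the noise-audit summary from
// real per-alert outcomes so partial failures are never reported as success.

// Constructed stand-in for the API call that dismisses an alert. The real
// call is asynchronous; this one is synchronous to keep the example compact.
function makeDismisser(failing) {
  return (alert) => {
    if (failing.has(alert.number)) throw new Error(`dismiss failed for #${alert.number}`);
    return { number: alert.number, state: "dismissed" };
  };
}

// Attempt every candidate and record each outcome; one failure must not stop
// the loop or silently drop the alert from the report.
function dismissAll(candidates, dismiss) {
  const rows = [];
  for (const c of candidates) {
    try {
      dismiss(c);
      rows.push({ number: c.number, package: c.package, reason: c.reason, status: "dismissed" });
    } catch (err) {
      rows.push({ number: c.number, package: c.package, reason: c.reason, status: "failed", error: err.message });
    }
  }
  return rows;
}

// Job-summary markdown. The counts come from rows, never from candidates.length.
function buildSummary(rows) {
  const dismissed = rows.filter((r) => r.status === "dismissed");
  const failed = rows.filter((r) => r.status === "failed");
  const lines = [
    `## Noise audit: ${dismissed.length} dismissed, ${failed.length} failed (still open)`,
    "",
    "| Alert | Package | Reason | Status |",
    "|---|---|---|---|",
    ...rows.map((r) =>
      `| #${r.number} | ${r.package} | ${r.reason} | ${r.status === "failed" ? `still open: ${r.error}` : "dismissed"} |`
    ),
  ];
  return { dismissed: dismissed.length, failed: failed.length, markdown: lines.join("\n") };
}

// Constructed candidates produced by the classify step.
const CANDIDATES = [
  { number: 11, package: "test-runner", reason: "dev-only" },
  { number: 12, package: "lint-plugin", reason: "dev-packages/ manifest" },
  { number: 13, package: "http-helper", reason: "outside vulnerable range" },
];

// Alert #12 is made to fail, simulating a rejected or errored API call.
function runAudit(candidates = CANDIDATES, failing = new Set([12])) {
  return buildSummary(dismissAll(candidates, makeDismisser(failing)));
}

console.log(runAudit().markdown);
```

With one failing call the header reads "2 dismissed, 1 failed (still open)" and the failed row carries the error; a header built from `candidates.length` would have claimed all three were dismissed.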

chargome commented Jun 3, 2026

bugbot run

@cursor cursor Bot left a comment

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit e66dce4. Configure here.

@chargome chargome requested review from a team, JPeer264 and timfish June 3, 2026 12:33

2 participants