
Fix Dependabot
Repair Dependabot PRs in Bun monorepos by bumping every package.json reference and regenerating bun.lock.
Overview
fix-dependabot is an agent skill for the Ship phase that completes Dependabot PRs by updating every monorepo package.json instance, running bun install, and pushing a consistent lockfile.
Install
npx skills add https://github.com/remotion-dev/remotion --skill fix-dependabot
What is this skill?
- Seven-step flow: gh pr view, checkout, rg all package.json matches, bun install, verify, commit and push, return to main
- Fixes Dependabot's single-package bump and the stale bun.lock it leaves behind across the monorepo
- Preserves each package's existing semver prefix style (^, ~, or exact) when updating versions
- Uses a ripgrep pattern to find every instance of the dependency still at the old version
Adoption & trust: 302 installs on skills.sh; 49.4k GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your Dependabot PR updates one package.json but bun.lock is stale and other workspace packages still depend on the old version.
Who is it for?
Solo maintainers of Bun-based monorepos who regularly merge Dependabot bumps and hit lockfile or sibling-package drift.
Skip if: npm/yarn-only repos without bun, or cases needing full vulnerability triage beyond version alignment.
When should I use this skill?
User needs to fix a Dependabot PR by updating all monorepo instances of a dependency, running bun install, and pushing.
What do I get? / Deliverables
All monorepo references and bun.lock match the bumped version so the PR can merge with consistent installs across packages.
- Updated package.json files across the monorepo
- Regenerated bun.lock committed on the Dependabot branch
Journey fit
Dependency PR hygiene belongs in Ship, when you review and merge safe updates before release, not mid-feature implementation. The workflow is PR-centric: check out the branch, align versions, verify the diff, commit and push. That matches code review and merge prep.
How it compares
Use instead of blindly merging Dependabot when you know the monorepo has multiple package.json copies the bot did not touch.
Common Questions / FAQ
Who is fix-dependabot for?
Indie and solo developers maintaining Bun monorepos who want their agent to finish Dependabot PRs the bot left incomplete.
When should I use fix-dependabot?
During Ship (review) when a Dependabot PR is open and you need every package.json and bun.lock aligned before merge.
Is fix-dependabot safe to install?
It runs git, gh, rg, and bun install with write access to the repo—review the Security Audits panel on this page and inspect the PR diff before pushing.
SKILL.md - Fix Dependabot
Dependabot PRs only update one `package.json` and never run `bun install`, so the `bun.lock` file is out of date and other packages in the monorepo still reference the old version. This skill fixes both problems.

## Steps

1. **Get PR info** — Use `gh pr view <number> --json headRefName,files,title,body` to identify the branch name, which dependency was bumped, and the old/new versions.

2. **Checkout the branch**:

   ```bash
   git fetch origin <branch>
   git checkout <branch>
   ```

3. **Update all monorepo instances** — Dependabot only touches one package. Search for all other `package.json` files that reference the same dependency at the old version and update them too:

   ```bash
   rg '"<dependency>": "[~^]?<old-version>"' --glob '**/package.json'
   ```

   Update every match to the new version. Preserve the prefix style (`^`, `~`, or exact) that each package already uses. (The dots in `<old-version>` are regex wildcards; escape them as `\.` if you want a strict match.)

4. **Run `bun install`** from the repo root to regenerate `bun.lock`.

5. **Verify** — Run `git status` to confirm only `bun.lock` and the expected `package.json` files were modified. If other unexpected files changed, investigate before proceeding. Also skim `git diff bun.lock`: a version bump should change the resolved entry for that dependency and its transitive dependencies, not pull in unrelated packages.

6. **Commit and push**:

   ```bash
   git add -u
   git commit -m "Update <dependency> to <version> across all monorepo packages"
   git push
   ```

7. **Switch back** — Return to your previous branch (usually `main`):

   ```bash
   git checkout main
   ```

## Notes

- Dependabot says "Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself" — but updating the lockfile and sibling packages is the expected workflow and won't cause issues. Once you have pushed your own commit, Dependabot stops rebasing the branch on its own, and `@dependabot recreate` overwrites any edits made to the PR, so merge soon after pushing rather than asking the bot to redo the branch.
- If the version bump is a major version (e.g. vite 5 → 6), consider whether the upgrade is appropriate or if it should be ignored. Check for breaking changes.
- If `bun install` fails, the dependency version may have conflicts with other packages. In that case, close the PR and comment explaining why.
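The seven steps above as POSIX shell functions, added here as an example; this is not code from the remotion skill. The function names `find_stale`, `bump_in_file`, `only_expected_changes` and `fix_dependabot_pr` are chosen for this example, `grep` stands in for `rg`, and the sample monorepo layout in the comments is assumed. The wrapper that wires in `gh`, `git` and `bun` is only defined, not executed, because it needs those tools and network access.

```sh
#!/bin/sh
# Added example (not part of the remotion skill): shell helpers for the
# seven-step fix-dependabot procedure. Assumes only sed, grep, find and
# mktemp; gh, git and bun are used solely by fix_dependabot_pr, which is
# defined but never run automatically.
set -eu

# Escape '.' so a version or package name is matched literally by a BRE.
# Semver versions and npm package names contain no other BRE metacharacters.
bre_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# BRE matching DEP pinned to OLD in any of the three prefix styles:
#   "vite": "^5.4.0"   "vite": "~5.4.0"   "vite": "5.4.0"
dep_pattern() { # dep old
  printf '"%s": "[~^]\\{0,1\\}%s"' "$(bre_escape "$1")" "$(bre_escape "$2")"
}

# Step 3a: every package.json under ROOT (outside node_modules) that still
# references DEP at OLD, one path per line. Replaces the rg command in the skill.
find_stale() { # root dep old
  find "$1" -name package.json ! -path '*/node_modules/*' \
    -exec grep -l -- "$(dep_pattern "$2" "$3")" {} + || true
}

# Step 3b: rewrite DEP from OLD to NEW in FILE. The \( ... \) group captures
# the key and that file's own prefix, so ^, ~ or exact pins are preserved.
# '|' is the sed delimiter because scoped names such as @types/node contain '/'.
bump_in_file() { # file dep old new
  tmp=$(mktemp)
  sed "s|\(\"$(bre_escape "$2")\": \"[~^]\{0,1\}\)$(bre_escape "$3")\"|\1$4\"|" "$1" > "$tmp"
  mv "$tmp" "$1"
}

# Step 5: read `git status --porcelain` from stdin and fail if any changed
# path is not bun.lock or a package.json. Lines look like " M packages/a/package.json".
only_expected_changes() {
  bad=0
  while IFS= read -r line; do
    path=${line#???}            # drop the two status columns and the separating space
    case "$path" in
      bun.lock|*/bun.lock|package.json|*/package.json) ;;
      *) printf 'unexpected change: %s\n' "$path" >&2; bad=1 ;;
    esac
  done
  return "$bad"
}

# Steps 1-7 wired together. Needs gh, git, bun and network access, so it is only
# defined here. Usage: fix_dependabot_pr <pr-number> <dep> <old-version> <new-version>
fix_dependabot_pr() {
  pr=$1 dep=$2 old=$3 new=$4
  branch=$(gh pr view "$pr" --json headRefName --jq .headRefName)   # 1. PR info
  git fetch origin "$branch" && git checkout "$branch"                # 2. checkout
  find_stale . "$dep" "$old" | while IFS= read -r f; do              # 3. sibling packages
    bump_in_file "$f" "$dep" "$old" "$new"
  done
  bun install                                                         # 4. regenerate bun.lock
  git status --porcelain | only_expected_changes                      # 5. abort on stray files
  git add -u
  git commit -m "Update $dep to $new across all monorepo packages"    # 6. commit and push
  git push
  git checkout main                                                   # 7. back to main
}
```

Because `set -e` is in effect, a failure in step 5 (a path other than `bun.lock` or a `package.json` in the status) stops the run before anything is committed, which is the check the skill asks for.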