Review Renovate dependency upgrade PRs to assess safety and effort. Use when reviewing PRs from Renovate bot that update NPM dependencies.
Review a Renovate PR to assess the safety and effort required to merge a dependency upgrade.
- `pr-number` (required): The PR number to review
- `--comment` (optional): Post the assessment as a PR comment. If omitted, only output the review locally.

Fetch the PR details:

```bash
gh pr view $ARGUMENTS --json title,body,files
```
Extract the following information:
We assume packages follow Semantic Versioning: per semver, patch (fix) and minor releases should contain no breaking changes.
In all cases you must:
Research breaking changes by:

- Reading the release notes at `https://github.com/<owner>/<repo>/releases`
- Identifying which breaking changes may affect this codebase
Search for usage of the upgraded package:
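As an added helper that is not part of this skill file, the shell functions below implement the semver classification, the usage search and the risk mapping the steps above describe, using the Risk / Recommendation wording of the comment template. The package name, the old and new versions and the `AFFECTED` flag (the outcome of the manual changelog research) are assumed inputs.

```sh
#!/bin/sh
# Added helper, not part of the original skill: semver bump classification,
# usage count and risk mapping for a Renovate PR. Assumes versions look like
# X.Y.Z with an optional v, ^, ~ or = prefix, and that AFFECTED ("yes"/"no")
# is the result of the manual breaking-change research step.

strip_prefix() { printf '%s' "$1" | sed 's/^[v^~=]*//'; }

# bump_type OLD NEW -> patch | minor | major
bump_type() {
  old=$(strip_prefix "$1"); new=$(strip_prefix "$2")
  omaj=${old%%.*}; orest=${old#*.}; omin=${orest%%.*}
  nmaj=${new%%.*}; nrest=${new#*.}; nmin=${nrest%%.*}
  if [ "$omaj" != "$nmaj" ]; then echo major
  elif [ "$omin" != "$nmin" ]; then echo minor
  else echo patch
  fi
}

# count_usage PKG DIR -> number of .ts/.js files that import or require PKG
# (or one of its subpaths); "lodash" does not match "lodash-es".
count_usage() {
  grep -rlE --include='*.ts' --include='*.js' \
    "(from|require\()[[:space:]]*['\"]$1(/[^'\"]*)?['\"]" "$2" | wc -l | tr -d ' '
}

# risk_level BUMP AFFECTED -> Low | Medium | High. Patch and minor are Low
# under the semver assumption; major is Medium unless a breaking change is
# known to touch this codebase, in which case it is High.
risk_level() {
  case "$1" in
    patch|minor) echo Low ;;
    major) if [ "$2" = yes ]; then echo High; else echo Medium; fi ;;
  esac
}

# recommendation RISK -> the template's one-line recommendation
recommendation() {
  case "$1" in
    Low) echo "Safe to merge" ;;
    Medium) echo "Review recommended" ;;
    High) echo "Changes required" ;;
  esac
}
```

Run as `bump_type 4.17.21 5.0.0` and `count_usage lodash .` from the repository root to fill the version, Impact and Risk lines of the comment.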
Create a markdown comment with the following structure:

```markdown
## Dependency Upgrade Review: `<package-name>`

<!-- For High risk only, add at the top: -->
> [!CAUTION]
> Breaking changes affect this codebase. Code changes required before merge.

<!-- For Medium risk only, add at the top: -->
> [!WARNING]
> Major upgrade with breaking changes. Review recommended.

`<old>` → `<new>` (**patch** / **minor** / **major**)

**Risk:** Low / Medium / High
**Impact:** <count> files
**Recommendation:** Safe to merge / Review recommended / Changes required

<one-line explanation>

<details>
<summary>Affected files</summary>

- `path/to/file.ts`
- ...

</details>

<!-- For major upgrades only: -->
<details>
<summary>Breaking changes</summary>

- <breaking change 1>
- <breaking change 2>

</details>

<details>
<summary>Required code changes</summary>

- <change 1>
- <change 2>
<!-- Or "None" if no changes needed -->

</details>
```
Post the comment (only if the `--comment` flag was provided). Only post the comment to the PR if the `--comment` flag was included in the arguments.

If `--comment` is provided:

```bash
gh pr comment <pr-number> --body "<assessment>"
```

If `--comment` is NOT provided, skip this step and only display the assessment locally.
Risk:
Impact:
Recommendation: