Dependency Updater Agent

Keep deps up to date

The Dependency Updater Agent automatically keeps your project dependencies up to date. It monitors for new versions, creates update PRs, and ensures compatibility.

What It Does

  • Monitors dependencies - Tracks all packages in your project
  • Detects updates - Finds new stable versions
  • Creates PRs - Automatically opens update pull requests
  • Tests compatibility - Verifies updates don't break your code
  • Groups updates - Combines related updates into single PRs

Supported Package Managers

| Manager | Files |
|---------|-------|
| npm/yarn/pnpm | package.json, package-lock.json |
| pip/poetry | requirements.txt, pyproject.toml |
| Go modules | go.mod |
| Cargo | Cargo.toml |
| Maven/Gradle | pom.xml, build.gradle |

Configuration

agents:
  - name: dependency-updater
    template: dependency-updater
    triggers:
      schedule:
        - cron: "0 9 * * 1"  # Every Monday at 9am
    config:
      # Update strategy
      strategy: conservative  # aggressive, conservative, security-only

      # Version constraints
      allow_major: false
      allow_minor: true
      allow_patch: true

      # PR behavior
      max_open_prs: 5
      group_updates: true
      automerge:
        enabled: true
        only_patch: true
        require_ci: true

      # Package rules
      package_rules:
        - match: "typescript"
          allow_major: true
        - match: "@types/*"
          automerge: true
        - match: "react"
          group: "react-ecosystem"
        - match: "react-dom"
          group: "react-ecosystem"

      # Ignore packages
      ignore:
        - "legacy-package"
        - "internal-*"

Update Strategies

Conservative (Default)

  • Only patch updates auto-merge
  • Minor updates require review
  • Major updates require explicit approval

Aggressive

  • Minor updates auto-merge if CI passes
  • Major updates create PRs for review
  • Faster adoption of new features

Security Only

  • Only update packages with known vulnerabilities
  • Minimal churn, maximum security

Grouping Updates

Group related packages to reduce PR noise:

package_rules:
  - match: "eslint*"
    group: "linting"
  - match: "@testing-library/*"
    group: "testing"
  - match: "@aws-sdk/*"
    group: "aws"

This creates single PRs like:

  • "Update linting dependencies (eslint, eslint-plugin-react, ...)"
  • "Update testing dependencies (@testing-library/react, ...)"

Update PR Format

Each update PR includes:

## Dependency Updates

This PR updates the following packages:

| Package | From | To | Type |
|---------|------|----|----- |
| lodash | 4.17.20 | 4.17.21 | patch |
| axios | 0.27.0 | 0.28.0 | minor |

### Release Notes

#### lodash 4.17.21
- Fixed security vulnerability in template function
- [Full changelog](https://github.com/lodash/lodash/releases)

#### axios 0.28.0
- Added support for fetch API
- Improved TypeScript types
- [Full changelog](https://github.com/axios/axios/releases)

### Compatibility

✅ All CI checks passed
✅ No breaking changes detected
✅ Test suite passes

Automerge

Configure automerge for low-risk updates:

automerge:
  enabled: true
  conditions:
    - ci_passed
    - no_conflicts
    - patch_only  # or 'minor_allowed'
  delay: 24h  # Wait 24 hours before merging
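
The Python sketch below is an added example, not the agent's own code: it shows one way the automerge conditions above could be evaluated as a fail-closed gate. It goes one step beyond the page by treating 0.x minor bumps as potentially breaking, since semver makes no compatibility promise below 1.0.0 (the axios 0.27.0 to 0.28.0 row in the sample PR is labeled "minor"). All function names, the choice to count the delay from when the PR was opened, and the timestamps are assumptions.

```python
from datetime import datetime, timedelta, timezone

def parse(version):
    """Parse plain MAJOR.MINOR.PATCH; pre-release/build tags are rejected."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a plain semver version: {version!r}")
    return tuple(int(p) for p in parts)

def bump_type(old, new):
    """Label the change the way the PR table does: major, minor or patch."""
    o, n = parse(old), parse(new)
    if n <= o:
        raise ValueError(f"{old} -> {new} is not an upgrade")
    return "major" if n[0] != o[0] else "minor" if n[1] != o[1] else "patch"

def may_break(old, new):
    """Semver makes no compatibility promise below 1.0.0, so a 0.x minor bump
    (or any 0.0.x bump) is treated as breaking, as npm caret ranges do."""
    o, kind = parse(old), bump_type(old, new)
    if kind == "major":
        return True
    return o[0] == 0 and (kind == "minor" or o[1] == 0)

def automerge_decision(old, new, ci_passed, no_conflicts, opened_at, now,
                       delay=timedelta(hours=24), minor_allowed=False):
    """Return (merge?, reason). Every condition must hold; any failure blocks."""
    kind = bump_type(old, new)
    if may_break(old, new):
        return False, f"{kind} bump may break callers: needs review"
    if kind == "minor" and not minor_allowed:
        return False, "minor bump but policy is patch_only"
    if not (ci_passed and no_conflicts):
        return False, "ci_passed / no_conflicts not satisfied"
    if now - opened_at < delay:  # assumption: delay counts from PR creation
        return False, "still inside the merge delay window"
    return True, f"{kind} bump meets all automerge conditions"

# Constructed sample input: the two rows of the PR table above.
NOW = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
OPENED = NOW - timedelta(hours=30)

if __name__ == "__main__":
    for pkg, old, new in [("lodash", "4.17.20", "4.17.21"), ("axios", "0.27.0", "0.28.0")]:
        print(pkg, bump_type(old, new),
              automerge_decision(old, new, True, True, OPENED, NOW, minor_allowed=True))
```

With this gate the lodash patch merges after the delay, while the axios update is held for review even when minor updates are allowed.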

Schedule

Set when the agent checks for updates:

triggers:
  schedule:
    # Check daily at 9am
    - cron: "0 9 * * *"

    # Or weekly on Mondays
    - cron: "0 9 * * 1"

    # Or monthly on the 1st
    - cron: "0 9 1 * *"

Handling Breaking Changes

When a major update might break your code:

  1. The agent analyzes the changelog for breaking changes
  2. It scans your code for affected patterns
  3. A detailed migration guide is included in the PR
  4. The PR is labeled "breaking-change" for review
BambooSnow - AI Agent Automation Platform