Repository: [hypothesis/dependabot-batch-review](https://github.com/hypothesis/dependabot-batch-review) (record from https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hypothesis%2Fdependabot-batch-review)
Description: CLI tool for batch review and merge of Dependabot PRs
Language: Python; license: BSD-2-Clause; default branch: main; created 2022-05-05, last pushed 2025-06-17; 5 stars, 2 open issues, 0 forks.

README:

# dependabot-batch-review

CLI tool for batch review of
[Dependabot](https://docs.github.com/en/code-security/dependabot) PRs and
security alerts across all of a user or organization's repositories.

Note: The alert-reviewing functionality is being migrated to a separate [hypothesis/dependabot-alerts](https://github.com/hypothesis/dependabot-alerts) tool.

## Introduction

This tool enables efficient review of Dependabot activity across an organization
or user account. This includes:

- Reviewing and merging PRs to update dependencies
- Reviewing security alerts

It is built on the GitHub [GraphQL API](https://docs.github.com/en/graphql).

## Installation

1. Install [Poetry](https://python-poetry.org)

2. Clone this repository and install Python dependencies with:

   ```
   poetry install
   ```

## Authorization

In order of precedence, this tool will obtain a GitHub API token from:

 - The `GITHUB_TOKEN` environment variable
 - The [GitHub CLI](https://cli.github.com) if installed and logged in
 - Prompting for a token when the tool is run

For reviewing security alerts, the token must have permission to query alerts
in the target organization/user account. For reviewing updates, the token must
have permission to read and merge PRs in the target organization/user account.

## Reviewing security alerts

To review open security alerts for an organization, run:

```sh
./alerts.sh [organization]
```

This will search for all open Dependabot alerts against repositories in the
organization and list their details.

If the same alert is reported multiple times against a single repository,
only one instance will be shown.

To review open security alerts for repositories belonging to a user, run:

```sh
./alerts.sh --user [user]
```

### Resolving alerts

To resolve an alert, you can:

1. Merge a Dependabot PR that has been created. This can be done either through
   the GitHub UI or using this tool.
2. Manually create a PR to update the affected dependencies.
3. Dismiss an alert if the risk to the project is low or the alert is not
   relevant.
4. Archive the GitHub project if it is no longer being maintained. This will
   disable all vulnerability reports.
5. Set up custom Dependabot alert rules on a per-repository basis. This can
   be used to fine-tune which alerts are reported based on the lockfile path
   and other criteria.

   See https://docs.github.com/en/code-security/dependabot/dependabot-alert-rules/about-dependabot-alert-rules

### Slack notifications

If run with the `--slack` flag, the tool will send a report of the vulnerabilities
found to the Slack channel specified by the `SLACK_CHANNEL` environment
variable. An authentication token for a Slack app must be provided via the
`SLACK_TOKEN` environment variable. You can create a Slack app at
https://api.slack.com/apps.

## Reviewing updates

To review Dependabot dependency update PRs for a user or organization, run:

```sh
./review.sh [organization]
```

This will query for open PRs from Dependabot in the organization `organization`,
which can also be a GitHub username. It will group the updates by package name,
then go through each package in alphabetical order, show a summary of the PRs
updating that package and prompt for an action.

For each package it will show the name, the version ranges of the updates and the
status of continuous integration checks. You can then choose to review the
release notes for the update, merge all PRs in the group that have passed CI
checks, or see the individual PRs in the group.

```shellsession
$ ./review.sh hypothesis
Finding open Dependabot PRs for user or organization hypothesis…
Found 11 PRs for 7 dependencies

1 updates for dependency @babel/core:
Versions:
  @babel/core 7.17.9 -> 7.17.10
Check status: 1 passed, 0 failed
[m]erge all passing, [s]kip, [q]uit, [r]eview notes, [l]ist PR urls:
```

### Grouped updates

When using Dependabot's [grouped
updates](https://github.blog/changelog/2023-06-30-grouped-version-updates-for-dependabot-public-beta/)
feature, this tool will treat the group name of a PR like a package name for the
purposes of grouping PRs across repositories.

If, for example, you had configured a group called "babel" in multiple
repositories that matched all npm dependencies whose names match the pattern
"@babel/", this tool would group together all the PRs that update the
"babel" group across those repositories.

```shellsession
1 updates for group babel:
Versions:
  @babel/preset-typescript 7.22.15 -> 7.23.0
  @babel/core 7.22.17 -> 7.23.0
Checks: 1 passed
```

In this example, there is one PR updating a group called "babel", which updates
two different packages.

### Filtering updates

There are several options to filter PRs:

- `--label <label>` finds PRs with a specific label. By default Dependabot adds
  a label for the language (e.g. "javascript").
- `--repo-filter <pattern>` finds PRs only in repositories that match the given pattern.
- `--type <type>` finds PRs that update a specific type of package. Type values
  come from the branch names of Dependabot PRs, which have the form
  `dependabot/{package_type}/{package_name}-{version}`. For example "pip" or
  "npm_and_yarn".

### Limitations

This tool currently only fetches up to 100 PRs per run. To continue reviewing
after processing these, simply run the tool again.