A Claude Code skill that fetches open Dependabot security alerts for a GitHub repository, then reviews and updates vulnerable dependencies.
When you run /dependabot, the skill:
- Checks which GitHub accounts are available via the gh CLI and lets you pick one
- Fetches all open Dependabot alerts for the target repository
- Reviews each alert — package name, severity, vulnerable version range, and available patch
- Updates the vulnerable dependencies using the project's package manager
- Verifies the build and tests still pass
- Reports a summary of what was fixed
/dependabot # uses the current repo's git remote
/dependabot wjgilmore my-project # targets a specific owner/repo
If you don't provide arguments, the skill infers the owner and repo from the origin git remote.
You need the GitHub CLI (gh) installed and authenticated. Your token must include the security_events scope:
gh auth login
gh auth refresh -h github.com -s security_events

If you have multiple gh accounts, the skill will ask which one to use before running.
The skill runs a shell script (dependabot.sh) that calls the GitHub API to fetch each Dependabot alert individually. It collects the alert number, severity, package name, ecosystem, vulnerable version range, patched version, and manifest file into a JSON array. Claude then reads that output, figures out which packages to update, runs the appropriate package manager commands, and confirms everything still builds.
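As an added illustration (this is not the skill's own dependabot.sh), the collect-and-triage step is shown below in Python over a constructed sample of alerts shaped like GitHub's Dependabot alerts REST response (fields such as `security_advisory.severity`, `security_vulnerability.first_patched_version` and `dependency.manifest_path`). The `_alert` helper, the demo package names and the version numbers are assumptions; the example also handles the case where an alert has no patched version yet, which an upgrade cannot close.

```python
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

def _alert(number, state, severity, rng, patched, name, eco, manifest):
    """Build a constructed alert in the shape of GitHub's REST response."""
    return {"number": number, "state": state,
            "security_advisory": {"severity": severity},
            "security_vulnerability": {
                "vulnerable_version_range": rng,
                "first_patched_version": {"identifier": patched} if patched else None},
            "dependency": {"package": {"name": name, "ecosystem": eco},
                           "manifest_path": manifest}}

SAMPLE_ALERTS = [  # constructed sample; package names and versions are made up
    _alert(12, "open", "high", "< 2.4.1", "2.4.1", "demo-parser", "npm", "package-lock.json"),
    _alert(7, "open", "critical", ">= 1.0, < 1.9.3", "1.9.3", "demo-http", "pip", "requirements.txt"),
    _alert(3, "open", "medium", "< 2.2.0", "2.2.0", "demo-parser", "npm", "package-lock.json"),
    _alert(5, "open", "low", "< 0.8", None, "demo-yaml", "pip", "requirements.txt"),
    _alert(9, "dismissed", "low", "< 0.5", "0.5", "demo-util", "pip", "requirements.txt"),
]

def summarize_alert(alert):
    """Flatten one alert into the fields the skill's JSON array carries."""
    dep, vuln = alert["dependency"], alert["security_vulnerability"]
    patched = vuln.get("first_patched_version")  # None when no fix exists yet
    return {"number": alert["number"],
            "severity": alert["security_advisory"]["severity"],
            "package": dep["package"]["name"],
            "ecosystem": dep["package"]["ecosystem"],
            "vulnerable_range": vuln["vulnerable_version_range"],
            "patched_version": patched["identifier"] if patched else None,
            "manifest": dep["manifest_path"]}

def summarize_open_alerts(alerts):
    """Keep open alerts only, most severe first, then by alert number."""
    rows = [summarize_alert(a) for a in alerts if a.get("state") == "open"]
    rows.sort(key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0), r["number"]))
    return rows

def plan_updates(rows):
    """Group fixable alerts per (ecosystem, manifest, package) so one upgrade
    covers every alert on that package; alerts with no patched version are
    listed separately because bumping the dependency cannot close them."""
    upgrades, unfixable = {}, []
    for r in rows:
        if r["patched_version"] is None:
            unfixable.append(r["number"])
            continue
        key = (r["ecosystem"], r["manifest"], r["package"])
        upgrades.setdefault(key, []).append(r["patched_version"])
    return upgrades, unfixable
```

The chosen upgrade for a package must satisfy every patched version listed for it, and comparing versions is ecosystem-specific, which is why the skill leaves that decision to the package manager step.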