fusion-dependency-review
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseDependency Review
依赖PR审查
Structured review workflow for dependency update PRs. Produces consistent research notes that incorporate existing PR discussion, multi-lens analysis, and an actionable verdict with explicit maintainer confirmation before any merge action.
针对依赖更新PR的结构化审查工作流。生成一致的调研记录,整合现有PR讨论、多维度分析,以及可执行的结论,且在执行任何合并操作前需获得维护者的明确确认。
When to use
适用场景
Use this skill when a dependency PR needs review and you want a consistent, auditable decision process.
Typical triggers:
- "Review this dependency PR"
- "Should we merge this dependency update?"
- "Check this Renovate/Dependabot PR"
- "Review one of our open dependency PRs"
- "What changed in this library bump?"
- "Is this dependency update safe to merge?"
- A PR title contains dependency update patterns (for example ,
chore(deps):,fix(deps):,bump)update - The user shares a PR URL for a dependency update
当需要审查依赖PR且希望拥有一致、可审计的决策流程时,使用本技能。
典型触发场景:
- "审查这个依赖PR"
- "我们是否应该合并这次依赖更新?"
- "检查这个Renovate/Dependabot PR"
- "审查我们的某个未处理依赖PR"
- "这个库版本升级有哪些变化?"
- "这次依赖更新合并是否安全?"
- PR标题包含依赖更新相关模式(例如 、
chore(deps):、fix(deps):、bump)update - 用户分享了依赖更新PR的URL
When not to use
不适用场景
Do not use this skill for:
- Feature PRs or application code reviews (use standard code review workflows)
- Dependency automation or bot configuration
- Approving/merging without explicit user confirmation
- Deciding organizational dependency policy
请勿将本技能用于:
- 功能PR或应用代码审查(使用标准代码审查工作流)
- 依赖自动化或机器人配置
- 未获得用户明确确认的情况下批准/合并
- 制定组织级依赖政策
Required inputs
必要输入
Collect before starting the review:
- Repository owner and name
- PR number or URL for the dependency update, or a copied PR summary that includes package name, version change, changed files, and CI status
- Optional: specific review concerns or areas of focus from the maintainer
If required details are missing, ask concise clarifying questions from .
references/questions.mdIf the PR target is missing or ambiguous:
- Ask only the minimal follow-up question needed to identify the target PR.
- When repository context is known, use GitHub MCP to list likely open dependency PRs and let the user choose instead of guessing.
- Keep the shortlist concise and decision-friendly: include PR number, title, dependency/package hint, author, and CI state when available.
Auto-extract from the PR when available:
- Package(s) being updated and version range (from → to)
- Changelog/release notes URL
- CI status
- Changed files and dependency ecosystem
- Existing top-level PR comments, review comments, and unresolved thread state
开始审查前需收集:
- 代码仓库的所有者和名称
- 依赖更新的PR编号或URL,或包含包名、版本变更、修改文件及CI状态的PR摘要
- 可选:维护者提出的特定审查关注点或重点领域
若缺少必要信息,请从 中选取简洁的澄清问题询问用户。
references/questions.md若PR目标缺失或不明确:
- 仅询问识别目标PR所需的最少后续问题。
- 当已知仓库上下文时,使用GitHub MCP列出可能的未处理依赖PR,让用户选择而非猜测。
- 保持候选列表简洁且便于决策:尽可能包含PR编号、标题、依赖/包提示、作者及CI状态。
可从PR中自动提取的信息:
- 待更新的包及其版本范围(从→到)
- 更新日志/发布说明URL
- CI状态
- 修改文件及依赖生态系统
- 现有PR顶层评论、审查评论及未解决的讨论线程状态
Instructions
操作说明
Preferred advisor orchestration
推荐的协调器编排方式
When the runtime supports skill-local advisors, prefer this execution shape instead of a single long linear pass:
- Run first when the PR target is missing or ambiguous so the review starts from one explicit dependency PR.
agents/target-pr-advisor.md - Run to normalize the PR context, existing discussion, source list, and research notes.
agents/research-advisor.md - Fan out the lens advisors in parallel with the same normalized inputs:
agents/security-advisor.mdagents/code-quality-advisor.mdagents/impact-advisor.md
- Chain the combined research and lens outputs into for recommendation, confidence, handoff, and confirmation wording.
agents/verdict-advisor.md - Chain into only if the accepted next step requires PR patching, rebase, conflict resolution, or merge-readiness work.
agents/source-control-advisor.md
Keep the lens advisors narrow and independent. The parent skill owns the unified review and should preserve disagreement between advisors instead of flattening it early.
当运行时支持技能级本地协调器时,优先采用以下执行流程,而非单一的线性流程:
- 若PR目标缺失或不明确,先运行 ,确保审查从明确的单个依赖PR开始。
agents/target-pr-advisor.md - 运行 来标准化PR上下文、现有讨论、来源列表及调研记录。
agents/research-advisor.md - 以相同的标准化输入并行运行多维度协调器:
agents/security-advisor.mdagents/code-quality-advisor.mdagents/impact-advisor.md
- 将整合后的调研结果与多维度分析输出传入 ,生成建议、置信度、后续操作及确认话术。
agents/verdict-advisor.md - 仅当已接受的下一步操作需要PR补丁、变基、冲突解决或合并准备工作时,才传入 。
agents/source-control-advisor.md
保持多维度协调器的职责单一且独立。主技能负责统一审查,应保留协调器之间的分歧,而非过早抹平差异。
Workflow summary
工作流摘要
- Resolve the target PR with and the concise prompts in
agents/target-pr-advisor.md.references/questions.md - Gather context and build the shared evidence packet with ,
agents/research-advisor.md, andassets/review-tracker.md.assets/research-template.md - Run ,
agents/security-advisor.md, andagents/code-quality-advisor.mdin parallel with the same normalized research packet.agents/impact-advisor.md - Use to produce the recommendation, confidence, follow-up, and explicit maintainer prompt.
agents/verdict-advisor.md - Use only after the verdict is accepted and only when branch work is required.
agents/source-control-advisor.md - Follow for the detailed live-PR contract: target selection, checkpoint comments, decision gates, and handoff timing.
references/instructions.md
- 使用 和
agents/target-pr-advisor.md中的简洁提示确定目标PR。references/questions.md - 使用 、
agents/research-advisor.md和assets/review-tracker.md收集上下文并构建共享证据包。assets/research-template.md - 以相同的标准化调研包为输入,并行运行 、
agents/security-advisor.md和agents/code-quality-advisor.md。agents/impact-advisor.md - 使用 生成建议、置信度、后续操作及针对维护者的明确操作提示。
agents/verdict-advisor.md - 仅当结论已被接受且需要分支操作时,才使用 。
agents/source-control-advisor.md - 遵循 中的详细实时PR约定:目标选择、检查点评论、决策门限及交接时机。
references/instructions.md
Assets
资源文件
- : research-comment structure for change summary, breaking changes, known issues, and sources
assets/research-template.md - : verdict structure for lens assessments, recommendation, confidence, and follow-up items
assets/verdict-template.md - : working checklist and tracker for context, validation, lens outcomes, and handoff decisions
assets/review-tracker.md
- :用于记录变更摘要、破坏性变更、已知问题及来源的调研评论结构
assets/research-template.md - :用于记录多维度评估、建议、置信度及后续事项的结论结构
assets/verdict-template.md - :用于跟踪上下文、验证、多维度分析结果及交接决策的工作清单
assets/review-tracker.md
References
参考资料
- : detailed execution contract for target selection, live-PR checkpoints, and decision sequencing
references/instructions.md - : concise follow-up questions for choosing the target dependency PR and scoping the review
references/questions.md
- :关于目标选择、实时PR检查点及决策顺序的详细执行约定
references/instructions.md - :用于选择目标依赖PR及明确审查范围的简洁后续问题
references/questions.md
Advisors
协调器
- : resolves the exact dependency PR to review or returns a shortlist for user selection
agents/target-pr-advisor.md - : first pass; builds the shared evidence packet for all later advisors
agents/research-advisor.md - : parallel lens pass; checks security posture and attack-surface changes
agents/security-advisor.md - : parallel lens pass; checks upstream stability, regressions, and API drift
agents/code-quality-advisor.md - : parallel lens pass; checks repository blast radius, CI, and follow-up work
agents/impact-advisor.md - : chained synthesis pass; turns research and lens outputs into one decision
agents/verdict-advisor.md - : conditional final pass; handles rebase, sync, validation reruns, and push safety when patching the PR
agents/source-control-advisor.md
If helper advisors are unavailable, follow the same orchestration inline: research first, lenses next, verdict after that, and source-control last only when mutation is needed.
- :确定待审查的具体依赖PR,或返回候选列表供用户选择
agents/target-pr-advisor.md - :首次处理;为后续所有协调器构建共享证据包
agents/research-advisor.md - :并行多维度处理;检查安全态势及攻击面变化
agents/security-advisor.md - :并行多维度处理;检查上游稳定性、回归问题及API变更
agents/code-quality-advisor.md - :并行多维度处理;检查仓库影响范围、CI及后续工作
agents/impact-advisor.md - :链式合成处理;将调研及多维度分析输出整合为单一决策
agents/verdict-advisor.md - :条件性最终处理;在修补PR时处理变基、同步、验证重跑及推送安全相关事项
agents/source-control-advisor.md
若辅助协调器不可用,则按相同编排顺序内联执行:先调研,再进行多维度分析,之后生成结论,仅当需要变更时才进行源代码控制相关操作。
Expected output
预期输出
If the PR target is unresolved, return:
- A concise shortlist of candidate dependency PRs when live PR search is available
- The minimal follow-up question required to let the user choose the correct PR
- Explicit status:
Awaiting user PR selection
If the PR target is resolved, return a structured review containing:
- Package name, version change, and update type
- Existing PR discussion summary (top-level comments, review-thread themes, unresolved concerns)
- Research summary (changelog highlights, breaking changes, known issues)
- Security assessment with evidence
- Code quality assessment with evidence
- Impact assessment with evidence
- Verdict: recommendation, rationale, confidence, and follow-up items
- Handoff recommendation when follow-up work should become a tracked issue
- Explicit action prompt for the maintainer
若PR目标未确定,返回:
- 当支持实时PR搜索时,返回简洁的候选依赖PR列表
- 让用户选择正确PR所需的最少后续问题
- 明确状态:
Awaiting user PR selection
若PR目标已确定,返回包含以下内容的结构化审查结果:
- 包名、版本变更及更新类型
- 现有PR讨论摘要(顶层评论、审查讨论主题、未解决的关注点)
- 调研摘要(更新日志重点、破坏性变更、已知问题)
- 带证据的安全评估
- 带证据的代码质量评估
- 带证据的影响范围评估
- 结论:建议、理由、置信度及后续事项
- 当后续工作需转为跟踪议题时的交接建议
- 针对维护者的明确操作提示
Safety & constraints
安全与约束
Never:
- Merge or approve a dependency PR without explicit user confirmation
- Create a merge commit by merging the base branch into a Dependabot or Renovate PR branch
- Guess which PR to review when multiple plausible dependency PRs exist
- Skip the research checkpoint comment or final verdict comment on a live PR
- Ignore existing reviewer concerns because they are inconvenient or duplicative
- Claim CI passed or security is clear without checking actual status
- Expose secrets or tokens in comments or logs
- Dismiss security concerns for convenience
- Fabricate changelog entries or version details not found in sources
Always:
- Ask minimal follow-up questions when the target PR is missing or ambiguous
- Present evidence for each assessment (link to changelog, CVE, CI status)
- List candidate dependency PRs for user selection when repository context exists but the PR target does not
- Fetch existing PR comments and review threads via GitHub MCP before analysis on a live PR
- Reuse one shared research packet across advisors instead of rediscovering the same facts in each pass — this includes PR metadata, changed files, CI status, and existing discussion
- Do not re-fetch PR comments or review threads independently in each advisor; pass the pre-fetched data from the research advisor to all lens advisors
- Prefer parallel lens analysis when the runtime supports it, then chain synthesis after all lens outputs are ready
- Post the research checkpoint comment to the PR before any branch mutation on a live PR
- Post the final verdict comment to the PR before any approval or merge on a live PR
- Make branch-sync or rebase needs explicit before patching the PR
- Rebase dependency PR branches onto the latest base branch when refresh is required; do not merge the base branch into the PR branch
- Make follow-up work explicit rather than burying it in review notes
- Respect the maintainer as the final decision-maker
- Keep review output in a consistent, repeatable structure
绝对禁止:
- 在未获得用户明确确认的情况下合并或批准依赖PR
- 将基础分支合并到Dependabot或Renovate PR分支以创建合并提交
- 当存在多个合理的依赖PR时,猜测应审查哪一个
- 在实时PR上跳过调研检查点评论或最终结论评论
- 因不便或重复而忽略现有审查者的关注点
- 在未检查实际状态的情况下声称CI已通过或安全无虞
- 在评论或日志中暴露密钥或令牌
- 为图方便而忽略安全问题
- 编造未在来源中找到的更新日志条目或版本细节
必须遵守:
- 当PR目标缺失或不明确时,仅询问最少的后续问题
- 为每项评估提供证据(链接到更新日志、CVE、CI状态)
- 当已知仓库上下文但PR目标未确定时,列出候选依赖PR供用户选择
- 在分析实时PR前,通过GitHub MCP获取现有PR评论及讨论线程
- 在协调器之间复用同一个共享调研包,而非在每个协调器中重复发现相同事实——包括PR元数据、修改文件、CI状态及现有讨论
- 请勿在每个协调器中独立获取PR评论或讨论线程;将调研协调器预先获取的数据传递给所有多维度协调器
- 若运行时支持,优先采用并行多维度分析,待所有多维度分析输出完成后再进行链式合成
- 在实时PR上执行任何分支变更前,先发布调研检查点评论
- 在批准或合并实时PR前,先发布最终结论评论
- 在修补PR前明确说明分支同步或变基需求
- 当需要刷新时,将依赖PR分支变基到最新的基础分支;请勿将基础分支合并到PR分支
- 明确列出后续工作,而非将其隐藏在审查记录中
- 将维护者视为最终决策者
- 保持审查输出的结构一致且可复用