trailofbits

Merge Dependabot PRs

Git community intermediate


Installation

Terminal
claude install-skill https://github.com/trailofbits/claude-code-config

README

Merge Dependabot PRs

@description Evaluate and merge dependabot PRs with parallel builds, dependency-aware batching, and transitive dep analysis. @arguments $REPO: GitHub org/repo (e.g., trailofbits/algo). $OPTIONS: Optional flags — "--skip-config-audit" skips Phase 0 (use in batch runs where config audit is a separate pass).

Clone $REPO if not already available locally:

gh repo clone $REPO /tmp/depbot-eval-$(echo "$REPO" | tr '/' '-') -- --depth=50 2>/dev/null || \
  (cd /tmp/depbot-eval-$(echo "$REPO" | tr '/' '-') && git fetch origin)

Work from `/tmp/depbot-eval-{repo-slug}` for all subsequent phases.

Execute every phase below sequentially. Do not stop or ask for confirmation at any phase.

Turn Budget Management

If you are running as a background agent with a `max_turns` cap:


Phase 0: Dependabot Config Audit

If `$OPTIONS` includes `--skip-config-audit`, skip this entire phase and proceed to Phase 1.

Detect all package ecosystems present in the repo by checking for these indicator files:

| Indicator file(s) | Ecosystem |
|---|---|
| `pyproject.toml` + `uv.lock` | `uv` |
| `pyproject.toml` (no `uv.lock`), `requirements*.txt`, `setup.py`, `setup.cfg` | `pip` |
| `Cargo.toml` | `cargo` |
| `package.json` | `npm` |
| `go.mod` | `gomod` |
| `Gemfile` | `bundler` |
| `Dockerfile`, `docker-compose.yml` | `docker` |
| `.github/workflows/*.yml` | `github-actions` |
| `composer.json` | `composer` |
| `*.csproj`, `*.fsproj` | `nuget` |

Read `.github/dependabot.yml`. Verify all five conditions:

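The ecosystem detection from the table above, followed by one audit check against `.github/dependabot.yml`, as an added POSIX shell example (not code from the skill or from the trailofbits repository). The `missing_from_dependabot` check is an assumption: the page does not list its five conditions, so this only flags detected ecosystems that have no `package-ecosystem:` entry in the config.

```shell
# any_file ECO FILE...: print ECO once if at least one FILE exists.
# Unmatched globs are passed through literally and simply do not exist.
any_file() {
  eco=$1; shift
  for f in "$@"; do
    if [ -f "$f" ]; then echo "$eco"; return 0; fi
  done
  return 0
}

# detect_ecosystems DIR: Dependabot ecosystem names, one per line, sorted.
# pyproject.toml counts as uv only when uv.lock sits beside it, else pip.
detect_ecosystems() {
  dir=$1
  {
    if [ -f "$dir/pyproject.toml" ] && [ -f "$dir/uv.lock" ]; then
      echo uv
    else
      any_file pip "$dir/pyproject.toml" "$dir"/requirements*.txt \
        "$dir/setup.py" "$dir/setup.cfg"
    fi
    any_file cargo "$dir/Cargo.toml"
    any_file npm "$dir/package.json"
    any_file gomod "$dir/go.mod"
    any_file bundler "$dir/Gemfile"
    any_file docker "$dir/Dockerfile" "$dir/docker-compose.yml"
    any_file github-actions "$dir"/.github/workflows/*.yml
    any_file composer "$dir/composer.json"
    any_file nuget "$dir"/*.csproj "$dir"/*.fsproj
  } | sort -u
}

# missing_from_dependabot DIR: detected ecosystems that dependabot.yml does
# not declare (assumed audit check; a missing file means all are missing).
missing_from_dependabot() {
  dir=$1
  cfg="$dir/.github/dependabot.yml"
  declared=""
  if [ -f "$cfg" ]; then
    # Pull the value of every `package-ecosystem:` key, quoted or not.
    declared=$(sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*package-ecosystem:[[:space:]]*"\{0,1\}\([a-z-]*\).*/\1/p' "$cfg")
  fi
  detect_ecosystems "$dir" | while read -r eco; do
    printf '%s\n' "$declared" | grep -qx "$eco" || echo "$eco"
  done
}
```

Run it from the clone directory used in the phases above, e.g. `missing_from_dependabot /tmp/depbot-eval-{repo-slug}`; an empty result means every detected ecosystem is already covered.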

If the file is missing or any condition fails, create a corrective PR:
