Installing Renovate adds an npm package to the selected project environment; pin the reviewed version and avoid global installs for review work., Renovate can update dependency manifests and lockfiles; review generated diffs before approving automerge or grouped updates., Major upgrades, runtime dependencies, toolchain changes, and lockfile churn should be treated as release-blocking until tests and smoke checks pass., The source ZIP is external and version-pinned for reference; package trust should remain a maintainer decision.
Privacy notes
Dependency metadata can reveal package names, repository layout, branch names, internal registry hosts, and release cadence., Keep public review notes focused on package names, versions, config keys, and test results; omit operational details that do not need to be public.
Current risk score 16/100. Use staged verification before broader rollout.
Risk 16
Pre-adoption checks
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Done
Confirm metadata review state
Listing has review metadata.
Done
Verify install payload
Install/config payload exists and can be inspected.
Done
Security checks
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Done
Review privacy notesRequired
Privacy notes are present.
Done
Verify package integrity metadata
No package verification/checksum metadata.
Pending
Rollout
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Pending
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Pending
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Pending
Evidence readiness
Evidence readiness matrix · balanced
Required evidence gates are covered (5/6 signals complete).
Risk 15
Source provenance
Present
Source repository/provenance is listed.
Required in this preset
Metadata review
Present
Review metadata is present.
Required in this preset
Safety notes
Present
Safety notes are present.
Required in this preset
Privacy notes
Present
Privacy notes are present.
Optional in this preset
Package integrity
Missing
Package integrity metadata is missing.
Optional in this preset
Install payload
Present
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
Decision timeline · balanced
5/6 steps complete with no blocking gaps for this preset.
Risk 14
triage
Confirm source provenanceRequired
Source/provenance metadata is available.
Done
triage
Check metadata review statusRequired
Review metadata is available.
Done
verify
Review safety notesRequired
Safety notes are available.
Done
verify
Review privacy notes
Privacy notes are available.
Done
verify
Validate package integrity metadata
Package integrity metadata is missing.
Pending
rollout
Verify install payload and commandsRequired
Install payload is available.
Done
No required blockers for this timeline preset.
Prerequisite readiness
Prerequisite readiness
5 prerequisites to line up before setup. Includes a review or approval gate.
0/5 ready
Configuration2Review & approval1General2
Safety & privacy surface
Safety & privacy surface
4 safety and 2 privacy notes across 3 risk areas.
3 areas
SafetyExecution & processesInstalling Renovate adds an npm package to the selected project environment; pin the reviewed version and avoid global installs for review work.
SafetyLocal filesRenovate can update dependency manifests and lockfiles; review generated diffs before approving automerge or grouped updates.
SafetyLocal filesMajor upgrades, runtime dependencies, toolchain changes, and lockfile churn should be treated as release-blocking until tests and smoke checks pass.
SafetyGeneralThe source ZIP is external and version-pinned for reference; package trust should remain a maintainer decision.
PrivacyGeneralDependency metadata can reveal package names, repository layout, branch names, internal registry hosts, and release cadence.
PrivacyGeneralKeep public review notes focused on package names, versions, config keys, and test results; omit operational details that do not need to be public.
Safety notes
Installing Renovate adds an npm package to the selected project environment; pin the reviewed version and avoid global installs for review work.
Renovate can update dependency manifests and lockfiles; review generated diffs before approving automerge or grouped updates.
Major upgrades, runtime dependencies, toolchain changes, and lockfile churn should be treated as release-blocking until tests and smoke checks pass.
The source ZIP is external and version-pinned for reference; package trust should remain a maintainer decision.
Privacy notes
Dependency metadata can reveal package names, repository layout, branch names, internal registry hosts, and release cadence.
Keep public review notes focused on package names, versions, config keys, and test results; omit operational details that do not need to be public.
Prerequisites
Renovate dependency upgrade PR, config diff, or dependency dashboard item
Dependency manifest and lockfile diff for the reviewed package manager
Renovate config source such as `renovate.json`, package config, or inherited presets
Release notes, changelog, package metadata, or source tag for the updated dependency
Project validation commands and owner policy for grouped updates or automerge
.gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md
cursor
Adapter
.cursor/rules/<skill-name>.mdc
cli
Manual
AGENTS.md or tool-specific context file
Full copyable content
# Trigger
"Apply the Renovate dependency upgrade review capability pack to this PR."
# Required output
1) Renovate package/source version and config inventory
2) Dependency update classification and package-rule analysis
3) Risk, lockfile, validation, and automerge findings
4) Merge, hold, split, or request-changes recommendation
About this resource
Knowledge Freshness
This capability pack is pinned to Renovate 43.210.1 package metadata, source files, and documentation verified on 2026-06-03. The reviewed npm metadata declares Node ^24.11.0 and pnpm ^10.0.0 engine requirements.
Prefer current Renovate docs, npm metadata, and pinned source files over model memory for config names, package-rule behavior, automerge behavior, and runtime requirements.
Scope Note
This is not a generic dependency update checker or a hook that scans manifests after edits. Use it for human-in-the-loop review of Renovate-driven upgrade PRs, grouped updates, package-rule behavior, dependency dashboard items, and automerge readiness.
Core Workflow
Confirm the Renovate package version, docs version, source tag, and runtime requirements used for the review.
Identify the package manager, datasource, dependency name, current version, proposed version, semver class, direct or transitive impact, and runtime or development scope.
Inspect Renovate config sources: presets, extends, package rules, schedules, grouping rules, range strategy, labels, reviewers, and automerge settings.
Classify the update as patch, minor, major, digest, lockfile-only, grouped, replacement, deprecation response, or toolchain change.
Compare release notes, changelog, package metadata, source tags, and migration notes against the project usage.
Review manifest and lockfile diffs for unexpected package additions, manager changes, registry changes, peer dependency shifts, or large transitive churn.
Build a validation plan based on package role: unit tests, integration tests, build, type check, lint, smoke test, or targeted runtime check.
Decide whether to merge, hold, split the group, disable automerge, request config changes, or escalate to a project owner.
Produce a concise review record with evidence links, config keys reviewed, risk class, validation result, and final recommendation.
Capability Scope
Renovate package/source verification
Config, preset, and package-rule review
Dependency dashboard triage
Semver and update-type classification
Grouped update and automerge review
Manifest and lockfile diff review
Test and smoke-check planning
Merge, hold, split, or request-changes decisions
Compatibility
Native
Claude Code / Claude: use as a reusable Agent Skill for Renovate PR and config review.
Codex/OpenAI workflows: use as SKILL.md-style instructions for dependency upgrade review.
Manual Adaptation
Windsurf and Gemini: adapt the workflow and output contract into their skill formats.
Cursor and Generic AGENTS files: convert the production rules and validation checklist into repository-level dependency review rules.
Required Inputs
Renovate package version or hosted Renovate context
Dependency PR URL, dashboard item, or config diff
Package manager and dependency manifest path
Lockfile diff when the package manager uses lockfiles
Renovate config source and inherited presets when available
Project validation commands and merge policy
Production Rules
Do not approve automerge when package rules, grouping, schedules, or validation requirements are unclear.
Do not treat a patch update as low risk until the package role, lockfile impact, and changelog are checked.
Split grouped updates when one package has a major, runtime, toolchain, or migration risk that obscures the rest.
Hold updates that change package managers, registries, peer dependency ranges, or runtime engines without explicit owner review.
Prefer package-specific validation over broad test commands when the dependency has a narrow blast radius.
Require stronger validation for runtime dependencies than for isolated development tooling.
Keep config changes separate from dependency updates when the config change alters future Renovate behavior.
Risk decision: patch/minor/major/toolchain/grouped/automerge class with blockers and caveats.
Validation plan: exact checks needed before merge and why each check maps to the package role.
Recommendation: merge, hold, split, request changes, or escalate with evidence.
Troubleshooting
Issue: Renovate grouped unrelated packages together
Fix: Identify the package rule or preset causing the group, then recommend splitting packages that have different runtime, major-version, or migration risk.
Issue: A minor update causes broad lockfile churn
Fix: Check package manager behavior, peer dependency changes, registry source, and transitive dependency shifts before approving the PR.
Issue: Automerge is enabled but confidence is low
Fix: Disable automerge for that package rule or update class until required tests and smoke checks are stable.
Issue: The PR has no useful release notes
Fix: Fall back to package metadata, source tags, compare views, and project usage. Mark unsupported claims as unknown rather than guessing.
Issue: The dependency dashboard is noisy
Fix: Group by package manager, runtime impact, update type, and owner. Start with blocked updates, failed automerge, and major upgrades.
Validation Checklist
Renovate version, npm metadata, source tag, and docs verified.
Dependency manager, package name, current version, and target version recorded.
Config sources and package rules reviewed.
Update type and package role classified.
Manifest and lockfile diff reviewed.
Release notes, changelog, source tag, or package metadata checked.
Grouping and automerge behavior explained.
Validation commands mapped to package risk.
Merge, hold, split, or request-changes recommendation documented.
Show that Renovate Dependency Upgrade Review Capability Pack Skill is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/skills/renovate-dependency-upgrade-review-capability-pack)
How it compares
Renovate Dependency Upgrade Review Capability Pack Skill side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
✓Installing Renovate adds an npm package to the selected project environment; pin the reviewed version and avoid global installs for review work.
Renovate can update dependency manifests and lockfiles; review generated diffs before approving automerge or grouped updates.
Major upgrades, runtime dependencies, toolchain changes, and lockfile churn should be treated as release-blocking until tests and smoke checks pass.
The source ZIP is external and version-pinned for reference; package trust should remain a maintainer decision.
✓Installing reg-suit adds npm packages to the selected project environment; pin the reviewed package version and avoid global installs for review work.
reg-suit can publish image snapshots and HTML reports through storage plugins such as S3 or Google Cloud Storage; review destination configuration before running in shared CI.
Visual baselines can normalize accidental UI changes if accepted too casually; require owner approval for broad layout, color, text, or viewport changes.
The source ZIP is external and version-pinned for reference; package trust should remain a maintainer decision.
✓Installing Spectral adds npm packages to the selected project environment; pin the reviewed version and avoid global installs for review work.
Spectral can lint local files, globs, and remote contract URLs; review source locations before running checks in shared CI.
Ruleset changes can silently weaken future API gates; review disabled rules, severity changes, and overrides as release-impacting changes.
JavaScript rulesets and custom functions such as `.spectral.js` execute Node.js code; do not run attacker-supplied rulesets from untrusted PRs unless they have been inspected and executed in a sandboxed environment.
The source ZIP is external and version-pinned for reference; package trust should remain a maintainer decision.
✓Installing Vitest and coverage providers adds npm packages to the selected project environment; pin reviewed versions and use project-local installs.
Coverage runs execute the project test suite and can use test fixtures, network mocks, databases, or generated artifacts configured by the project.
Vitest coverage can clean the configured reports directory before a run; confirm the reports directory is disposable before enabling coverage in shared workflows.
Threshold changes can block or unblock CI; review threshold updates separately from test additions.
The source ZIP is external and version-pinned for reference; package trust should remain a maintainer decision.
Privacy notes
✓Dependency metadata can reveal package names, repository layout, branch names, internal registry hosts, and release cadence.
Keep public review notes focused on package names, versions, config keys, and test results; omit operational details that do not need to be public.
✓Rendered UI images and reports can expose environment URLs, branch names, visible UI text, test account data, and product screenshots.
Storage and notification plugins can publish report links to CI systems, pull request comments, chat tools, or cloud buckets.
Keep public review notes focused on changed components, thresholds, artifact links, and summarized findings; omit sensitive rendered content that does not need to be public.
✓OpenAPI files can reveal internal route names, hostnames, example payloads, business object names, and planned endpoints.
Lint reports can include source paths, schema paths, rule names, snippets, and examples from the reviewed contract.
Keep public review notes focused on rule IDs, contract paths, compatibility impact, and summarized examples; omit details that do not need to be public.
✓Coverage output can reveal source paths, module names, uncovered function names, branch structure, report file names, and project layout.
HTML, JSON, LCOV, and JUnit artifacts can include snippets, line ranges, and package structure from the reviewed project.
Keep public review notes focused on aggregate gaps, file groups, risk areas, and validation commands; omit sensitive implementation details that do not need to be public.
Prerequisites
Renovate dependency upgrade PR, config diff, or dependency dashboard item
Dependency manifest and lockfile diff for the reviewed package manager
Renovate config source such as `renovate.json`, package config, or inherited presets
Release notes, changelog, package metadata, or source tag for the updated dependency
UI change, pull request, or release candidate with rendered image artifacts
reg-suit configuration such as `regconfig.json`
Baseline image source, actual image directory, and generated report location
Threshold policy for accepted pixel or rate differences
OpenAPI v2, v3.0, or v3.1 contract file set
Spectral ruleset such as `.spectral.yaml` or an explicit ruleset path
Lint output, CI output, or proposed contract diff
API owner expectations for breaking changes, naming, examples, and release gates
JavaScript or TypeScript project using Vitest or evaluating a Vitest coverage gate
Test command, package manager, and `vitest.config` or Vite config
Current coverage report, changed-file context, or uncovered source inventory
Project risk areas, owner expectations, and release policy for test gaps