Automated Dependency Updates

DevOps · Beginner · 25 minutes

Monitor dependencies, test updates, and create PRs for safe upgrades

Prerequisites

  • OpenClaw installed and running
  • GitHub repository with package.json, requirements.txt, or similar
  • CI/CD pipeline for running tests

Required Skills

  • github-auto-pr: openclaw install github-auto-pr
  • pr-reviewer: openclaw install pr-reviewer
  • ci-status-tracker: openclaw install ci-status-tracker

Installation Steps

1. Install required skills

Install the GitHub PR, PR reviewer, and CI status tracker skills.

openclaw install github-auto-pr pr-reviewer ci-status-tracker

2. Configure update policy

Decide which update types the agent may apply on its own (patch, minor) and which it should only flag for manual review (major). "Auto-apply" here means the agent opens a PR once the tests pass; merging remains a review decision. Keep in mind that a compromised or mis-published upstream release ships as a patch version just as easily as a major one, so the version bump alone is not a safety signal: the SOUL.md rules below add package-level judgment (auth, crypto, database drivers) on top of this policy.

3. Add the config snippet

Copy the configuration below and adjust the update types, grouping strategy, and schedule.

Configuration

{
  "schedules": [
    {
      "name": "dependency-check",
      "cron": "0 10 * * 1",
      "actions": [
        "check-outdated-deps",
        "test-updates",
        "create-update-prs"
      ]
    }
  ],
  "dependencies": {
    "autoUpdate": {
      "types": ["patch", "minor"],
      "exclude": ["major"]
    },
    "testing": {
      "runTests": true,
      "requirePassing": true
    },
    "grouping": {
      "strategy": "by-ecosystem",
      "maxPerPR": 10
    }
  }
}

Add this to your openclaw.json and customize the values for your setup.

SOUL.md

## Dependency Update Judgment
- Be extra cautious with packages that touch auth, crypto, or database drivers. Even patch updates in these areas deserve a closer look — mention the changelog highlights in the PR description.
- If a package has a known history of breaking changes in minor versions (looking at you, TypeScript and ESLint), treat minor updates like majors.
- PR descriptions should include: what was updated, why (security fix? new feature? just keeping current?), and a link to the changelog.
- If tests fail after an update, don't just skip it — report which tests failed and why. The failure itself is useful information.
- Never batch unrelated ecosystems in one PR. React + Tailwind in one PR is fine. React + database driver is not.
- If a dependency hasn't been updated in 2+ years and the update is massive (50+ minor versions behind), flag it for manual review even if tests pass. There may be subtle behavioral changes.

Add this to your SOUL.md to define the agent's behavior for this workflow.
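The openclaw.json policy and the SOUL.md rules together describe one decision procedure: classify each outdated package by SemVer bump, apply the package-level overrides, then group what is safe into per-ecosystem PRs and flag the rest. The following Python model makes that procedure concrete. It is an added example, not OpenClaw's own code: the ecosystem label per package, the sensitive and minor-as-major package lists, and the sample of outdated packages (including the hypothetical old-widget) are all assumptions made for illustration.

```python
"""Dependency-update policy as code: an added example, not OpenClaw's own code.
Models the openclaw.json policy (autoUpdate types, by-ecosystem grouping,
maxPerPR) plus the SOUL.md judgment rules over constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List

POLICY = {  # mirrors the "dependencies" block of openclaw.json
    "autoUpdate": {"types": ["patch", "minor"]},
    "grouping": {"strategy": "by-ecosystem", "maxPerPR": 10},
}
SENSITIVE = {"jsonwebtoken", "bcrypt", "pg", "cryptography", "psycopg2"}  # assumed list
MINOR_IS_MAJOR = {"typescript", "eslint"}  # packages whose minors break things
STALE_DAYS = 2 * 365        # "hasn't been updated in 2+ years"
STALE_MINOR_GAP = 50        # "50+ minor versions behind"

@dataclass(frozen=True)
class Outdated:
    name: str
    ecosystem: str          # assumed per-package label, e.g. "frontend", "database"
    current: str
    latest: str
    current_age_days: int   # how long the project has been pinned to `current`

@dataclass
class Decision:
    dep: Outdated
    bump: str       # "none" | "patch" | "minor" | "major"
    action: str     # "pr" | "manual-review" | "skip"
    reasons: List[str]

def parse_version(v: str) -> tuple:
    """'1.2.3', 'v1.2', '==1.2.3', '1.2.3-rc1+build' -> (major, minor, patch)."""
    core = v.lstrip("v^~=").split("+")[0].split("-")[0]
    nums = [int(p) if p.isdigit() else 0 for p in core.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def bump_type(current: str, latest: str) -> str:
    c, l = parse_version(current), parse_version(latest)
    if l <= c:
        return "none"
    if l[0] != c[0]:
        return "major"
    if l[1] != c[1]:
        # SemVer promises nothing for 0.y.z, so a 0.y bump counts as major
        # (the same rule npm applies to ^0.y ranges).
        return "major" if c[0] == 0 else "minor"
    return "patch"

def decide(dep: Outdated, policy: Dict = POLICY) -> Decision:
    bump = bump_type(dep.current, dep.latest)
    if bump == "none":
        return Decision(dep, bump, "skip", ["already current"])
    effective, reasons = bump, []
    if bump == "minor" and dep.name in MINOR_IS_MAJOR:
        effective = "major"
        reasons.append("minor treated as major: history of breaking minors")
    if dep.name in SENSITIVE:
        reasons.append("auth/crypto/db package: summarise changelog highlights in the PR")
    c, l = parse_version(dep.current), parse_version(dep.latest)
    stale = (dep.current_age_days >= STALE_DAYS and l[0] == c[0]
             and l[1] - c[1] >= STALE_MINOR_GAP)
    if stale:
        reasons.append("stale: 2+ years on current and 50+ minors behind; review even if tests pass")
    auto = effective in policy["autoUpdate"]["types"] and not stale
    if not auto and not reasons:
        reasons.append(f"{effective} update is excluded from auto-update")
    return Decision(dep, bump, "pr" if auto else "manual-review", reasons)

def group_prs(decisions: List[Decision], policy: Dict = POLICY) -> List[Dict]:
    """One PR per ecosystem, split into several when it would exceed maxPerPR."""
    by_eco: Dict[str, List[Decision]] = {}
    for d in decisions:
        if d.action == "pr":
            by_eco.setdefault(d.dep.ecosystem, []).append(d)
    cap = policy["grouping"]["maxPerPR"]
    prs = []
    for eco, items in sorted(by_eco.items()):
        items.sort(key=lambda d: d.dep.name)
        prs += [{"ecosystem": eco, "updates": items[i:i + cap]} for i in range(0, len(items), cap)]
    return prs

SAMPLE = [  # constructed output of a check-outdated-deps run; old-widget is hypothetical
    Outdated("react", "frontend", "18.2.0", "18.3.1", 120),
    Outdated("tailwindcss", "frontend", "3.3.0", "3.4.4", 90),
    Outdated("pg", "database", "8.11.0", "8.11.3", 60),
    Outdated("typescript", "tooling", "5.3.3", "5.5.4", 150),
    Outdated("eslint", "tooling", "8.57.0", "9.8.0", 200),
    Outdated("old-widget", "frontend", "1.2.0", "1.60.3", 900),
    Outdated("zod", "frontend", "3.23.8", "3.23.8", 10),
]

def run(deps: List[Outdated] = SAMPLE):
    """Return (grouped PRs, decisions flagged for manual review)."""
    decisions = [decide(d) for d in deps]
    return group_prs(decisions), [d for d in decisions if d.action == "manual-review"]
```

On the sample, run() yields two PRs (database: pg, with a changelog-highlights reason attached; frontend: react and tailwindcss) and three manual-review flags: typescript because its minor is treated as a major, eslint because the bump is a major, and old-widget because it trips the stale rule even though the bump itself is only a minor. The one rule the model adds beyond the page is the 0.y.z case: SemVer makes no compatibility promise for major version zero, so a 0.9 to 0.10 bump is classified as major rather than minor.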

Expected Behavior

Every Monday, OpenClaw checks for outdated dependencies, runs tests with updates, and creates grouped PRs for safe upgrades (patch and minor versions only). Major version updates are flagged for manual review.

Usage Guide

The dependency check runs every Monday at 10am (cron 0 10 * * 1). Patch and minor updates that pass all tests are grouped into PRs by ecosystem (e.g., all React updates in one PR). Major version updates are flagged in a separate issue for manual review. Adjust the grouping strategy and the maximum number of updates per PR (maxPerPR) as needed.
