Add detailed instructions for dependency manifest and lock file reviews#94

Open: kpj2006 wants to merge 2 commits into AOSSIE-Org:main from kpj2006:patch-1

Conversation

kpj2006 (Contributor) commented Mar 5, 2026

Addressed Issues:

Fixes #93

Screenshots/Recordings:

Additional Notes:

Checklist

  • My code follows the project's code style and conventions
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or errors
  • I have joined the Discord server and I will share a link to this PR with the project maintainers there
  • I have read the Contributing Guidelines

⚠️ AI Notice - Important!

We encourage contributors to use AI tools responsibly when creating Pull Requests. While AI can be a valuable aid, it is essential to ensure that your contributions meet the task requirements, build successfully, include relevant tests, and pass all linters. Submissions that do not meet these standards may be closed without warning to maintain the quality and integrity of the project. Please take the time to understand the changes you are proposing and their impact.

Summary by CodeRabbit

  • Documentation

    • Adds structured guidance for reviewing dependency manifest and lockfile updates, including assessment steps, compatibility checks, risk levels, and migration notes.
  • Chores

    • Expands review tooling content to explicitly handle automated dependency updates and assess potential impacts.

No direct user-facing changes; this release improves review processes and risk analysis for dependency updates.

@github-actions github-actions bot added configuration Configuration file changes size/S Small PR (11-50 lines changed) labels Mar 5, 2026
coderabbitai bot commented Mar 5, 2026

Warning

Ignoring CodeRabbit configuration file changes. For security, only the configuration from the base branch is applied for open source repositories.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 863f515c-713e-4124-bbe6-5ee7eca18f8d

📥 Commits

Reviewing files that changed from the base of the PR and between 45172ee and 888aa31.

📒 Files selected for processing (1)
  • .coderabbit.yaml

Walkthrough

Added a dependency manifest and lockfile analysis block to .coderabbit.yaml under reviews/assets, providing structured, step-by-step review instructions for dependency-bot updates across major package managers (Node, Python, Go, Rust, Java, Ruby).

Changes

Cohort / File(s): Dependency Review Configuration (.coderabbit.yaml)

Summary: Added a 43-line block under reviews/assets that defines structured dependency upgrade analysis for manifest and lock files. Introduces steps: Version Change Assessment, Breaking Change Detection, Codebase Compatibility Check, Risk Analysis, Edge Cases to Verify, and Migration Guidance; concludes with a risk level and justification.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

Documentation

Suggested reviewers

  • Zahnentferner

Poem

🐰 I sniffed the lockfiles, sniffed them true,
Six tidy steps to guide what bots do.
I hop through versions, risks I comb,
Then leave a note to keep your build home. 🥕

Pre-merge checks: 4 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title directly describes the main change: adding detailed instructions for dependency manifest and lock file reviews to the .coderabbit.yaml configuration file.
  • Linked Issues check: Passed. The PR successfully implements all coding requirements from issue #93: updates .coderabbit.yaml with a path_instructions block covering all major package managers (Node, Python, Go, Rust, Java, Ruby) with comprehensive dependency upgrade analysis guidance including version assessment, breaking change detection, codebase compatibility checks, risk analysis, edge case verification, and migration guidance.
  • Out of Scope Changes check: Passed. All changes are directly within scope: the PR modifies only .coderabbit.yaml to add dependency manifest and lock file review instructions as specified in issue #93, with no extraneous changes to unrelated files or functionality.


@github-actions github-actions bot added repeat-contributor PR from an external contributor who already had PRs merged pending-coderabbit-review labels Mar 5, 2026
coderabbitai bot left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.coderabbit.yaml:
- Around line 283-285: The dependency file glob in the .coderabbit.yaml matcher is missing several common lockfile names, so some dependency-only PRs are skipped; update the path glob (the existing path: pattern) to include pnpm-lock.yaml, npm-shrinkwrap.json, build.gradle.kts, and gradle.lockfile (so the dependency-analysis policy will match PRs that modify those lockfiles) while preserving the existing entries like package.json, yarn.lock, requirements.txt, Pipfile*, pyproject.toml, go.mod/sum, Cargo.toml/lock, pom.xml, *.gemspec, Gemfile*, and package-lock.json.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: ed057d34-536e-4d86-9d4a-30af99cc5fec

📥 Commits

Reviewing files that changed from the base of the PR and between bcc461b and 45172ee.

📒 Files selected for processing (1)
  • .coderabbit.yaml
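A way to check the gap the review comment describes, as an added example that is not code from the PR or from CodeRabbit: it models the policy's path glob as a list of basename patterns (an assumption; the real `.coderabbit.yaml` `path:` syntax is not reproduced) and reports which dependency-bot changes in a constructed sample PR would slip past the policy before and after the proposed additions.

```python
"""Which changed files would a dependency-manifest path policy miss?

Added example, not the PR's own code. The file names come from the review
comment; modelling the policy as basename globs is an assumption.
"""
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

# Entries the review comment says the PR's glob already preserves.
EXISTING = [
    "package.json", "package-lock.json", "yarn.lock",
    "requirements.txt", "Pipfile*", "pyproject.toml",
    "go.mod", "go.sum", "Cargo.toml", "Cargo.lock",
    "pom.xml", "*.gemspec", "Gemfile*",
]
# Lockfile names the review comment says are missing from the glob.
PROPOSED_ADDITIONS = [
    "pnpm-lock.yaml", "npm-shrinkwrap.json",
    "build.gradle.kts", "gradle.lockfile",
]


def is_dependency_file(path: str, patterns) -> bool:
    """True if the path's basename matches any pattern, at any depth."""
    name = PurePosixPath(path).name
    return any(fnmatchcase(name, p) for p in patterns)


def unmatched_dependency_changes(changed, patterns):
    """Files that are known manifests/lockfiles (full list) but would NOT
    trigger the dependency-analysis policy under `patterns`."""
    known = EXISTING + PROPOSED_ADDITIONS
    return [f for f in changed
            if is_dependency_file(f, known)
            and not is_dependency_file(f, patterns)]


# Constructed sample of paths a dependency bot might touch in one PR.
SAMPLE_CHANGED = [
    "package.json", "pnpm-lock.yaml", "services/api/go.sum",
    "android/build.gradle.kts", "android/gradle.lockfile", "src/main.py",
]

if __name__ == "__main__":
    print("missed before fix:", unmatched_dependency_changes(SAMPLE_CHANGED, EXISTING))
    print("missed after fix: ",
          unmatched_dependency_changes(SAMPLE_CHANGED, EXISTING + PROPOSED_ADDITIONS))
```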

github-actions bot commented:

Hello 👋 This PR has had no activity for more than 2 weeks. If you are still working on it, please push an update or leave a comment. Ping a maintainer if you believe it is ready for review or merge! This PR will be automatically closed in 7 days if there is no further activity.

@github-actions github-actions bot added the Stale label Mar 20, 2026
kpj2006 (Contributor, Author) commented Mar 22, 2026

under review.

Development: successfully merging this pull request may close the issue "Config: Add Dependency Bot PR Review Instructions to .coderabbit.yaml".