Add detailed instructions for dependency manifest and lock file reviews

.coderabbit.yaml

@@ -278,3 +278,46 @@ reviews:
         - Proper @2x and @3x variants for different screen densities
         - SVG assets are optimized
         - Font files are licensed and optimized
+
+    # Dependency manifest and lock files (e.g. updated by Dependabot, Renovate)
+    - path: >-
+        **/{package.json,package-lock.json,yarn.lock,pnpm-lock.yaml,npm-shrinkwrap.json,requirements.txt,Pipfile,Pipfile.lock,pyproject.toml,poetry.lock,go.mod,go.sum,Cargo.toml,Cargo.lock,pom.xml,build.gradle,build.gradle.kts,gradle.lockfile,*.gemspec,Gemfile,Gemfile.lock}
+      instructions: |
+        This file may be modified by a dependency bot (e.g., Dependabot, Renovate).
+        Perform a structured dependency upgrade analysis:
+
+        **1. Version Change Assessment**
+        - Identify all version bumps (major, minor, patch) and flag major/minor upgrades explicitly.
+        - Check the official release notes, changelog, or migration guide for each upgraded package.
+
+        **2. Breaking Change Detection**
+        - Breaking changes: removed or renamed APIs, changed function signatures, altered behavior.
+        - Deprecated APIs: warn if the codebase uses anything deprecated in the new version.
+        - Configuration changes: new required env vars, config keys, or file structure changes.
+        - Security fixes: highlight CVE patches and confirm they address known vulnerabilities.
+
+        **3. Codebase Compatibility Check**
+        - Locate all files in the repo that import or use the upgraded dependency.
+        - For each usage, verify:
+          - No removed or renamed imports/functions are referenced.
+          - Constructor/function call signatures are compatible.
+          - Any default behavior changes do not silently break existing logic.
+
+        **4. Risk Analysis**
+        - Runtime errors: type mismatches, missing attributes, changed return types.
+        - API incompatibility: breaking interface/type changes (critical for TypeScript).
+        - Logical bugs: subtle behavior changes that don't throw errors but alter outcomes.
+        - Performance regressions: flag if release notes mention perf impacts.
+
+        **5. Edge Cases to Verify**
+        - Backward compatibility with currently pinned peer dependencies.
+        - Changes in default behavior or environment assumptions.
+        - Peer requirement conflicts introduced by the new version.
+        - For TypeScript: type/interface changes that may require type assertion updates.
+
+        **6. Migration Guidance**
+        - If official docs provide migration steps, summarize the required changes and flag
+          specific files in this repo that need updates.
+        - If no migration is required, confirm this explicitly.
+
+        Conclude with a **risk level**: Low / Medium / High, with justification.