pradeepmouli/dependabit-monitor
apps/docs/skills/dependabit-monitor/SKILL.md
Documentation site for dependabit Use when: Polling a set of tracked dependencies for state changes on a schedule..
$ install --global
skillsauthnpx skillsauth add pradeepmouli/dependabit dependabit-monitorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 8, 2026, 2:39 AM107.5s5 files scanned
SKILL.md
- name:
- dependabit-monitor
- description:
- Documentation site for dependabit Use when: Polling a set of tracked dependencies for state changes on a schedule..
@dependabit/monitor
Documentation site for dependabit
When to Use
Use this skill when:
- Polling a set of tracked dependencies for state changes on a schedule. → use
Monitor - Implementing a custom checker for a new access method (e.g., a proprietary API or registry). Register it with Monitor.registerChecker. → use
GitHubRepoChecker - Implementing a custom checker for a new access method (e.g., a proprietary API or registry). Register it with Monitor.registerChecker. → use
URLContentChecker - Implementing a custom checker for a new access method (e.g., a proprietary API or registry). Register it with Monitor.registerChecker. → use
OpenAPIChecker
Do NOT use when:
- You only need to check a single dependency type — instantiate the specific checker (e.g.,
GitHubRepoChecker) directly to avoid loading all built-in checkers.
API surface: 2 functions, 7 classes, 5 types
NEVER
- Concurrent update races: if two
Monitorinstances watch the same dependency and callupdateDependencyon the shared manifest file simultaneously, one write will silently overwrite the other. Serialise monitor runs or use a single sharedMonitorinstance. - ETag drift false positives: the
URLContentCheckerhashes the full HTTP response body. Dynamic content (ads, timestamps, CSP nonces) in the response will produce hash changes that are not real dependency updates. Usemonitoring.ignoreChanges: truefor URLs with high natural churn, or replace them with a more specific checker. - Clock skew:
Scheduler.shouldCheckDependencycomparesdependency.lastCheckedto wall clock time. If the system clock jumps backward (e.g., NTP correction), dependencies may be skipped until the clock catches up to the storedlastCheckedtimestamp. fetchshould throw only for unrecoverable errors (network failure, auth error). Temporary 5xx responses should be retried inside the implementation to avoid marking the dependency as errored.comparereceives the stored previous snapshot and the live current snapshot. Do not assume both snapshots were produced by the same checker version.fetchshould throw only for unrecoverable errors (network failure, auth error). Temporary 5xx responses should be retried inside the implementation to avoid marking the dependency as errored.comparereceives the stored previous snapshot and the live current snapshot. Do not assume both snapshots were produced by the same checker version.fetchshould throw only for unrecoverable errors (network failure, auth error). Temporary 5xx responses should be retried inside the implementation to avoid marking the dependency as errored.comparereceives the stored previous snapshot and the live current snapshot. Do not assume both snapshots were produced by the same checker version.
Configuration
2 configuration interfaces — see references/config.md for details.
Quick Reference
normalizer: normalizeHTML (Normalizes HTML content for consistent comparison), normalizeURL (Normalizes a URL by removing tracking parameters)
Monitor: Monitor (Orchestrates dependency checking across multiple access methods), GitHubRepoChecker (Contract for all dependency checker implementations), URLContentChecker (Contract for all dependency checker implementations), OpenAPIChecker (Contract for all dependency checker implementations), CheckResult (The outcome of a single dependency check performed by Monitor), Checker (Contract for all dependency checker implementations), DependencySnapshot (A point-in-time snapshot of a dependency's state), ChangeDetection (The result of comparing two DependencySnapshot objects)
comparator: StateComparator
severity: SeverityClassifier, Severity
scheduler: Scheduler (Scheduler for per-dependency monitoring
Determines which...)
References
Load these on demand — do NOT read all at once:
- When calling any function → read
references/functions.mdfor full signatures, parameters, and return types - When using a class → read
references/classes/for properties, methods, and inheritance - When defining typed variables or function parameters → read
references/types.md - When configuring options → read
references/config.mdfor all settings and defaults
Links
- Author: Pradeep Mouli [email protected] (https://github.com/pradeepmouli)
Related Skills
pradeepmouli/dependabit
tools
VerifiedTrustedCommunity
Use when working with dependabit (action, detector, github-client, manifest, monitor, test-utils, utils, plugins, plugin-arxiv, plugin-context7, plugin-skills).
1SKILL.mdUpdated May 8, 2026
pradeepmouli/dependabit
tools
VerifiedTrustedCommunity
dependabot for resources, related projects, and knowledge Use when working with dependency, monitoring, security, vulnerability, changelog, version-tracking, github, automation, ai.
1SKILL.mdUpdated Apr 21, 2026
pradeepmouli/dependabit-utils
tools
VerifiedTrustedCommunity
dependabot for resources, related projects, and knowledge Use when working with dependency, monitoring, security, vulnerability, changelog, version-tracking, github, automation, ai.
1SKILL.mdUpdated Apr 21, 2026
pradeepmouli/dependabit-test-utils
tools
VerifiedTrustedCommunity
dependabot for resources, related projects, and knowledge Use when working with dependency, monitoring, security, vulnerability, changelog, version-tracking, github, automation, ai.
1SKILL.mdUpdated Apr 21, 2026