bumpgen

Scans package.json and package-lock.json files to identify outdated npm dependencies by comparing current versions against the npm registry. Uses semantic versioning parsing to categorize updates as major, minor, or patch changes, enabling intelligent update prioritization. The agent maintains a registry of available versions and their release metadata to determine update eligibility and safety.

Generates complete pull requests with updated dependency versions, including modified package.json/package-lock.json files and AI-written commit messages and PR descriptions. The agent uses LLM reasoning to compose contextual PR titles and bodies that explain the update rationale, potential breaking changes, and testing recommendations. Integrates with GitHub API to create PRs directly in target repositories with proper branch management and metadata.

Configures automated update runs on schedules (daily, weekly, monthly) or triggered by events (new dependency versions, security advisories, cron jobs). The agent manages scheduling logic, handles missed runs, and can coordinate updates across multiple repositories on a schedule. Supports backoff strategies for failed runs and can notify teams of update status via webhooks or chat integrations.

Groups related dependency updates into logical batches based on semantic versioning impact, dependency relationships, and project configuration. The agent uses reasoning to decide whether to batch major version updates together or separate them, considers transitive dependency relationships, and can schedule updates across multiple PRs to avoid overwhelming CI/CD pipelines. Respects project-specific configuration for update frequency and batch size constraints.

Executes project test suites after applying dependency updates to validate compatibility before merging. The agent triggers CI/CD pipelines (GitHub Actions, etc.) and monitors test results, collecting pass/fail status and error logs. Can optionally run local test commands if CI/CD is unavailable. Integrates test results into PR status checks and can automatically revert updates that fail validation.

Manages dependency updates across multiple repositories in a monorepo or organization, coordinating updates to maintain consistency and prevent version conflicts. The agent can detect shared dependencies across repos and ensure compatible versions are used everywhere. Supports organization-wide policies for dependency versions and can enforce minimum/maximum version constraints across the entire codebase.

Integrates with vulnerability databases (npm audit, Snyk, GitHub Security Advisory) to identify security vulnerabilities in dependencies and prioritizes updates by severity. The agent analyzes vulnerability metadata (CVSS score, affected versions, exploit availability) and can flag critical vulnerabilities for immediate patching. Generates security-focused PR descriptions explaining vulnerability details and remediation steps.

Automatically fetches and parses changelog files and GitHub release notes for updated dependencies to extract relevant information about breaking changes, new features, and deprecations. The agent uses NLP to identify sections relevant to the update and includes this context in PR descriptions. Supports multiple changelog formats (CHANGELOG.md, HISTORY.md, GitHub Releases API) and can extract structured data about migration requirements.

Allows users to define custom rules for which dependencies to update, when to update them, and how to batch them. Rules can be based on dependency name patterns, version constraints, update type (major/minor/patch), or custom predicates. The agent evaluates rules against each dependency and filters the update list accordingly. Supports rule composition and priority ordering for complex filtering scenarios.

Uses LLM to generate contextual, informative commit messages and PR titles that explain the dependency update rationale, version changes, and potential impact. The agent considers update type (major/minor/patch), changelog content, vulnerability fixes, and project context to compose meaningful messages. Supports customizable message templates and can enforce commit message conventions (Conventional Commits, etc.).

Simulates dependency updates without creating PRs to analyze potential impact on the project. The agent runs dependency resolution, checks for conflicts, estimates build time changes, and can optionally run tests in a sandbox environment. Provides a detailed impact report including breaking changes, new transitive dependencies, and size/performance implications before committing to updates.