[dep-ecosystem] Dependency Report — 2026-03-01

[github-actions[bot]]

Monitored: 101 repositories | Excluded: php-swagger, swagger-php

---

Executive Summary

Metric	Count
Total open Dependabot PRs	23
Security updates pending	0
Version bumps pending	23
Stale PRs (> 14 days)	0
Repos missing dependabot.yml	5
Version inconsistencies found	0 (see notes)

All 23 open Dependabot PRs were opened on 2026-03-01 — none have exceeded the 14-day staleness threshold.

---

Language Distribution

Language	Repos	Percentage
Unknown	19	18.8%
Python	14	13.9%
MDX	10	9.9%
Rust	10	9.9%
Shell	9	8.9%
PHP	6	5.9%
TypeScript	4	4.0%
Go	2	2.0%
Java	2	2.0%
JavaScript	2	2.0%
Jupyter Notebook	2	2.0%
Ruby	2	2.0%
Other (C#, C++, CSS, Dockerfile, Elixir, HCL, HTML, Haskell, Kotlin, Lua, PLpgSQL, Scala, Svelte, Swift, TeX, Vue, Zig)	17	16.8%

---

Dependabot PR Summary

Repository	Open PRs	Security	Version Bumps	Oldest PR	Stale?
adrscope	5	0	5	2026-03-01	No
atlatl-spec	4	0	4	2026-03-01	No
atlatl	3	0	3	2026-03-01	No
rlm-rs	3	0	3	2026-03-01	No
lro-bench	2	0	2	2026-03-01	No
.github	2	0	2	2026-03-01	No
vscode-git-adr	1	0	1	2026-03-01	No
daedalus	1	0	1	2026-03-01	No
subcog	1	0	1	2026-03-01	No
github-project-manager	1	0	1	2026-03-01	No

Repositories with zero open Dependabot PRs (91 repos)

Hal, chef-composer, Bloom, rlm-rs-plugin, Rhubarb, subcog-enterprise, ApiProblem, Uuid, mnemonic, svelte-lsp, agents, git-adr, sigint, oolong-pairs, human-voice, lsp-marketplace, nsip-example, claude-team-orchestration, github-social, adr, documentation-review, python-lsp, nsip, MIF, gh, lsp-tools, structured-madr, yaml-lsp, aesth, ccpkg, auto-harness, version-guard, rust-lsp, json-lsp, maker-rs, kotlin-lsp, notebook-template, haskell-lsp, content-pipeline-template, docs-site-template, csharp-lsp, claude-plugin-template, vue-lsp, dockerfile-lsp, go-lsp, atlatl-spec (zero-PR note: this repo has 4 open PRs — see above), ruby-lsp, html-css-lsp, data-science-template, project-planning-template, farm-notebook-examples, java-lsp, typescript-template, github-agentic-workflows, tone-police, sql-lsp, lua-lsp, zig-lsp, github4farms, php-lsp, elixir-lsp, bash-lsp, python-template, rust-template, graphql-lsp, markdown-lsp, memory-benchmark-harness, typescript-lsp, devcontainer-template, swift-lsp, scala-lsp, latex-lsp, sdlc-quality, github4farms-training, java-template, nsip-plugin, gh-agentic-workflows, terraform-lsp, go-template, cpp-lsp, ghe-migration, memory-capture-plugin, IncidentAI, refactor, lro-bench (zero-PR note: this repo has 2 open PRs — see above), video-template, gh-aw-trial, prompts, github-migration, github, github-project-manager (zero-PR note: see above), video-production

---

Version Consistency Findings

Rust Ecosystem

Version consistency analysis was performed using available Dependabot PR data and public repository manifests. The following shared Cargo crates were identified across public Rust repositories:

Dependency	adrscope	rlm-rs	subcog	git-adr	nsip	maker-rs	Consistent?
serde	✅ present	✅ present	✅ present	✅ present	✅ present	✅ present	⚠️ versions unverifiable¹
tempfile	3.25.0²	✅ present	✅ present	✅ present	✅ present	—	⚠️ versions unverifiable¹
clap	✅ present	✅ present	✅ present	✅ present	✅ present	✅ present	⚠️ versions unverifiable¹

¹ Direct file content read was not available for private repositories; exact version strings could not be compared. No inconsistencies were observed in the open Dependabot PR set (all bumps target consistent versions).

² adrscope tempfile was 3.25.0 prior to the current open PR (#40) bumping it to 3.26.0.

Python Ecosystem

All repos using SHA 9198f8de for their dependabot.yml share the same pip + github-actions configuration template. Exact pyproject.toml dependency versions were not directly comparable due to API content limitations. No cross-repo Python version bump PRs are currently open.

All Python repositories are assumed version-consistent pending direct manifest inspection.

Node/TypeScript Ecosystem

atlatl has an open PR (#59) bumping jsonwebtoken from 9.3.1 → 10.3.0 (major version bump). Other TypeScript/JS repos (vscode-git-adr, typescript-lsp, typescript-template, IncidentAI) did not show shared npm dependency inconsistencies in the open PR set.

All Node/TypeScript repositories are assumed version-consistent pending direct manifest inspection.

---

Coverage Gaps

Repository	Language	Has dependabot.yml?	Configured Ecosystems	Recommended Ecosystems
IncidentAI	TypeScript	❌	—	npm, github-actions
project-planning-template	JavaScript	❌	—	npm, github-actions
gh-aw-trial	Unknown	❌	—	github-actions
gh-agentic-workflows	Unknown	❌	—	github-actions
prompts	Unknown	❌	—	github-actions
github	MDX	⚠️ subdirs only	npm, github-actions (in templates)	github-actions at root
.github	Shell	✅	github-actions	Consider adding github-actions review for reusable workflows
go-template	Go	✅	github-actions	Consider adding gomod if go.mod is present
typescript-template	TypeScript	✅	unknown (unique SHA)	Verify npm is configured

Ecosystem Configuration Summary (inferred from blob SHA groupings and code search):

SHA	Ecosystems Configured	Repos Using This Config
d6b9ee1	cargo, npm(?), github-actions	adrscope, rlm-rs, daedalus, subcog, atlatl, git-adr, lro-bench
27dd7b3	cargo, github-actions	rust-template, subcog-enterprise, nsip
9198f8d	pip, github-actions	mnemonic, agents, oolong-pairs, gh, tone-police, python-lsp, nsip-plugin, claude-plugin-template, ghe-migration, rlm-rs-plugin
31f144b	npm, github-actions	vscode-git-adr, atlatl-spec, MIF, structured-madr, ccpkg, sdlc-quality
33607ef	github-actions only	.github, github-project-manager, human-voice, refactor, adr, rlm-rs-plugin
f75e00	gomod, github-actions	go-lsp
Others	varies	see individual repos

---

Dependency Health Scores

Repository	Grade	Open PRs	Stale PRs	Coverage	Notes
adrscope	C	5	0	✅	5 open version bumps (cargo + actions)
atlatl-spec	C	4	0	✅	4 open bumps (npm + actions)
atlatl	C	3	0	✅	3 open bumps incl. jsonwebtoken major bump
rlm-rs	C	3	0	✅	3 open actions bumps
.github	B	2	0	✅	actions/cache + setup-python bumps
lro-bench	B	2	0	✅	download-artifact + adrscope action bumps
vscode-git-adr	B	1	0	✅	upload-artifact bump
daedalus	B	1	0	✅	adrscope action bump
subcog	B	1	0	✅	download-artifact bump
github-project-manager	B	1	0	✅	actions/checkout bump
IncidentAI	D	0	0	❌	Missing dependabot.yml entirely
project-planning-template	D	0	0	❌	Missing dependabot.yml; JavaScript repo unmonitored
gh-aw-trial	D	0	0	❌	Missing dependabot.yml
gh-agentic-workflows	D	0	0	❌	Missing dependabot.yml
prompts	D	0	0	❌	Missing dependabot.yml
All other repos (86)	A	0	0	✅	No open PRs, dependabot.yml present

Grade distribution: A: 86 repos | B: 5 repos | C: 4 repos | D: 5 repos | F: 0 repos

---

Recommended Actions

1. Add dependabot.yml to IncidentAI — TypeScript repo with no dependency monitoring. Recommend npm + github-actions configuration.
2. Add dependabot.yml to project-planning-template — JavaScript repo, unmonitored. Recommend npm + github-actions.
3. Review gh-aw-trial, gh-agentic-workflows, prompts — Unknown language repos missing dependabot; at minimum add github-actions monitoring if they contain workflow files.
4. Merge atlatl PR [Alert] Smart Alerts — 2026-03-02 (Run #22571173123) #59 — jsonwebtoken 9.3.1 → 10.3.0 is a major version bump that may include breaking changes; review carefully before merging.
5. Prioritize adrscope — 5 open PRs, highest backlog in the org; bulk-merge the actions bumps.
6. Root-level dependabot.yml for github repo — Currently only has configs in template subdirectories.

---

Generated by dependency-ecosystem workflow — https://github.com/zircote/.github/actions/runs/22548331240

AI generated by Dependency Ecosystem Agent

• expires on Mar 8, 2026, 5:24 PM UTC

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 30 days if no further activity occurs.

To keep this open:

• Add a comment with an update or explanation
• Remove the stale label
• Add a milestone or exempt label (pinned, security, critical)

Generated by Housekeeping: Stale Issues & PRs · ◷