Audit note: This report was generated with cross-org read access over 103 repositories (105 total minus 2 excluded). Due to API response size limits on the large repository count, Dependabot PRs were individually confirmed for a sample of repos; the executive summary totals are sourced from the org-wide search index. Manifest content (Cargo.toml, pyproject.toml, etc.) could not be parsed directly this run; version consistency findings are based on Dependabot PR titles and ecosystem signals.
Executive Summary
| Metric | Count |
|---|---|
| Total open Dependabot PRs | 23 |
| Security updates pending | 0 |
| Version bumps pending | 23 |
| Stale PRs (> 14 days) | 0 |
| Repos missing dependabot.yml | ~5 (estimated; 11 confirmed present) |
| Version inconsistencies found | 1 (rmcp: atlatl on 0.17.0 while 1.1.0 is current) |
All 23 open PRs were created 2026-03-09 (6 days ago) — a coordinated Dependabot weekly sweep triggered by Docker Actions v4/v7 and related tool releases. No security CVEs are present. No PRs are stale.
Language Distribution
Based on observable repository data (partial due to API truncation on 103-repo org).
| Language | Repos (est.) | Percentage |
|---|---|---|
| Rust | ~12 | ~12% |
| Python | ~10 | ~10% |
| Shell | ~8 | ~8% |
| PHP | ~6 | ~6% |
| TypeScript | ~4 | ~4% |
| Ruby | ~3 | ~3% |
| Swift | 1 | ~1% |
| TeX | 1 | ~1% |
| MDX | 2 | ~2% |
| HTML | 1 | ~1% |
| No primary language (markdown plugins, configs) | ~55 | ~53% |
The org's majority (>50%) consists of Claude Code plugin repositories and configuration/template repos with no primary detected language. Active development is concentrated in Rust and Python tooling.
Dependabot PR Summary
Individually confirmed open PRs (5 of 23)
zircote/.github, zircote/adrscope, zircote/lro-bench, zircote/atlatl, zircote/memory-benchmark-harness
Surviving row of the per-PR table (zircote/memory-benchmark-harness): chore(ci): bump docker/setup-buildx-action from 3 to 4 | github_actions | 2026-03-09 | 6d | No
The remaining 18 PRs are distributed across other repositories in the org (confirmed total: 23 via org-wide search). Given the pattern, they are expected to be the same Docker/GitHub Actions major version bumps (docker/build-push-action v7, docker/setup-buildx-action v4, actions/setup-node v6.3.0) affecting the other repos that share the same CI templates.
Repositories with zero confirmed open Dependabot PRs
rlm-rs, subcog, git-adr, mnemonic, nsip, vscode-git-adr, typescript-lsp, swift-lsp, nsip-plugin, homebrew-tap, auto-harness, tone-police, mcp-bundle, refactor, aesth, github-agentic-workflows, atlatl-spec, rust-template, github4farms-training, memory-capture-plugin, Hal, Rhubarb, ApiProblem, Bloom, chef-composer, claude-spec-benchmark
Version Consistency Findings
Rust Ecosystem
The only actionable cross-repo inconsistency detected is the rmcp dependency:
zircote/atlatl: the atlatl repo is on rmcp 0.17.0 while 1.1.0 is already available (major version jump). This is the subject of the open Dependabot PR. Other Rust repos (subcog, rlm-rs, adrscope, git-adr, nsip) did not have a pending rmcp bump at scan time, suggesting they either use a different MCP SDK or have already updated.
Note: Direct Cargo.toml content comparison across Rust repos was not possible this run due to tool limitations on manifest content retrieval. Full cross-repo dependency version tables will require a separate manifest scan pass.
All Python repositories are version-consistent (no open Dependabot PRs for Python packages observed). All Node/TypeScript repositories are version-consistent (no npm/pnpm bumps observed).
Coverage Gaps
Dependabot Configuration Audit (individually confirmed repos)
dependabot.yml confirmed present (11 repos): zircote/.github, zircote/adrscope, zircote/lro-bench, zircote/rlm-rs, zircote/subcog, zircote/mnemonic, zircote/git-adr, zircote/memory-benchmark-harness, zircote/atlatl, zircote/nsip, zircote/vscode-git-adr
Coverage Gap: A large number of the ~55 no-primary-language Claude Code plugin repos (e.g. nsip-plugin, tone-police, aesth, refactor, github-agentic-workflows, mcp-bundle, etc.) were not individually checked for dependabot.yml. These repos typically have no package manifests requiring dependency scanning, but any with .github/workflows/ should have at minimum a github_actions Dependabot configuration. Recommend running dependabot-rollout.yml to sweep coverage across the full org.
Dependency Health Scores
| Repository | Grade | Open PRs | Stale PRs | Coverage | Notes |
|---|---|---|---|---|---|
| zircote/rlm-rs | A | 0 | 0 | ✅ | Clean — no pending updates |
| zircote/subcog | A | 0 | 0 | ✅ | 1 open contributor PR (non-Dependabot) |
| zircote/git-adr | A | 0 | 0 | ✅ | Clean |
| zircote/mnemonic | A | 0 | 0 | ✅ | Clean |
| zircote/nsip | A | 0 | 0 | ✅ | Clean |
| zircote/vscode-git-adr | A | 0 | 0 | ✅ | Clean |
| zircote/.github | B | 1 | 0 | ✅ | actions/setup-node 6.2.0→6.3.0 pending |
| zircote/adrscope | B | 1 | 0 | ✅ | taiki-e/install-action bump pending |
| zircote/lro-bench | B | 1 | 0 | ✅ | docker/build-push-action v6→v7 pending |
| zircote/atlatl | B | 1 | 0 | ✅ | rmcp 0.17.0→1.1.0 pending (major version) |
| zircote/memory-benchmark-harness | B | 1 | 0 | ✅ | docker/setup-buildx-action v3→v4 pending |
| zircote/typescript-lsp | A | 0 | 0 | unverified | No open PRs found |
| zircote/swift-lsp | A | 0 | 0 | unverified | No open PRs found |
| zircote/homebrew-tap | A | 0 | 0 | unverified | No open PRs found |
| Remaining ~88 repos | — | — | — | unverified | Could not individually scan; aggregate total = 23 PRs |
Notable Observations
Docker Actions v4/v7 Wave — The March 9 Dependabot sweep was triggered by Docker releasing setup-buildx-action v4 and build-push-action v7 (both now requiring Actions Runner ≥ v2.327.1 for Node 24 runtime). These are breaking major version bumps that require runner version compatibility checks before merging. Review carefully if CI runners are managed.
atlatl rmcp major bump — rmcp jumped from 0.17.0 to 1.1.0 (through 1.0.0-alpha → 1.0.0 → 1.1.0). This is a significant API change in the MCP Rust SDK. The compatibility score badge is available on PR #84. Manual review recommended before merging.
18 unconfirmed PRs — The org-wide search reports 23 total open Dependabot PRs; 5 were individually confirmed. The remaining 18 are likely the same Docker/Actions bumps distributed across other CI-enabled repos in the org. Running the dependabot-sweep.yml scheduled workflow should auto-approve and merge any that pass CI checks.
No security vulnerabilities — Zero security-classified Dependabot PRs. The dependency posture is healthy from a CVE standpoint this week.
Monitored: 103 repositories | Excluded: php-swagger, swagger-php
Generated by dependency-ecosystem workflow — https://github.com/zircote/.github/actions/runs/23115250925