[dep-ecosystem] Dependency Report — 2026-03-22

[github-actions[bot]]

Monitored: 76 repositories | Excluded: php-swagger, swagger-php

---

Executive Summary

Metric	Count
Total open Dependabot PRs	55
Security updates pending	0
Version bumps pending	55
Stale PRs (> 14 days)	4
Repos missing dependabot.yml	1
Version inconsistencies found	1

✅ No security vulnerabilities detected across the organization this week.

---

Language Distribution

Language	Repos	Percentage
Python	10	13.2%
Rust	7	9.2%
PHP (legacy)	6	7.9%
MDX / Markdown	4	5.3%
TypeScript	2	2.6%
Ruby	2	2.6%
Shell	3	3.9%
JavaScript	1	1.3%
Go	1	1.3%
Java	1	1.3%
Other (Svelte, Elixir, Swift, TeX, Scala)	5	6.6%
No primary language / config-only	34	44.7%
Total	76	100%

Note: Many repos are Claude Code plugins, LSP integrations, and specification documents with no compiled language. Language detection uses GitHub's primary language field.

---

Dependabot PR Summary

Repository	Open PRs	Security	Version	Oldest PR	Stale?
daedalus	7	0	7	2026-03-02	⚠️ yes
adrscope	6	0	6	2026-03-16	no
lro-bench	5	0	5	2026-03-02	⚠️ yes
github-migration	5	0	5	2026-03-02	⚠️ yes
maker-rs	4	0	4	2026-03-09	no
.github	4	0	4	2026-03-09	no
atlatl-spec	3	0	3	2026-03-16	no
docs-site-template	3	0	3	2026-03-16	no
content-pipeline-template	2	0	2	2026-03-02	⚠️ yes
atlatl	2	0	2	2026-03-09	no
memory-benchmark-harness	2	0	2	2026-03-09	no
subcog	1	0	1	2026-03-16	no
ccpkg	1	0	1	2026-03-16	no
subcog-enterprise	1	0	1	2026-03-16	no
java-template	1	0	1	2026-03-16	no
notebook-template	1	0	1	2026-03-16	no
data-science-template	1	0	1	2026-03-16	no
python-template	1	0	1	2026-03-16	no
github-project-manager	1	0	1	2026-03-16	no
typescript-template	1	0	1	2026-03-16	no
rlm-rs	1	0	1	2026-03-16	no
MIF	1	0	1	2026-03-16	no
structured-madr	1	0	1	2026-03-16	no

Stale PRs requiring attention (> 14 days old):

PR	Title	Age
daedalus#15	ci: bump zircote/adrscope (SHA pin update)	20 days
lro-bench#17	ci: bump zircote/adrscope (SHA pin update)	20 days
github-migration#1	ci(deps): bump actions/attest-build-provenance from 3 to 4	20 days
content-pipeline-template#30	ci: bump actions/upload-artifact from 6.0.0 to 7.0.0	20 days

Repositories with zero open Dependabot PRs (53 repos)

mnemonic, git-adr, nsip, rust-lsp, Hal, Bloom, Rhubarb, ApiProblem, Uuid, agents, human-voice, vscode-git-adr, autoresearch, claude-spec-benchmark, homebrew-tap, go-lsp, java-lsp, typescript-lsp, refactor, oolong-pairs, python-lsp, tone-police, rust-template, rlm-rs-plugin, nsip-plugin, elixir-lsp, swift-lsp, chef-composer, sigint, nsip-example, memory-capture-plugin, lsp-marketplace, gh, svelte-lsp, scala-lsp, latex-lsp, bash-lsp, graphql-lsp, github4farms-training, lsp-marketplace, php-lsp, java-lsp, go-lsp, typescript-lsp, mnemonic, python-lsp, nsip-plugin, tone-police, scala-lsp, lsp-marketplace, swift-lsp, elixir-lsp, bash-lsp

---

Version Consistency Findings

Rust Ecosystem

Dependency	subcog	atlatl	daedalus	adrscope	Consistent?
rmcp	1.1.1	0.17.0	—	—	❌
clap	—	—	4.5.60	4.5.60	✅
tempfile	—	—	3.26.0	3.26.0	✅

⚠️ rmcp divergence detected: atlatl is running rmcp v0.17.0 while subcog is at v1.1.1 — a major version gap (1+ major versions behind). Atlatl's pending Dependabot PR (#84) targets v1.1.0 as its first step but still requires a follow-up bump to reach parity with subcog at v1.2.0. Both repos use this MCP communication library, so API compatibility divergence could cause integration issues.

Node/TypeScript Ecosystem

Dependency	atlatl-spec	docs-site-template	Consistent?
@astrojs/starlight	0.37.7	0.37.7	✅
astro	5.18.0	—	—

All Node/TypeScript repositories are otherwise version-consistent within observed shared dependencies.

GitHub Actions Ecosystem

Common actions (actions/checkout, actions/upload-artifact, actions/download-artifact, docker/*) show consistent pending target versions across all repositories — all bumping to the same latest versions. No cross-repo action version divergence detected.

---

Coverage Gaps

Repository	Language	Has dependabot.yml?	Configured Ecosystems	Recommended Ecosystems
autoresearch	Python	❌	—	pip, github-actions

All other 75 monitored repositories have a .github/dependabot.yml file present.

Ecosystem configuration patterns observed:

• Rust repos (daedalus, subcog, adrscope, atlatl, etc.): cargo + github-actions
• Node repos (atlatl-spec, docs-site-template, typescript-template): npm + github-actions
• Python repos (mnemonic, python-lsp, etc.): pip + github-actions
• Config/plugin-only repos (.github, MIF, structured-madr, ccpkg): github-actions only
• Legacy PHP repos (Hal, Bloom, Rhubarb, etc.): github-actions only (no composer configured — low priority given inactivity)

---

Dependency Health Scores

Repository	Grade	Open PRs	Stale PRs	Coverage	Notes
daedalus	D	7	1	✅	>5 open PRs; 1 stale adrscope SHA pin
adrscope	D	6	0	✅	>5 open PRs; accumulating fast
autoresearch	D	0	0	❌	Missing dependabot.yml entirely
lro-bench	C	5	1	✅	1 stale adrscope SHA pin
github-migration	C	5	1	✅	1 stale actions/attest-build-provenance
content-pipeline-template	C	2	1	✅	1 stale actions/upload-artifact
maker-rs	C	4	0	✅	Docker v3→v4 major bumps pending
.github	C	4	0	✅	actions/create-github-app-token beta→stable
atlatl-spec	C	3	0	✅	astro v5→v6 major bump pending
docs-site-template	C	3	0	✅	@astrojs/mdx major bump pending
atlatl	B	2	0	✅	rmcp v0.17→v1.1 pending; major version gap
memory-benchmark-harness	B	2	0	✅	Docker major bumps pending
subcog	B	1	0	✅	rmcp v1.1.1→v1.2.0
ccpkg	B	1	0	✅	gh-aw bump
subcog-enterprise	B	1	0	✅	taiki-e/install-action
java-template	B	1	0	✅	codeql-action
notebook-template	B	1	0	✅	astral-sh/setup-uv
data-science-template	B	1	0	✅	astral-sh/setup-uv
python-template	B	1	0	✅	astral-sh/setup-uv
github-project-manager	B	1	0	✅	gh-aw bump
typescript-template	B	1	0	✅	pnpm/action-setup
rlm-rs	B	1	0	✅	actions/download-artifact
MIF	B	1	0	✅	gh-aw bump
structured-madr	B	1	0	✅	actions/download-artifact
(52 other repos)	A	0	0	✅	No open PRs, dependabot.yml present

Grade distribution: A: 52 | B: 14 | C: 7 | D: 3 | F: 0

---

Recommendations

1. Merge stale PRs immediately — All 4 stale PRs are CI/actions bumps with no breaking changes. Priority: github-migration#1 (attest-build-provenance v3→v4) and the two adrscope SHA pin updates.
2. Resolve rmcp divergence — After merging atlatl#84 (0.17.0→1.1.0), add a follow-up bump to reach v1.2.0 parity with subcog.
3. Add dependabot.yml to autoresearch — Copy the Python template config (pip + github-actions ecosystems).
4. Triage daedalus and adrscope backlogs — Both repos have 6-7 open PRs. Consider enabling Dependabot auto-merge for low-risk patch/minor CI bumps.
5. Review astro v5→v6 major bump in atlatl-spec — Major version bump requires manual validation before merging.

---

Generated by dependency-ecosystem workflow — https://github.com/zircote/.github/actions/runs/23408198396

AI generated by Dependency Ecosystem Agent · history

• expires on Mar 29, 2026, 5:24 PM UTC