Dependency Consolidation Process
Added: 2026-02-09 Status: Active process
Overview
Dependabot PRs are consolidated into single author-owned PRs rather than merged individually. This keeps the git history clean, gives each update an explicit risk assessment before it is applied, and follows the Zero Attribution Policy.
Process
1. Gather Open Dependabot PRs
```shell
gh pr list --state open --author "app/dependabot" --json number,title,headRefName
```
2. Risk Assessment
Analyze each PR’s diff and categorize:
| Pattern | Risk | Action |
|---|---|---|
| 1.2.3 → 1.2.4 (patch) | Low | Apply |
| 1.2.3 → 1.3.0 (minor) | Low | Apply |
| 1.2.3 → 2.0.0 (major) | High | Skip |
| `*-ALPHA-*` versions | Medium | Check Kotlin version compatibility |
| `*-RC*` or `*-beta*` | Medium | Skip unless explicitly needed |
| `*-compat` suffix | Medium | Skip, investigate purpose |
| Kotlin version-tied deps | Medium | Skip if Kotlin version unchanged |
Kotlin-tied dependencies require special attention. Libraries like kotlinx-serialization, kotlinx-datetime, and kmp-nativecoroutines are version-locked to specific Kotlin versions. Updating them without updating Kotlin will cause build failures.
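A worked version of the risk assessment above, added here as an example and not part of the project's /consolidate-dependabot skill: it parses Dependabot PR titles of the form "Bump NAME from OLD to NEW", applies the risk table, and prints APPLY/SKIP/REVIEW lines in the shape of the commit message's "Updates applied / skipped" lists from step 6. The sample titles and versions are constructed; the precedence order (Kotlin-tied libraries first, then pre-release and -compat markers, then semver distance) and the assumption that Kotlin itself is not bumped during a consolidation are choices of this example, not rules stated by the process.

```shell
#!/bin/sh
# Added example; not the project's own tooling. Classifies Dependabot PR titles
# with the risk table from this doc and drafts the applied/skipped lists.
# Assumption: Kotlin itself is not bumped during a consolidation (Kotlin upgrades
# are dedicated work items), so Kotlin-tied libraries are always skipped here.

# Libraries named in this doc as version-locked to the Kotlin version.
is_kotlin_tied() {
  case "$1" in
    *kotlinx-serialization*|*kotlinx-datetime*|*kmp-nativecoroutines*) return 0 ;;
    *) return 1 ;;
  esac
}

# classify_update NAME OLD NEW  ->  "<kind> <risk> <action>"
# Precedence chosen for this example: Kotlin-tied first, then pre-release and
# -compat markers on the new version, then the semver distance of the bump.
classify_update() {
  if is_kotlin_tied "$1"; then
    echo "kotlin-tied Medium Skip (Kotlin version unchanged)"; return
  fi
  case "$3" in
    *-ALPHA-*|*-alpha-*) echo "alpha Medium Check Kotlin version compatibility"; return ;;
    *-RC*|*-rc*|*-beta*)  echo "prerelease Medium Skip unless explicitly needed"; return ;;
    *-compat*)            echo "compat Medium Skip, investigate purpose"; return ;;
  esac
  old_major=${2%%.*}; new_major=${3%%.*}
  old_rest=${2#*.};   new_rest=${3#*.}
  old_minor=${old_rest%%.*}; new_minor=${new_rest%%.*}
  if [ "$old_major" != "$new_major" ]; then
    echo "major High Skip"
  elif [ "$old_minor" != "$new_minor" ]; then
    echo "minor Low Apply"
  else
    echo "patch Low Apply"
  fi
}

# parse_title "Bump NAME from OLD to NEW [in DIR]" -> "NAME OLD NEW"
# Returns 1 for titles of another shape (e.g. grouped updates), which need
# a manual look at the diff instead of automatic classification.
parse_title() {
  case "$1" in
    "Bump "*" from "*" to "*) ;;
    *) return 1 ;;
  esac
  t_rest=${1#Bump }
  t_name=${t_rest%% from *}
  t_rest=${t_rest#* from }
  t_old=${t_rest%% to *}
  t_new=${t_rest#* to }
  t_new=${t_new%% in *}
  echo "$t_name $t_old $t_new"
}

# triage_titles: one PR title per line on stdin -> one APPLY/SKIP/REVIEW line each.
triage_titles() {
  while IFS= read -r title; do
    [ -n "$title" ] || continue
    if ! parsed=$(parse_title "$title"); then
      echo "REVIEW $title"; continue
    fi
    set -- $parsed
    verdict=$(classify_update "$1" "$2" "$3")
    kind=${verdict%% *}; v_rest=${verdict#* }
    risk=${v_rest%% *};  action=${v_rest#* }
    case "$action" in
      Apply) echo "APPLY $1: $2 -> $3" ;;
      *)     echo "SKIP $1: $2 -> $3 ($risk risk, $kind: $action)" ;;
    esac
  done
}

# Constructed sample titles (versions are invented, not real Dependabot PRs).
SAMPLE_TITLES='Bump androidx.core:core-ktx from 1.13.1 to 1.15.0
Bump com.google.firebase:firebase-bom from 33.7.0 to 33.8.0
Bump org.jetbrains.kotlinx:kotlinx-serialization-json from 1.7.3 to 1.8.0
Bump actions/checkout from 4.1.7 to 4.2.2
Bump com.rickclephas.kmp:kmp-nativecoroutines-core from 1.0.0-ALPHA-41 to 1.0.0-ALPHA-43
Bump io.mockk:mockk from 1.13.13 to 2.0.0
Bump org.jetbrains.kotlinx:kotlinx-coroutines-core from 1.9.0 to 1.10.0-RC
Bump the github-actions group with 3 updates'

# triage_sample: run the triage over the constructed titles.
triage_sample() {
  printf '%s\n' "$SAMPLE_TITLES" | triage_titles
}

# Real usage would feed `gh pr list ... --json title` output instead of the sample.
triage_sample
```

The APPLY lines map directly onto "Updates applied:" and the SKIP lines onto "Updates skipped (risky):" in the commit message; REVIEW lines are the grouped or unusual PRs whose diff still has to be read by hand.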
3. Create Consolidated Branch
```shell
git checkout main && git pull
git checkout -b deps/consolidated-updates-<month>
```
4. Apply Safe Updates
Edit the relevant files:
- gradle/libs.versions.toml — Gradle dependency versions
- .github/workflows/*.yml — GitHub Actions SHA pins
- app/build.gradle.kts — If needed (Firebase BOM, etc.)
5. Test Build
```shell
JAVA_HOME=$(/usr/libexec/java_home -v 21) ./gradlew assembleDebug
```
If the build fails, revert the problematic update and re-test.
6. Commit and Create PR
```shell
git commit -m "deps: Consolidated dependency updates (<Month> <Year>)

Updates applied:
- <package>: <old> → <new>

Updates skipped (risky):
- <package>: <old> → <new> (reason)"
git push -u origin deps/consolidated-updates-<month>
gh pr create --title "deps: Consolidated dependency updates (<Month> <Year>)"
```
7. Close Dependabot PRs
After the consolidated PR is created, close all original Dependabot PRs with a reference:
```shell
for pr in <list>; do
  gh pr close "$pr" --comment "Superseded by #<new PR> - Consolidated dependency update."
done
```
Common Risky Updates
Kotlin Version Bumps
Kotlin minor version bumps (e.g., 2.2.x → 2.3.x) are high risk because:
- KSP version must match (ksp = "2.2.21-2.0.4" won't work with Kotlin 2.3.x)
- Kotlin-tied libraries may need simultaneous updates
- Compose compiler compatibility may change
Approach: Plan Kotlin upgrades as dedicated work items, not dependency consolidation.
GitHub Actions SHA Pins
Actions pinned by SHA (e.g., uses: owner/action@abc123) require checking the new SHA against the action’s releases to understand what changed. Prefer updating to the latest release tag’s SHA.
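One way to do that check, added here as an example and not the project's own tooling: resolve the SHA Dependabot proposes to the release tag(s) that point at it, from the output of `git ls-remote --tags https://github.com/<owner>/<action>`. The ls-remote output below is a constructed sample with placeholder SHAs, not real action releases. The caveat the example handles is that an annotated tag appears twice in ls-remote output, once as the tag object and once as a peeled `<tag>^{}` line carrying the commit; the SHA in a `uses:` line must be the commit, so for such tags only the peeled SHA counts as a valid pin.

```shell
#!/bin/sh
# Added example; not the project's own tooling. Resolves a SHA pinned in a
# workflow's `uses:` line to the release tag(s) that point at it, from the
# output of `git ls-remote --tags https://github.com/<owner>/<action>`.
# Caveat handled: an annotated tag lists two lines, the tag object and a
# peeled "<tag>^{}" line with the commit. The SHA in `uses:` must be the
# commit (the peeled line), so for such tags only the peeled SHA counts.

# sha_to_tags SHA  (ls-remote output on stdin) -> tag names, one per line;
# exit status 1 when no release tag's commit matches the SHA.
sha_to_tags() {
  awk -v want="$1" '
    {
      sha = $1; ref = $2
      sub("^refs/tags/", "", ref)
      if (substr(ref, length(ref) - 2) == "^{}") {
        ref = substr(ref, 1, length(ref) - 3)   # peeled entry: sha is the commit
        peeled[ref] = 1; commit[ref] = sha
      } else {
        plain[ref] = sha                        # lightweight tag, or a tag object
      }
    }
    END {
      # A plain entry is the commit only when no peeled entry exists for that tag.
      for (t in plain) if (!(t in peeled)) commit[t] = plain[t]
      n = 0
      for (t in commit) if (commit[t] == want) { print t; n++ }
      exit n ? 0 : 1
    }'
}

# Constructed ls-remote output with placeholder SHAs (not real action releases):
# v4.2.1 is a lightweight tag, v4.2.2 is annotated (tag object 2222..., commit
# 3333...), and the floating v4 tag points at the same commit 3333....
SAMPLE_LS_REMOTE='1111111111111111111111111111111111111111 refs/tags/v4.2.1
2222222222222222222222222222222222222222 refs/tags/v4.2.2
3333333333333333333333333333333333333333 refs/tags/v4.2.2^{}
3333333333333333333333333333333333333333 refs/tags/v4'

# sample_tags_for SHA: run the check against the constructed sample.
sample_tags_for() {
  printf '%s\n' "$SAMPLE_LS_REMOTE" | sha_to_tags "$1"
}

# Real usage: git ls-remote --tags https://github.com/<owner>/<action> | sha_to_tags <sha>
# On the sample, 3333... resolves to v4.2.2 and v4; 2222... (the tag object)
# resolves to nothing, which is the signal that it is not a valid commit pin.
sample_tags_for 3333333333333333333333333333333333333333
```

If the SHA resolves to no tag, either the action has no release at that commit or the pin points at a tag object rather than a commit; both cases are worth reading the action's release notes before applying the bump.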
Firebase BOM
Firebase BOM minor bumps are generally safe. The BOM manages transitive dependency versions, so individual Firebase library versions don’t need manual tracking.
Frequency
Consolidation runs roughly monthly, or when Dependabot PR count exceeds 5. The /consolidate-dependabot skill automates most of this process.
Related Documentation
- Gradle Version Catalog & BOM Management - Gradle dependency management
- Firebase KTX Deprecation - Firebase-specific dependency notes
- CD Operations Index - CI/CD overview
Tags: dependencies gradle maintenance process