Skip to content

Add dependency version pin guidance to add-rebase-rules skill#749

Open
sbouchet wants to merge 5 commits into
che-incubator:mainfrom
sbouchet:skill/add-rebase-rules-dep-guidance
Open

Add dependency version pin guidance to add-rebase-rules skill#749
sbouchet wants to merge 5 commits into
che-incubator:mainfrom
sbouchet:skill/add-rebase-rules-dep-guidance

Conversation

@sbouchet

@sbouchet sbouchet commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Clarify when to use .rebase/add/ vs .rebase/override/ for dependency version pins (e.g. CVE fixes)
  • Override for existing upstream deps that need a different version, add for npm overrides absent from upstream
  • Never use .rebase/replace/ (text replacement) for package.json version changes
  • Place each entry in the file where the dependency actually lives in upstream

Test plan

  • Review the guidance in .claude/skills/add-rebase-rules/SKILL.md

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation
    • Clarified guidance for creating dependency version rules.
    • Added instructions for choosing override or add rules, including npm overrides.
    • Clarified where dependency entries should be placed and when replacement rules should not be used.

Clarify when to use .rebase/add/ vs .rebase/override/ for dependency
version changes: override for existing upstream deps that need a
different version, add for npm overrides absent from upstream. Never
use .rebase/replace/ for package.json version changes.

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Click here to review and test in web IDE: Contribute

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@sbouchet, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 13 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 174a4354-1391-4df1-9de9-617733120087

📥 Commits

Reviewing files that changed from the base of the PR and between 39ad37a and b1674fa.

📒 Files selected for processing (1)
  • .claude/skills/add-rebase-rules/SKILL.md
📝 Walkthrough

Walkthrough

Updated the add-rebase-rules skill instructions to clarify dependency version pin handling in package.json. The guidance distinguishes .rebase/override/ from .rebase/add/, prohibits .rebase/replace/ for version changes, and requires entries to use the upstream package.json path where the dependency resides.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Possibly related PRs

Suggested reviewers: rgrunber, azatsarynnyy, vitaliy-guliy

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise, imperative, and accurately summarizes the dependency version pin guidance added to the add-rebase-rules skill.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Rebase Rules For Upstream Changes ✅ Passed The PR changes upstream code/ package.json files and adds matching .rebase rules plus a CHANGELOG entry; rebase.sh already routes those exact paths.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@tolusha

tolusha commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

  • /che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
  • /che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
  • /che-ai-assistant check-pr-test-failures — Analyze failing CI checks, identify root causes, and suggest fixes
  • /che-ai-assistant help — Show this help message

@tolusha

tolusha commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

⚠️ Warning: IDE/tool configuration files detected

This PR contains changes to files in directories that are typically not intended to be committed:

  • .claude/skills/add-rebase-rules/SKILL.md

Please verify these changes are intentional.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

@github-actions

Copy link
Copy Markdown
Contributor

- **Choosing add vs override for dependency version pins (e.g. CVE fixes):**
- If the dependency already exists in the upstream `package.json` (in `dependencies`, `devDependencies`, etc.) and we need a different version → use `.rebase/override/` with the correct section. This is an override of an existing upstream value.
- If the fix uses npm `overrides` (the npm feature that pins transitive dependency versions) and the override key does not exist in upstream's `overrides` section → use `.rebase/add/`. This is additive content absent from upstream.
- Never use `.rebase/replace/` (text replacement) for `package.json` version changes — always use the JSON merge mechanism (add or override).

@RomanNikitenko RomanNikitenko Jul 10, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's not true at least for one use case that was introduced in #648
See .rebase/replace/code/package.json.json

So - should we describe that use case as an exception or add a little info why the replace can be used?

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

correct. this use case is very specific.
i think we should describe as an exception because this particular fix was not only about bumping package version, but more a complete change over a new package.
i'll rewrite this.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

re-wrote this part. please review

@github-actions

Copy link
Copy Markdown
Contributor

sbouchet and others added 2 commits July 13, 2026 17:40
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants