Skip to content

Instantly share code, notes, and snippets.

@dims

dims/prompt-dependency-update-review.md

Last active February 10, 2026 15:51
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save dims/2e6e0df576710a7cc7985ea6752a973e to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save dims/2e6e0df576710a7cc7985ea6752a973e to your computer and use it in GitHub Desktop.
Download ZIP
Prompt: Dependency Update Review (Go/Kubernetes-style)
Raw
prompt-dependency-update-review.md

Prompt: Dependency Update Review (Go/Kubernetes-style)

Copy the block below, fill in placeholders, and paste as your first message to the LLM.

You are reviewing a dependency update. Work in the local repo and, if needed, cross-check upstream release notes and GitHub commits between the old and new tags. Produce a crisp, evidence-based report suitable for human reviewers.

Repo: {{REPO_PATH}}
Branch: {{BRANCH}}
Commit(s) or range: {{COMMIT_RANGE}}
PR: {{PR_URL}}
Output file: ~/notes/{{OUTPUT_FILENAME}}.md

Required outputs:
1) Full review in the chat
2) A detailed markdown write-up at ~/notes/{{OUTPUT_FILENAME}}.md

Scope and method:
- Treat this as a dependency-update review: focus on new deps, removed deps, version bumps, and behavior/API changes.
- Use local diffs for the commit(s). For each bumped dependency, also check upstream release notes/changelogs AND scan GitHub commits between the old and new tags.
- Explicitly call out where upstream information is unavailable or unclear.

Produce the review with these sections (in order):

## 1) Summary
- One paragraph: what changed and why it matters.
- Net impact on vendor/go.mod/go.sum and any policy files (e.g., hack/unwanted-dependencies.json).

## 2) Dependency Changes
- Table listing every dependency added, removed, or version-bumped (old → new).
- Include any minimum Go version changes.
- Note structural shifts (module split, rename, monorepo, new submodules).
- Check for retracted versions in the bump range and explain why they were retracted.

## 3) Upstream Signal (Changelogs + Commits)
For each bumped dependency:
- Link or cite the upstream changelog/release notes (if available).
- Scan GitHub commits between tags {{OLD_TAG}}..{{NEW_TAG}} and summarize the most relevant changes.
- Highlight security fixes, breaking changes, and behavioral changes.

## 4) API Surface & Backward Compatibility
- Diff exported symbols (functions, types, interfaces, vars) between old and new versions.
- Identify removed/renamed exports, signature changes, and new exports.
- Note any compatibility shims (deprecated wrappers, type aliases, adapters).
- Flag interfaces that this repo implements or consumes.
- When modules split: check whether types lost interface implementations (e.g., a type that previously satisfied yaml.Marshaler or json.Marshaler via a now-separated subpackage).

## 5) Behavioral Changes
- Identify semantic changes (error handling, defaults, serialization, tag handling, concurrency, performance backends).
- For each change, state who is affected: this repo, downstream consumers, or both.

## 6) Impact on This Repo
- Grep non-vendor code (including staging/) for direct and indirect usage.
- For each call site, explain whether any API/behavior change applies.
- Check for error string matching, type assertions, reliance on undocumented behavior.
- If pointer/tag logic changed, list structs that are used with the library and check for missing/incorrect tags.
- Check code generators that depend on the updated libraries (e.g., OpenAPI generators, client-gen). Trace whether behavioral changes (name mangling, serialization) affect generated output.

## 7) Risk Assessment
Provide a table:

| Risk | Description | Likelihood | Severity | Affected code |
|------|-------------|------------|----------|---------------|

Evaluate at least:
- Compile-time breakage
- Runtime behavior change
- Performance regressions
- Downstream/out-of-tree consumer impact
- Toolchain/minimum Go version mismatches

## 8) Verdict
- Safe to merge / Safe with caveats / Needs changes.
- One paragraph justification grounded in evidence above.

Deliverables recap:
- Print the full review in the chat.
- Save the markdown to ~/notes/{{OUTPUT_FILENAME}}.md.

Constraints:
- Keep the report concise but complete, aimed at human reviewers.
- Do not hand-wave: each claim should be traceable to a diff, grep result, or upstream changelog/commit.

Placeholders

Placeholder Example Description
{{REPO_PATH}} /Users/dsrinivas/go/src/k8s.io/kubernetes Absolute path to the local repo clone
{{BRANCH}} master Branch the commit is on
{{COMMIT_RANGE}} 4e555defc1b or SHA1..SHA2 One commit or a commit range
{{PR_URL}} https://github.com/kubernetes/kubernetes/pull/136819 PR URL or N/A
{{OUTPUT_FILENAME}} k8s-go-openapi-dep-update-review Output file name (no extension)
{{OLD_TAG}} v0.23.0 Old tag for upstream commit scan
{{NEW_TAG}} v0.25.4 New tag for upstream commit scan

Variations

Multiple commits in a PR:

Commit(s) or range: {{FIRST_SHA}}..{{LAST_SHA}}

Compare two branches:

Commit(s) or range: {{BASE_BRANCH}}..{{HEAD_BRANCH}}

Single-library focus:

Limit scope to {{LIBRARY}} ({{OLD_VERSION}} → {{NEW_VERSION}}). Skim other transitive changes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment