When Dependabot gets stuck, Wolf shows up.
Dependabot says "cannot update to a non-vulnerable version" when the patched release can't be reached without breaking another constraint in the dependency graph (a major version bump, a peer that pins the old range). Alert sits there. Nobody fixes it.
- Finds stuck Dependabot alerts (no PR exists)
- Creates an issue with vulnerability details
- Assigns it to Copilot
Copilot attempts the fix and creates a PR. Might work, might not - but at least it tries.
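The triage logic behind those three steps, as an added example written for this README rather than code from the project's workflow. The alert, PR and issue objects below are constructed to mirror the shapes returned by `GET /repos/{owner}/{repo}/dependabot/alerts`, `/pulls` and `/issues`; the PR-matching heuristic (Dependabot author plus "Bump <package> " in the title), the `[dependabot-wolf]` title prefix and the package names are assumptions. It also adds the de-duplication a daily run needs so the same alert does not get a new issue every midnight.

```javascript
// Added example, not the project's workflow code. Sample data is constructed;
// matching heuristics and title prefix are assumptions, not GitHub conventions.
const DEPENDABOT_LOGIN = "dependabot[bot]";
const ISSUE_PREFIX = "[dependabot-wolf]"; // assumed marker used to find our own issues

function makeAlert(number, ecosystem, name, manifest, range, patched, severity) {
  return {
    number,
    state: "open",
    dependency: { package: { ecosystem, name }, manifest_path: manifest },
    security_advisory: {
      ghsa_id: `GHSA-0000-0000-00${number}`, // placeholder, not a real advisory id
      severity,
      summary: `Constructed advisory for ${name}`,
    },
    security_vulnerability: {
      vulnerable_version_range: range,
      first_patched_version: { identifier: patched },
    },
    html_url: `https://github.com/example/repo/security/dependabot/${number}`,
  };
}

// Constructed alerts: #12 already has a Dependabot PR, #13 is stuck, #14 is closed.
const SAMPLE_ALERTS = [
  makeAlert(12, "npm", "acme-parser", "package.json", "< 2.4.1", "2.4.1", "high"),
  makeAlert(13, "go", "github.com/acme/netlib", "go.mod", "< 1.9.0", "1.9.0", "critical"),
  { ...makeAlert(14, "npm", "acme-logger", "package.json", "< 0.3.0", "0.3.0", "low"), state: "fixed" },
];

// Constructed PRs: one real Dependabot bump, one human PR that must not count.
const SAMPLE_PULLS = [
  { number: 40, state: "open", user: { login: DEPENDABOT_LOGIN }, title: "Bump acme-parser from 2.3.0 to 2.4.1" },
  { number: 41, state: "open", user: { login: "alice" }, title: "Bump github.com/acme/netlib manually" },
];

// Constructed issue from a previous run, so #13 is already filed.
const SAMPLE_ISSUES = [
  { number: 7, state: "open", title: "[dependabot-wolf] github.com/acme/netlib: Constructed advisory for github.com/acme/netlib" },
];

// Dependabot titles its PRs "Bump <pkg> from X to Y" (the prefix can vary with
// commit-message config). Match author + package name; the trailing space keeps
// "acme-parser" from matching "acme-parser-utils". Assumed heuristic.
function hasDependabotPr(alert, pulls) {
  const needle = `bump ${alert.dependency.package.name.toLowerCase()} `;
  return pulls.some((pr) =>
    pr.state === "open" && pr.user.login === DEPENDABOT_LOGIN && pr.title.toLowerCase().includes(needle));
}

// "Stuck" = open alert with no Dependabot PR for its package.
function findStuckAlerts(alerts, pulls) {
  return alerts.filter((a) => a.state === "open" && !hasDependabotPr(a, pulls));
}

function issueTitle(alert) {
  return `${ISSUE_PREFIX} ${alert.dependency.package.name}: ${alert.security_advisory.summary}`;
}

// Issue body carries everything Copilot needs to attempt the bump.
function buildIssue(alert) {
  const d = alert.dependency, adv = alert.security_advisory, v = alert.security_vulnerability;
  const patched = v.first_patched_version ? v.first_patched_version.identifier : "none published";
  const body = [
    "Dependabot could not open a fix PR for this alert; please attempt the upgrade.",
    "",
    `- Advisory: ${adv.ghsa_id} (${adv.severity})`,
    `- Package: ${d.package.name} (${d.package.ecosystem}) in \`${d.manifest_path}\``,
    `- Vulnerable range: ${v.vulnerable_version_range}`,
    `- First patched version: ${patched}`,
    `- Alert: ${alert.html_url}`,
  ].join("\n");
  return { title: issueTitle(alert), body, labels: ["security", "dependencies"] };
}

// Daily run: skip alerts that already have an open issue with our title, so the
// workflow is idempotent and does not pile up duplicates.
function planIssues(alerts, pulls, issues) {
  const openTitles = new Set(issues.filter((i) => i.state === "open").map((i) => i.title));
  const stuck = findStuckAlerts(alerts, pulls);
  return {
    stuck: stuck.map((a) => a.number),
    toCreate: stuck.filter((a) => !openTitles.has(issueTitle(a))).map(buildIssue),
    alreadyFiled: stuck.filter((a) => openTitles.has(issueTitle(a))).map((a) => a.number),
  };
}

console.log(JSON.stringify(planIssues(SAMPLE_ALERTS, SAMPLE_PULLS, SAMPLE_ISSUES), null, 2));
```

In a real run the three sample arrays come from the API calls the PAT is scoped for (alerts read-only, pulls and issues read/write); assigning the created issue to Copilot is a separate issue-update step that this example does not reproduce.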
- Settings → Developer settings → Personal access tokens → Fine-grained tokens
- Generate new token
- Repository access: Select your repo (only the repos the workflow runs in)
- Expiration: set one, and rotate the token before it lapses
- Permissions:
  - Actions: Read and write
  - Contents: Read and write
  - Dependabot alerts: Read-only
  - Issues: Read and write
  - Pull requests: Read and write
- Copy token
- Settings → Secrets and variables → Actions
- New repository secret
- Name: DEPENDABOT_PAT, Value: your token
Copy .github/workflows/dependabot-wolf.yml to your repo.
Settings → Code security and analysis → Enable Dependabot alerts
Done. Runs daily at midnight UTC (GitHub Actions cron schedules are UTC), or manually via the Actions tab.
- Always review the generated PRs before merging; treat them like any other dependency bump, not as a verified fix
- Tested with npm and Go, should work with other package managers
- "If I'm curt with you it's because time is a factor." - Mr. Wolf
MIT