Weekly Dependency Update PRs

Schedule a weekly Devin session that finds outdated packages, runs your tests, and opens upgrade PRs.
Author: Cognition
Category: Automations
Features: Schedules
1. Create a weekly schedule

Open app.devin.ai and navigate to Settings > Schedules. Click Create schedule and configure it:
  • Frequency: Weekly — e.g., every Monday at 7:00 AM UTC (0 7 * * 1)
  • Prompt: Paste the dependency update prompt below
If you use a Playbook for how your team handles dependency upgrades (e.g., always run npm run build after updating, or skip devDependencies), attach it to the schedule so every run follows the same process.
2. Add Knowledge to steer updates

Not every package should be updated automatically. Go to Settings > Knowledge and add entries that tell Devin what to skip or handle carefully:
  • Do not update react past v18 — we're mid-migration to v19 on a separate branch.
  • Always pin @types/node to match our Node.js version (20.x).
  • Skip eslint-plugin-import — it conflicts with our custom lint config.
  • Our test command is npm run test:ci, not npm test.
These Knowledge entries persist across every scheduled run, so Devin respects your constraints without you repeating them in the prompt.
3. Review what Devin delivers

Each Monday, Devin checks your repo for outdated packages and opens PRs on your behalf. A typical week might produce:

PR #1 — Safe updates (patch + minor):
## Dependency Updates — Week of Feb 10

| Package         | From    | To      | Type  |
|-----------------|---------|---------|-------|
| axios           | 1.6.2   | 1.6.8   | patch |
| react-query     | 5.17.0  | 5.22.1  | minor |
| tailwindcss     | 3.4.1   | 3.4.6   | patch |
| typescript      | 5.3.3   | 5.3.5   | patch |

All 847 tests passing. No vulnerabilities found by npm audit.
PR #2 — Major bump (separate, with notes):
## Major Update: zod 3.x → 4.0.0

Breaking changes (from CHANGELOG):
- `z.object().strict()` is now the default behavior
- `z.enum` requires at least one value
- Removed deprecated `.check()` method

Code changes in this PR:
- Updated 3 schema files to remove explicit `.strict()` calls
- Added fallback value to empty enum in src/schemas/status.ts
Devin runs your test suite against each PR independently, so you can merge the safe batch immediately and take time reviewing the major bumps.
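
A reviewer-side check for the split described above, as an added example that is not Devin's implementation or code from the original page: it sorts `npm outdated --json` output into the safe batch, the major bumps, and packages held back by the step 2 Knowledge entries. `SAMPLE`, `RULES`, `parse`, `bumpType` and `planUpdates` are hypothetical names, the sample versions are constructed (some taken from the tables above), and it goes beyond the page by treating 0.x minor bumps as major and holding non-release version strings for manual review.

```javascript
// Constructed sample in the shape of `npm outdated --json` (only the fields used here).
const SAMPLE = {
  axios: { current: "1.6.2", latest: "1.6.8" },
  "react-query": { current: "5.17.0", latest: "5.22.1" },
  zod: { current: "3.22.4", latest: "4.0.0" },
  react: { current: "18.2.0", latest: "19.0.0" },
  "eslint-plugin-import": { current: "2.29.0", latest: "2.29.1" },
};

// Hypothetical machine-readable encoding of the Knowledge entries from step 2.
const RULES = { skip: ["eslint-plugin-import"], maxMajor: { react: 18, "@types/node": 20 } };

// Accept only plain "x.y.z"; pre-releases, tags and ranges return null.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Classify a version change. A minor bump on a 0.x package counts as major,
// because semver allows breaking changes anywhere below 1.0.0.
function bumpType(from, to) {
  const a = parse(from), b = parse(to);
  if (!a || !b) return "unknown";
  const i = a.findIndex((n, k) => n !== b[k]);
  if (i === -1) return "none";
  if (b[i] < a[i]) return "downgrade";
  return i === 0 || (i === 1 && a[0] === 0) ? "major" : i === 1 ? "minor" : "patch";
}

// Split outdated packages into the safe batch, major bumps, and held packages.
function planUpdates(outdated, rules) {
  const plan = { safe: [], major: [], held: [] };
  for (const [name, { current, latest }] of Object.entries(outdated)) {
    const type = bumpType(current, latest);
    const target = parse(latest);
    const cap = rules.maxMajor[name];
    if (rules.skip.includes(name)) plan.held.push({ name, reason: "skip rule" });
    else if (cap !== undefined && target && target[0] > cap)
      plan.held.push({ name, reason: `capped at v${cap}` });
    else if (type === "patch" || type === "minor") plan.safe.push({ name, current, latest, type });
    else if (type === "major") plan.major.push({ name, current, latest, type });
    else if (type !== "none") plan.held.push({ name, reason: type });
  }
  return plan;
}

console.log(JSON.stringify(planUpdates(SAMPLE, RULES), null, 2));
```

Comparing this plan against the package table in a "safe updates" PR shows whether anything in that batch is actually a major bump or a package your rules exclude.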
4. Iterate and expand

Once your weekly schedule is running, you can refine it over time. Reply to any scheduled session to give Devin follow-up instructions.

Tips for keeping things smooth:
  • Separate frontend and backend — If your repo has both, create two schedules so each PR stays focused and easy to review.
  • Let CI run fully before merging — Even safe-looking minor updates can introduce subtle bugs. Devin runs your tests, but your full CI pipeline adds another layer of confidence.
  • Check the Schedules page to monitor run history, pause a schedule during a code freeze, or adjust the cron expression.