Don't merge 100's of Dependabot PRs alone. Get PatchWave.

Auto-merge ~65% of Dependabot PRs.

PatchWave combines static analysis with AI to safely auto-merge the majority of Dependabot PRs.

Dependabot PRs0/7merged

acme/checkout-web Bump lodash 4.17.20 → 4.17.21
#89 opened 5 hours ago by dependabot[bot]•Patch
Critical
acme/payments-api Bump jose 4.15.4 → 4.15.9
#445 opened 8 hours ago by dependabot[bot]•Patch
Medium
acme/notification-worker Bump debug 4.3.4 → 4.3.6
#112 opened 4 hours ago by dependabot[bot]•Patch
checks pass
acme/notification-worker Bump semver 7.5.4 → 7.6.2
#318 opened 1 hour ago by dependabot[bot]•Patch
High
acme/checkout-web Bump postcss 8.4.31 → 8.4.38
#207 opened 3 hours ago by dependabot[bot]•Patch
Medium
acme/auth-service Bump @types/node 20.11.0 → 20.14.2
#156 opened 7 hours ago by dependabot[bot]•Patch
checks pass
acme/internal-dashboard Bump vite 5.2.8 → 5.2.11
#401 opened 2 hours ago by dependabot[bot]•Patch
checks pass

Review the rest in half the time.

For the minority of PRs that need human attention, PatchWave answers: what changed?, what broke?, and how do I fix it?

Dependabot PRs5/5need review

acme/payments-api Bump express 4.18.2 → 4.21.0
#412 opened 2 hours ago by dependabot[bot]•Minor
review
BlockedChecks failed before PatchWave could merge.
What changed
•Express 4.21 tightens redirect handling and patches prototype pollution exposure in cookie parsing.
•Fixes 2 CVEs; highest severity: critical.
•criticalCVE-2024-29041Open redirect vulnerability
•highCVE-2024-47764Cookie poisoning via __proto__
What failed
•CI / integration-tests failed — Checkout API contract test still expects Express 4.18 response headers.
View action logs
What to do next
•services/checkout/test/contracts/express-response.test.ts:42 — Update the expected X-Powered-By and redirect header assertions for Express 4.21.
•services/checkout/src/middleware/redirects.ts:18 — Normalize redirect targets with the patched Express URL parser before allowlist checks.
acme/auth-service Bump jsonwebtoken 8.5.1 → 9.0.2
#156 opened 1 day ago by dependabot[bot]•Major
review
BlockedChecks failed before PatchWave could merge.
What changed
•jsonwebtoken 9 rejects unsigned tokens by default and requires explicit algorithm handling.
•Fixes 2 CVEs; highest severity: critical.
•criticalCVE-2022-23529Remote code execution via key manipulation
•highCVE-2022-23540Insecure implementation of key retrieval
What failed
•CI / node-20-test failed — JWT verification tests fail because the new major rejects unsigned tokens by default.
View action logs
What to do next
•services/auth/src/jwt/verify-token.ts:31 — Pass an explicit algorithms allowlist to jwt.verify and remove the unsigned-token fallback.
•services/auth/test/jwt/verify-token.test.ts:74 — Replace the unsigned-token fixture with an RS256 fixture signed by the test key.
acme/payments-api Bump axios 1.6.0 → 1.7.4
#201 opened 3 hours ago by dependabot[bot]•Minor
review
BlockedChecks failed before PatchWave could merge.
What changed
•Axios 1.7 fixes SSRF-prone URL parsing and normalizes absolute URLs more strictly.
•Fixes 1 CVE; highest severity: high.
•highCVE-2024-39338SSRF via unexpected URL parsing
What failed
•CI / security-smoke failed — SSRF regression test needs the new axios URL-parser allowlist behavior accounted for.
View action logs
What to do next
•services/payments/src/http/safe-client.ts:56 — Apply the internal host allowlist before constructing the axios request config.
acme/internal-dashboard Bump follow-redirects 1.15.3 → 1.15.6
#334 opened 6 hours ago by dependabot[bot]•Patch
review
WaitingWaiting on checks before a merge decision.
What changed
•follow-redirects 1.15.6 prevents Authorization and Cookie headers from leaking across redirects.
•Fixes 1 CVE; highest severity: high.
•highCVE-2024-28849Exposure of private information
What failed
•PatchWave is holding this patch update until CI reports back. It currently carries 1 high CVE.
What to do next
•apps/internal-dashboard/src/lib/download-report.ts:22 — Remove manual redirect header forwarding before approving the patched client.
acme/checkout-web Bump rimraf 3.0.2 → 5.0.7
#55 opened 2 days ago by dependabot[bot]•Major
review
Needs reviewHuman review required before merging.
What changed
•rimraf 5 drops legacy Node support and moves cleanup calls to the promise-based API.
What failed
•This major update sits outside the auto-merge threshold, even though it addresses no known CVEs. PatchWave surfaced it so an owner can make the tradeoff explicitly.
What to do next
•apps/checkout/scripts/cleanup-temp-files.ts:9 — Replace the callback-style rimraf import with the new promise API before approving the major bump.

Don't merge 100's of Dependabot PRs alone. Get PatchWave.

You're on the list!

Auto-merge ~65% of Dependabot PRs.

Review the rest in half the time.

What changed

What failed

What to do next

What changed

What failed

What to do next

What changed

What failed

What to do next

What changed

What failed

What to do next

What changed

What failed

What to do next

See what Dependabot PRs cost your org with a free custom report.