Paklo Docs

CLI

Run Dependabot updates locally from your machine, CI/CD pipelines, or any environment with Docker.

The Paklo CLI is a powerful command-line tool for running Dependabot updates against your repositories. Unlike the extension or hosted version, the CLI gives you complete control over when and where updates run.

Installation

Requirements:

  • Node.js 24 or later
  • Docker (Docker Desktop on macOS/Windows, Docker Engine on Linux)

Global Installation

npm install -g @paklo/cli
paklo --version

Using npx (No Installation)

npx @paklo/cli --help

Verify Installation

# Check CLI is installed
paklo --version

# Check Docker is running
docker ps

Quick Start

Validate Configuration (optional)

First, validate your dependabot.yml file:

paklo validate \
  --provider azure \
  --repository-url https://dev.azure.com/my-org/my-project/_git/my-repo \
  --git-token $GIT_ACCESS_TOKEN

Run Updates

Execute dependency updates:

paklo run \
  --provider azure \
  --repository-url https://dev.azure.com/my-org/my-project/_git/my-repo \
  --git-token $GIT_ACCESS_TOKEN \
  --github-token $GITHUB_TOKEN

Clean Up (optional)

Remove old Docker resources:

paklo cleanup

Commands

validate

Validates your dependabot.yml configuration file against a repository.

paklo validate [options]

Required Options:

  • --provider <PROVIDER> - Repository provider (currently only azure is supported)
  • --repository-url <URL> - Repository URL (e.g., https://dev.azure.com/my-org/project/_git/repo)
  • --git-token <GIT_TOKEN> - Git provider access token

Example:

paklo validate \
  --provider azure \
  --repository-url https://dev.azure.com/my-org/my-project/_git/my-repo \
  --git-token $GIT_ACCESS_TOKEN

run

Executes Dependabot updates for the specified repository.

paklo run [options]

Required Options:

  • --provider <PROVIDER> - Repository provider (currently only azure is supported)
  • --repository-url <URL> - Repository URL
  • --git-token <GIT_TOKEN> - Git provider access token

Optional Options:

| Option | Description | Default |
| --- | --- | --- |
| --github-token <TOKEN> | GitHub token to avoid rate limiting | - |
| --out-dir <DIR> | Working directory for updates | work |
| --auto-approve | Automatically approve pull requests | false |
| --auto-approve-token <TOKEN> | Token for auto-approve (if different from git-token) | - |
| --set-auto-complete | Auto-complete PRs when policies are met | false |
| --merge-strategy <STRATEGY> | Merge strategy: squash, rebase, merge | squash |
| --auto-complete-ignore-config-ids <IDS> | Config IDs to ignore for auto-complete | - |
| --author-name <NAME> | Git author name | dependabot[bot] |
| --author-email <EMAIL> | Git author email | noreply@github.com |
| --target-update-ids <IDS> | Specific update IDs to run (comma-separated) | All |
| --security-advisories-file <FILE> | Path to custom security advisories JSON file | - |
| --experiments <EXPERIMENTS> | Comma-separated experiments to enable | - |
| --updater-image <IMAGE> | Custom Dependabot updater Docker image | - |
| --command <COMMAND> | Dependabot command: update, security-update | - |
| --inspect | Write API requests to ./inspections for troubleshooting | false |
| --port <PORT> | Port for internal API server | Random |
| --debug | Enable debug logging | false |
| --dry-run | Run without making changes | false |

Example:

paklo run \
  --provider azure \
  --repository-url https://dev.azure.com/my-org/my-project/_git/my-repo \
  --git-token $GIT_ACCESS_TOKEN \
  --github-token $GITHUB_TOKEN \
  --auto-approve \
  --set-auto-complete \
  --merge-strategy squash \
  --experiments "record_ecosystem_versions,separate_major_minor_updates" \
  --debug

fetch-images

Pre-fetch Docker images used by Dependabot. Useful for testing image existence or package manager mapping.

paklo fetch-images <packageManager>

Required Arguments:

  • <packageManager> - The package manager to fetch the updater image for (e.g., npm_and_yarn, bundler, pip, cargo, etc.)

Example:

# Fetch images for npm_and_yarn
paklo fetch-images npm_and_yarn

# Fetch images for bundler
paklo fetch-images bundler

This downloads the updater Docker image for the specified package manager and the proxy image.

cleanup

Removes old Docker images and containers created by Dependabot.

paklo cleanup [options]

Options:

  • --cutoff <DURATION> - Remove resources older than duration (e.g., 24h, 7d) | Default: 24h

Examples:

# Remove resources older than 24 hours (default)
paklo cleanup

# Remove resources older than 7 days
paklo cleanup --cutoff 7d

# Remove all Dependabot resources
paklo cleanup --cutoff 0s

Configuration

The CLI uses standard configuration files. See Configuration for complete options.

Variable Substitution

Use $VARIABLE or ${VARIABLE} syntax for environment variables:

registries:
  private-npm:
    type: npm-registry
    url: https://npm.example.com
    token: $NPM_TOKEN

These will be pulled from environment variables. You'll be prompted for missing variables.
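
A pre-flight check for non-interactive runs, where nobody is present to answer a prompt. This is an added example, not part of the Paklo docs or CLI: it lists the $VARIABLE and ${VARIABLE} references in a config file and reports the ones that are unset. The function names, the sample config, and the matching pattern are assumptions made for illustration; Paklo's own substitution logic may differ.

```shell
#!/bin/sh
# Added example (not Paklo code): list environment variables that a
# dependabot.yml references as $NAME or ${NAME} but that are unset or empty.
# The pattern below is an assumption about what counts as a reference;
# Paklo's own substitution logic may differ.

missing_config_vars() (
  # Body runs in a subshell, so the variables used here stay local.
  file=$1
  missing=""
  # Skip full-line YAML comments, then extract $NAME and ${NAME} tokens.
  for name in $(grep -v '^[[:space:]]*#' "$file" \
      | grep -oE '\$\{[A-Za-z_][A-Za-z0-9_]*\}|\$[A-Za-z_][A-Za-z0-9_]*' \
      | tr -d '${}' | sort -u); do
    # eval is safe here: $name can only contain [A-Za-z0-9_] (see the regex).
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="${missing:+$missing }$name"
  done
  printf '%s\n' "$missing"
)

# Constructed sample config, modelled on the registries snippet above.
sample_config() {
  cat <<'EOF'
registries:
  private-npm:
    type: npm-registry
    url: https://npm.example.com
    token: $NPM_TOKEN
  private-nuget:
    type: nuget-feed
    url: https://nuget.example.com/index.json
    # password: $OLD_PASSWORD
    password: ${NUGET_PASSWORD}
EOF
}

# Pipeline step: fail early, naming the variables but never their values.
check_config() {
  missing=$(missing_config_vars "$1")
  if [ -n "$missing" ]; then
    echo "unset variables referenced in $1: $missing" >&2
    return 1
  fi
}
```

Run `check_config path/to/dependabot.yml` as the step before `paklo run`, so a missing secret fails the job with a clear message.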

Logging

Set verbosity level:

paklo -v trace run ...  # Most detailed
paklo -v debug run ...  # Debug information
paklo -v info run ...   # Standard (default)
paklo -v warn run ...   # Warnings only
paklo -v error run ...  # Errors only

Advanced Usage

Target Specific Updates

Run only certain update configurations:

# Run only the update configurations at index 1 and 3
paklo run ... --target-update-ids 1,3

Custom Experiments

Enable experimental features:

paklo run ... --experiments "tidy=true,vendor=true,goprivate=*"

See Experiments for usage patterns.

Inspect Mode

Debug Dependabot API interactions:

paklo run ... --inspect

This creates a ./inspections/ directory containing JSON files of the API requests and responses.

Dry Run

Test without making changes:

paklo run ... --dry-run

This performs the update checks but doesn't create pull requests.

Proxy Configuration

Configure HTTP/HTTPS proxies:

export HTTP_PROXY=http://proxy.company.com:8080
export HTTPS_PROXY=http://proxy.company.com:8080
export NO_PROXY=localhost,127.0.0.1,.company.com

Troubleshooting

Common Issues

Docker not running:

Error: Cannot connect to the Docker daemon

Solution: Start Docker Desktop or the Docker daemon.

Network connectivity:

Error: getaddrinfo ENOTFOUND

Solution: Check your network and proxy configuration. You may need to set the proxy environment variables (see Proxy Configuration).

Debug Mode

Enable detailed logging:

paklo -v trace run ... --debug

This provides:

  • Docker container logs
  • API request/response details
  • Detailed error stack traces

Inspect Failed Updates

Use inspect mode to capture API interactions:

paklo run ... --inspect

Check ./inspections/ for JSON files with request/response data.

Clean Docker State

If updates fail due to Docker issues:

# Remove all Dependabot resources
paklo cleanup --cutoff 0s
