Dependency Bot API Drift
Fires when a dependency bot PR (Dependabot, Renovate, Snyk) contains both a lockfile change and a public API method signature change in C# files.
Why this rule exists
Dependency bot PRs are usually skim-reviewed. A bot PR that also changes a public method signature is either a malicious supply chain attack or an unannounced breaking upgrade. Both deserve a hard stop.
Code example
// Dependabot PR "bump SomeLib from 1.2 to 1.3"
packages.lock.json | 4 ++--
+ src/Api/UserController.cs
+ - public Task<User> Get(int id)
+ + public Task<User> Get(Guid id) // Dependabot PR contains only the lockfile diff.
packages.lock.json | 4 ++--Configuration
Disable or adjust the severity of this rule in .gauntletci.json:
{
"rules": {
"GCI0052": { "enabled": true, "severity": "Block" }
}
}See Configuration for the full schema.
Related rules
Breaking Change Risk
Detects [Obsolete] attribute additions and removals on public APIs. Removing a deprecation guard is Block-severity; adding one is a Warn-level review signal.
Lockfile Changed Without Source Review
Fires when a diff contains only lockfile changes with no accompanying source-file edits, which can hide malicious dependency upgrades.
Discussed in
Implemented in src/GauntletCI.Core/Rules/Implementations/GCI0052_*.cs.
Eric Cogen -- Founder, GauntletCI
Twenty years as a senior technical consultant building and modernizing enterprise platforms across .NET, AWS, serverless, microservices, and AI-driven systems.