5am Is Our Most Productive Hour. We're Still Asleep.

We haven't touched a dependency audit in months. Every morning at 5am, our AI scans every repo we manage, finds vulnerabilities, and opens the fix. We review it over coffee.

Some mornings I wake up to a Slack message that says something like:

3 dependency vulnerabilities fixed. 1 PR opened for review.

Timestamp: 5:07 AM.

I didn't do that. I was asleep.


Every codebase has a maintenance tax. Security patches. Dependency updates. Outdated libraries nobody remembers adding. They pile up slowly, quietly, until a Dependabot alert fires at the worst possible moment — right in the middle of a client sprint — and suddenly you're spending a Friday afternoon figuring out if upgrading jsonwebtoken will break anything.

Most teams deal with this one of two ways:

  1. Ignore it. Until something breaks or a client asks about security posture.
  2. Dedicate developer time. Which means a real person, with real context and real other work, sits down and handles it manually.

We picked option 3: delegate it entirely.


How It Works

We keep a registry of every repo we actively manage. Client projects, internal tools, the platform itself. Each entry has a local path and a set of flags, including whether it's eligible for automated Dependabot fixes.

At 5am every morning, a scheduled job wakes up, reads that registry, and checks each repo for open security alerts. For each one it finds, it spins up an AI agent running Claude, which reads the alert, looks at the proposed fix, evaluates the risk level, and makes a call.

Low-risk patches — patch-version bumps, well-understood libraries, no breaking changes in the diff — get auto-merged.

Higher-risk updates get a PR opened, with a plain-English summary of what changed and why it matters. That PR is sitting in my queue when I get to my desk.

The whole thing wraps up in about 45 minutes. Done before most people's alarms go off.
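
One way to bound the auto-merge decision described above, as an added example (not azlabs.io's own code): deterministic checks run first, so the agent's risk rating can only send an update to a PR, never promote it to auto-merge. The registry field names, the manifest file list, and the sample repos and versions are assumptions constructed for illustration.

```python
import re

# Strict x.y.z only; pre-release or malformed versions fail closed.
SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
# Assumption: a dependency-only fix touches nothing but these files.
MANIFEST_FILES = {"package.json", "package-lock.json"}

def bump_kind(old, new):
    """Classify a version change as patch, minor, major or unknown."""
    a, b = SEMVER.match(old), SEMVER.match(new)
    if not a or not b:
        return "unknown"
    o = tuple(int(x) for x in a.groups())
    n = tuple(int(x) for x in b.groups())
    if n <= o:
        return "unknown"  # downgrade or no-op is never auto-merged
    if n[0] != o[0]:
        return "major"
    return "minor" if n[1] != o[1] else "patch"

def decide(repo, old, new, changed_files, agent_risk):
    """Return (action, reason); the agent's verdict can only add caution."""
    if not repo.get("dependabot_autofix"):
        return ("skip", "repo not flagged for automated fixes")
    kind = bump_kind(old, new)
    if kind != "patch":
        return ("open_pr", f"{kind} version change")
    extra = set(changed_files) - MANIFEST_FILES
    if extra:
        return ("open_pr", f"diff touches {sorted(extra)}")
    if agent_risk != "low":
        return ("open_pr", f"agent rated risk {agent_risk!r}")
    return ("auto_merge", "patch bump, manifest-only diff, low risk")

# Constructed sample data (hypothetical repos, field names and versions).
REGISTRY = {"client-portal": {"path": "/srv/client-portal", "dependabot_autofix": True},
            "legacy-tool": {"path": "/srv/legacy-tool", "dependabot_autofix": False}}
UPDATES = [
    ("client-portal", "1.2.3", "1.2.4", MANIFEST_FILES, "low"),
    ("client-portal", "8.5.1", "9.0.0", MANIFEST_FILES, "low"),
    ("client-portal", "1.2.3", "1.2.4", MANIFEST_FILES | {"src/api.js"}, "low"),
    ("client-portal", "1.2.3", "1.2.4", MANIFEST_FILES, "high"),
    ("legacy-tool", "1.2.3", "1.2.4", MANIFEST_FILES, "low"),
]

def run():
    """Actions for each constructed update, in order."""
    return [decide(REGISTRY[r], old, new, files, risk)[0]
            for r, old, new, files, risk in UPDATES]
```

Only the first sample update is auto-merged; the major bump, the diff that touches source code, and the high-risk rating each fall back to a PR, and the unflagged repo is skipped.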


What We Actually Wake Up To

Not every morning has alerts. Some mornings the notification is:

Dependabot scan complete — no action needed.

That's the best one. Codebase is clean, nothing needs attention.

When there is something, the PR descriptions aren't git diffs or library changelogs. They're plain English: "This updates axios to patch a known SSRF vulnerability. The change is backwards-compatible. No breaking API changes detected. Auto-merge recommended."

We review, click merge, move on.


The Real Win Is What We Don't Think About

Maintenance work has a hidden cost that's easy to miss: mental overhead.

Every open Dependabot alert is low-grade anxiety. You know you should deal with it. You're not dealing with it. It's sitting in the back of your head alongside the other five things that are also "I should deal with that."

When the system handles it automatically, that anxiety just goes away. Not because the problem got fixed faster — because you never had to hold it at all.

We've been running this for months now. I genuinely can't remember the last time I manually reviewed a dependency update. Not because I've been ignoring them — the AI gets there before they ever reach me.


The Pattern Works Beyond Code

Dependency scanning is one example of a broader pattern: recurring maintenance that follows a predictable rule.

The rule here is: scan, evaluate risk, then either fix automatically or flag for a human. That same structure works for a lot of things:

  • Email inbox triage — scan, classify, auto-respond or flag
  • Monthly financial reconciliation — scan, compare, surface discrepancies
  • Client onboarding checklists — scan, check completion, nudge or close out
  • Content — scan new research, summarize, route to the right person

Once you've built the pattern once, you start seeing every recurring chore differently.


This Isn't Magic. It's Just Infrastructure.

None of this is plug-and-play. We built it. It took a few days to set up, test, and tune the risk evaluation logic — conservative enough to not break things, aggressive enough to actually be useful.

But you build it once and it runs forever. Every day, without anyone touching it.

The question worth asking isn't "can we automate this?" It's "how much work is it to automate this?" The answer is usually less than you think.


The best maintenance is the kind you never have to think about.

We're not there on everything yet. But every month, there's one more thing our AI handles before we're even out of bed.


Raz Mihalyi is the founder of azlabs.io, where we build custom AI systems for real estate and lending operators.