
Dependency Management

Track package changes and spot new dependencies directly in your PRs — before they land in production.

Dependency Diff

Get a full diff of added, removed, and updated packages across every PR. Optionally enable CVE scanning to flag known vulnerabilities automatically.

```yaml
name: Dependency Diff
on:
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  dependency-diff:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Post dependency diff
        uses: dev-herald/comment@v1
        with:
          api-key: ${{ secrets.DEV_HERALD_KEY }}
          pr-number: ${{ github.event.pull_request.number }}
          sticky-id: dependency-diff
          signal: 'DEPENDENCY_DIFF'
          enable-cve: 'true'
          max-deps: '50'
```

fetch-depth: 0 is required so Dev Herald can compare the full package history between the base and head branches; the default shallow checkout only contains the head commit and leaves nothing to diff against. Note also that GitHub does not expose repository secrets to pull_request runs triggered from a fork, so secrets.DEV_HERALD_KEY will be empty for fork PRs and the step will not be able to authenticate.

New Dependency Signal

Want to call out brand-new packages specifically? Use NEW_DEPENDENCY to surface only the packages being introduced for the first time — great for keeping a close eye on supply chain additions.

```yaml
name: Dependency Diff
on:
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  dependency-diff:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Post New Dependency Signal
        uses: dev-herald/comment@v1
        with:
          api-key: ${{ secrets.DEV_HERALD_KEY }}
          pr-number: ${{ github.event.pull_request.number }}
          signal: 'NEW_DEPENDENCY'
          enable-cve: 'true'
          max-deps: '25'
          sticky-id: 'new-deps'
```

fetch-depth: 0 is required so Dev Herald can compare the full package history between the base and head branches.

Using Both Together

You can combine both signals in a single workflow to get the full picture — a diff of all package changes alongside a focused view of net-new additions:

```yaml
steps:
  - name: Checkout code
    uses: actions/checkout@v4
    with:
      fetch-depth: 0
  - name: Post dependency diff
    uses: dev-herald/comment@v1
    with:
      api-key: ${{ secrets.DEV_HERALD_KEY }}
      pr-number: ${{ github.event.pull_request.number }}
      sticky-id: dependency-diff
      signal: 'DEPENDENCY_DIFF'
      enable-cve: 'true'
      max-deps: '50'
  - name: Post new dependency signal
    uses: dev-herald/comment@v1
    with:
      api-key: ${{ secrets.DEV_HERALD_KEY }}
      pr-number: ${{ github.event.pull_request.number }}
      signal: 'NEW_DEPENDENCY'
      enable-cve: 'true'
      max-deps: '25'
      sticky-id: 'new-deps'
```

Because the two steps use different sticky-id values, each signal gets its own sticky comment, which is updated in place on every push rather than piling up a new comment per commit.
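To make concrete what the DEPENDENCY_DIFF and NEW_DEPENDENCY signals above are computing, here is an added example that is not Dev Herald's code: it parses constructed package-lock.json snapshots for an older revision, the base branch and the head branch, produces the added/removed/updated diff, and then derives the net-new set by checking head against every earlier snapshot rather than against base alone. The history-based definition of "introduced for the first time", the behaviour of max-deps as a cap on reported entries, and the HTML-comment marker used for the sticky comment are assumptions made for the example, not documented Dev Herald behaviour.

```python
"""Added example (not Dev Herald's code): the computation behind a dependency
diff and a 'new dependency' signal, run over constructed package-lock.json
snapshots. All inputs below are constructed for the example."""
import json
from dataclasses import dataclass, field

# Constructed lockfileVersion 3 package-lock.json for the base branch.
BASE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3, "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/left-pad": {"version": "1.3.0"},
    }})

# Constructed head-branch lock: lodash bumped, left-pad dropped, two packages added.
HEAD_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3, "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/axios": {"version": "1.6.0"},
        "node_modules/colors": {"version": "1.4.0"},
    }})

# Constructed older revision: 'colors' was in the tree once and later removed.
OLD_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3, "packages": {
        "": {"name": "demo", "version": "0.9.0"},
        "node_modules/express": {"version": "4.17.1"},
        "node_modules/colors": {"version": "1.3.0"},
    }})


def parse_lock(text: str) -> dict[str, str]:
    """Map package name -> version from a lockfileVersion 2/3 package-lock.json.
    Keys look like 'node_modules/foo' or 'node_modules/a/node_modules/foo';
    the root entry ('') is the project itself and is skipped."""
    deps: dict[str, str] = {}
    for path, meta in json.loads(text).get("packages", {}).items():
        if not path:
            continue
        deps[path.split("node_modules/")[-1]] = meta.get("version", "")
    return deps


@dataclass
class DependencyDiff:
    added: dict[str, str] = field(default_factory=dict)
    removed: dict[str, str] = field(default_factory=dict)
    updated: dict[str, tuple[str, str]] = field(default_factory=dict)
    truncated: bool = False  # more changes than max_deps allows to report


def dependency_diff(base: dict[str, str], head: dict[str, str],
                    max_deps: int = 50) -> DependencyDiff:
    """Full base-vs-head diff, the DEPENDENCY_DIFF view. Assumption: max_deps
    caps how many changed packages are reported, like the max-deps input."""
    d = DependencyDiff()
    for name in sorted(set(base) | set(head)):
        if name not in base:
            d.added[name] = head[name]
        elif name not in head:
            d.removed[name] = base[name]
        elif base[name] != head[name]:
            d.updated[name] = (base[name], head[name])
    d.truncated = len(d.added) + len(d.removed) + len(d.updated) > max_deps
    return d


def new_dependencies(head: dict[str, str],
                     history: list[dict[str, str]]) -> dict[str, str]:
    """Packages in head that never appeared in any earlier revision, the
    NEW_DEPENDENCY view. This is where fetch-depth: 0 matters: with a shallow
    clone there is no history to consult, and a package removed long ago and
    re-added would be misreported as brand new. Assumption: 'first time'
    means never present in any prior snapshot, not merely absent from base."""
    seen: set[str] = set()
    for snapshot in history:
        seen.update(snapshot)
    return {n: v for n, v in head.items() if n not in seen}


def render_comment(sticky_id: str, diff: DependencyDiff) -> str:
    """Markdown body for a sticky PR comment. Assumption: a hidden marker
    carrying the sticky id is what lets a later run find and update the
    comment in place instead of posting a new one."""
    lines = [f"<!-- sticky-id: {sticky_id} -->", "### Dependency diff"]
    lines += [f"- added `{n}@{v}`" for n, v in diff.added.items()]
    lines += [f"- removed `{n}@{v}`" for n, v in diff.removed.items()]
    lines += [f"- updated `{n}` {a} -> {b}" for n, (a, b) in diff.updated.items()]
    if diff.truncated:
        lines.append("- (list truncated by max-deps)")
    return "\n".join(lines)


if __name__ == "__main__":
    old, base, head = parse_lock(OLD_LOCK), parse_lock(BASE_LOCK), parse_lock(HEAD_LOCK)
    print(render_comment("dependency-diff", dependency_diff(base, head)))
    print("net-new:", new_dependencies(head, [old, base]))
```

Note the difference the history makes: against base alone both axios and colors look new, but with the older snapshot in scope colors is a re-introduction and only axios is net-new. That distinction is exactly the kind of supply-chain question a reviewer wants answered before a package lands.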
