Skip to Content

Signals

Health reports are built from structured signal payloads. Each ingest must include at least one signal section under signals.

For request bodies, field types, validation rules, and example payloads, see the API Reference.

dependencies

Package inventory and vulnerability summary — typically collected from your lockfile by the dev-herald/health action.

FieldDescription
totalTotal dependency count
productionProduction dependency count
developmentDevelopment dependency count
vulnerabilitiesCounts by severity (critical, high, medium, low)

Shown in the dashboard and Slack summaries as dependency counts and vulnerability badges. Compared against the previous report for deltas.

bundle

Aggregate JS/CSS bundle metrics with per-route attribution. Send every route you measure — Dev Herald derives top routes for display by sorting on size.

FieldDescription
totalBytesTotal bundle size in bytes
jsBytesJavaScript size in bytes
cssBytesCSS size in bytes
routesPer-route breakdown

Each route must include at least one size field (totalBytes, uncompressedBytes, or compressedBytes). Optional moduleCount tracks how many modules are attributed to a route.

Bundle regressions and improvements are highlighted in the dashboard with week-over-week deltas.

unusedCode

Dead-code and unused-artifact lists from tools like Knip. Counts in the dashboard are derived from list lengths.

FieldDescription
unusedFilesListSource files with no imports
unusedDepsListDependencies listed in package.json but never imported
unusedTypeExportsListExported types with no consumers

The dev-herald/health action maps Knip JSON output to this signal when knip-report-path is set. Findings can be opened in Cursor or other AI editors from the dashboard.

cve

Detailed CVE findings from a lockfile scan. Typically collected automatically by the dev-herald/health action when lockfile-path is set.

Set cve-detail: "true" on the action to include per-advisory details (advisory ID, affected package, severity, description). With "false" (the default), only aggregate vulnerability counts are sent under dependencies.vulnerabilities.

Production and development dependencies are reported separately under prod and dev scopes.

Next steps

Last updated on