Signals
Health reports are built from structured signal payloads. Each ingest must include at least one signal section under signals.
For request bodies, field types, validation rules, and example payloads, see the API Reference.
dependencies
Package inventory and vulnerability summary — typically collected from your lockfile by the dev-herald/health action.
| Field | Description |
|---|---|
total | Total dependency count |
production | Production dependency count |
development | Development dependency count |
vulnerabilities | Counts by severity (critical, high, medium, low) |
Shown in the dashboard and Slack summaries as dependency counts and vulnerability badges. Compared against the previous report for deltas.
bundle
Aggregate JS/CSS bundle metrics with per-route attribution. Send every route you measure — Dev Herald derives top routes for display by sorting on size.
| Field | Description |
|---|---|
totalBytes | Total bundle size in bytes |
jsBytes | JavaScript size in bytes |
cssBytes | CSS size in bytes |
routes | Per-route breakdown |
Each route must include at least one size field (totalBytes, uncompressedBytes, or compressedBytes). Optional moduleCount tracks how many modules are attributed to a route.
Bundle regressions and improvements are highlighted in the dashboard with week-over-week deltas.
unusedCode
Dead-code and unused-artifact lists from tools like Knip. Counts in the dashboard are derived from list lengths.
| Field | Description |
|---|---|
unusedFilesList | Source files with no imports |
unusedDepsList | Dependencies listed in package.json but never imported |
unusedTypeExportsList | Exported types with no consumers |
The dev-herald/health action maps Knip JSON output to this signal when knip-report-path is set. Findings can be opened in Cursor or other AI editors from the dashboard.
cve
Detailed CVE findings from a lockfile scan. Typically collected automatically by the dev-herald/health action when lockfile-path is set.
Set cve-detail: "true" on the action to include per-advisory details (advisory ID, affected package, severity, description). With "false" (the default), only aggregate vulnerability counts are sent under dependencies.vulnerabilities.
Production and development dependencies are reported separately under prod and dev scopes.
Next steps
- Quick Start — Add health reporting to CI
- API Reference — Full OpenAPI schema for the ingest endpoint