Dependency Comments
Track package changes and spot new dependencies directly in your PRs — before they land in production.
Dev Herald provides two signals for dependency visibility:
| Signal | What it shows |
|---|---|
DEPENDENCY_DIFF | Full diff — additions, removals, and version bumps |
NEW_DEPENDENCY | Only packages being introduced for the first time |
Both optionally scan for known CVEs.
Both signals require fetch-depth: 0 on your checkout step so Dev Herald can compare against the base branch.
Dependency diff
Get a full diff of added, removed, and updated packages across every PR.
name: Dependency Diff
on:
pull_request:
types: [opened, synchronize, reopened]
jobs:
dependency-diff:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Post dependency diff
uses: dev-herald/comment@v1
with:
api-key: ${{ secrets.DEV_HERALD_API_KEY }}
pr-number: ${{ github.event.pull_request.number }}
sticky-id: dependency-diff
signal: 'DEPENDENCY_DIFF'
enable-cve: 'true'
max-deps: '50'Options
| Option | Required | Default | Description |
|---|---|---|---|
signal | ✅ | — | Must be DEPENDENCY_DIFF |
sticky-id | Recommended | — | Reuses the same comment on every push |
enable-cve | No | false | Scans changed packages for known CVEs |
max-deps | No | 50 | Maximum number of dependency changes to list |
New dependency signal
Surface only packages being introduced for the first time — great for keeping a close eye on supply chain additions without the noise of routine upgrades.
- name: Post New Dependency Signal
uses: dev-herald/comment@v1
with:
api-key: ${{ secrets.DEV_HERALD_API_KEY }}
pr-number: ${{ github.event.pull_request.number }}
signal: 'NEW_DEPENDENCY'
enable-cve: 'true'
max-deps: '25'
sticky-id: new-depsOptions
| Option | Required | Default | Description |
|---|---|---|---|
signal | ✅ | — | Must be NEW_DEPENDENCY |
sticky-id | Recommended | — | Reuses the same comment on every push |
enable-cve | No | false | Scans new packages for known CVEs |
max-deps | No | 25 | Maximum number of new dependencies to list |
Using both together
Combine both signals in a single workflow to get the full picture — a diff of all package changes alongside a focused view of net-new additions:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Post dependency diff
uses: dev-herald/comment@v1
with:
api-key: ${{ secrets.DEV_HERALD_API_KEY }}
pr-number: ${{ github.event.pull_request.number }}
sticky-id: dependency-diff
signal: 'DEPENDENCY_DIFF'
enable-cve: 'true'
max-deps: '50'
- name: Post new dependency signal
uses: dev-herald/comment@v1
with:
api-key: ${{ secrets.DEV_HERALD_API_KEY }}
pr-number: ${{ github.event.pull_request.number }}
signal: 'NEW_DEPENDENCY'
enable-cve: 'true'
max-deps: '25'
sticky-id: new-depsEach signal posts to its own sticky comment and updates in place on every push.
Next steps
- Learn about Sticky Comments to understand how comments update in place