Dependency Diff
Shows a complete diff of all package changes in a PR — additions, removals, and version bumps. Optionally scans for known CVEs so reviewers have everything they need to assess the impact before merging.
Usage
```yaml
- name: Post Dependency Diff
  uses: dev-herald/comment@v1
  with:
    api-key: ${{ secrets.DEV_HERALD_KEY }}
    pr-number: ${{ github.event.pull_request.number }}
    sticky-id: dependency-diff
    signal: 'DEPENDENCY_DIFF'
    enable-cve: 'true'
    max-deps: '50'
```

Requires fetch-depth: 0 on your checkout step so Dev Herald can compare against the base branch.
Options
| Option | Required | Default | Description |
|---|---|---|---|
| signal | ✅ | — | Must be DEPENDENCY_DIFF |
| sticky-id | Recommended | — | Reuses the same comment on every push |
| enable-cve | No | false | Scans changed packages for known CVEs |
| max-deps | No | 50 | Maximum number of dependency changes to list in the comment |
How It Differs from New Dependency
DEPENDENCY_DIFF covers everything — new packages, removed packages, and version changes. Use it when you want a full audit of what changed in package.json or package-lock.json.
For a focused view of only brand-new additions, see New Dependency.
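To make concrete what a full diff contains (additions, removals and version bumps) and how a max-deps cap truncates the list, here is an added example that is not Dev Herald's own code: a small Python script that compares the installed versions recorded in two package-lock.json files. The lockfile contents are constructed samples and the output line format is an assumption.

```python
import json

# Constructed sample package-lock.json contents (v2/v3 "packages" layout); not from any real project.
BASE_LOCK = json.dumps({"packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.20"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/express": {"version": "4.18.2"},
}})
HEAD_LOCK = json.dumps({"packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/minimist": {"version": "1.2.8"},
}})

PREFIX = "node_modules/"

def installed_versions(lock_json):
    """Map package name -> version for every installed package in a lockfile."""
    packages = json.loads(lock_json).get("packages", {})
    versions = {}
    for path, meta in packages.items():
        if not path.startswith(PREFIX):
            continue  # the "" entry is the root project, not a dependency
        # Nested installs look like node_modules/a/node_modules/b; keep the leaf name.
        name = path.rsplit(PREFIX, 1)[1]
        versions[name] = meta.get("version")
    return versions

def dependency_diff(base_json, head_json, max_deps=50):
    """Classify every change between base and head, then cap the listed lines at max_deps."""
    base, head = installed_versions(base_json), installed_versions(head_json)
    added = sorted(n for n in head if n not in base)
    removed = sorted(n for n in base if n not in head)
    changed = sorted((n, base[n], head[n]) for n in base if n in head and base[n] != head[n])
    lines = ([f"+ {n}@{head[n]}" for n in added]
             + [f"- {n}@{base[n]}" for n in removed]
             + [f"~ {n} {old} -> {new}" for n, old, new in changed])
    return {"added": added, "removed": removed, "changed": changed,
            "lines": lines[:max_deps], "omitted": max(0, len(lines) - max_deps)}

if __name__ == "__main__":
    result = dependency_diff(BASE_LOCK, HEAD_LOCK, max_deps=2)
    print("\n".join(result["lines"]))
    if result["omitted"]:
        print(f"... {result['omitted']} more change(s) not shown (max-deps reached)")
```

In a real workflow the two lockfile versions come from the base branch and the PR head, which is why the checkout needs the full history.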
Next Steps
- See the Dependency Management guide for a full setup walkthrough
- Combine with New Dependency to call out fresh additions separately