New Dependency
Highlights brand-new packages being introduced in a PR — packages that don’t exist in the base branch at all. Optionally scans them for known CVEs so reviewers can catch supply chain risks before they merge.
Usage
```yaml
- name: Post New Dependency Signal
  uses: dev-herald/comment@v1
  with:
    api-key: ${{ secrets.DEV_HERALD_KEY }}
    pr-number: ${{ github.event.pull_request.number }}
    signal: 'NEW_DEPENDENCY'
    enable-cve: 'true'
    max-deps: '25'
    sticky-id: 'new-deps'
```

Requires `fetch-depth: 0` on your checkout step so Dev Herald can compare against the base branch.
Options
| Option | Required | Default | Description |
|---|---|---|---|
| signal | ✅ | — | Must be `NEW_DEPENDENCY` |
| sticky-id | Recommended | — | Reuses the same comment on every push |
| enable-cve | No | false | Scans new packages for known CVEs |
| max-deps | No | 25 | Maximum number of new dependencies to list in the comment |
How It Differs from Dependency Diff
NEW_DEPENDENCY only surfaces packages that are being added for the first time — it ignores version bumps and removals. Use it when you want focused visibility on supply chain additions without the noise of routine upgrades.
For a complete picture of all package changes, see Dependency Diff.
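The distinction above can be made concrete with a small classifier. This is an added example, not Dev Herald's own code: it takes a base-branch manifest and a PR-head manifest (constructed sample data in a simple `name==version` format), computes the full dependency diff (added, version-bumped, removed), and then derives the `NEW_DEPENDENCY` view, which keeps only the first-time additions and caps the list at `max-deps`. The function names, the manifest format and the comment layout are assumptions for illustration.

```python
"""Classify package changes between a base branch and a PR head.

Added example, not Dev Herald's own code. It models the page's distinction
between the full Dependency Diff (added / bumped / removed) and the
NEW_DEPENDENCY signal (first-time additions only, capped at max-deps).
The manifests are constructed sample data in a "name==version" format;
the helper names are assumptions, not the action's API.
"""
from typing import Dict, List, Tuple

# Constructed sample manifests (not real project data).
BASE_MANIFEST = """\
requests==2.31.0
urllib3==2.0.7
certifi==2023.7.22
"""

HEAD_MANIFEST = """\
requests==2.32.0      # version bump: not a new dependency
certifi==2023.7.22    # unchanged
sample-new-pkg==0.1.0 # brand-new package
another-new-pkg==1.4.2
"""


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines into {name: version}; comments and blanks are skipped."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def dependency_diff(
    base: Dict[str, str], head: Dict[str, str]
) -> Tuple[Dict[str, str], Dict[str, Tuple[str, str]], Dict[str, str]]:
    """Full picture of package changes, as a Dependency Diff signal would report.

    Returns (added, bumped, removed):
      added   -> {name: head_version} for names absent from base
      bumped  -> {name: (base_version, head_version)} where both exist but differ
      removed -> {name: base_version} for names absent from head
    """
    added = {n: v for n, v in head.items() if n not in base}
    removed = {n: v for n, v in base.items() if n not in head}
    bumped = {n: (base[n], head[n]) for n in head if n in base and base[n] != head[n]}
    return added, bumped, removed


def new_dependencies(base: Dict[str, str], head: Dict[str, str], max_deps: int = 25) -> List[str]:
    """NEW_DEPENDENCY view: only packages absent from the base branch, sorted and capped."""
    added, _, _ = dependency_diff(base, head)
    return sorted(added)[:max_deps]


def render_comment(base: Dict[str, str], head: Dict[str, str], max_deps: int = 25) -> str:
    """Build the text of a sticky PR comment listing first-time additions only.

    Version bumps and removals are deliberately left out; if more packages were
    added than max_deps, the comment says how many were omitted so reviewers
    know the list is truncated rather than complete.
    """
    added, _, _ = dependency_diff(base, head)
    shown = new_dependencies(base, head, max_deps)
    lines = ["New dependencies introduced in this PR:"]
    lines += [f"- {name}=={added[name]}" for name in shown]
    omitted = len(added) - len(shown)
    if omitted > 0:
        lines.append(f"... and {omitted} more (max-deps={max_deps})")
    return "\n".join(lines)


if __name__ == "__main__":
    base_deps = parse_manifest(BASE_MANIFEST)
    head_deps = parse_manifest(HEAD_MANIFEST)
    print(render_comment(base_deps, head_deps, max_deps=1))
```

Running the module prints a comment that names only `another-new-pkg` and notes one omitted package; `requests` (bumped) and `urllib3` (removed) appear in `dependency_diff` but never in the `NEW_DEPENDENCY` view, which is exactly the noise the signal is meant to filter out.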
Next Steps
- See the Dependency Management guide for a full setup walkthrough
- Combine with Dependency Diff for complete package change visibility