Launching gh-dep-risk: a GitHub CLI extension for dependency PR review

Monde kim — Thu, 16 Apr 2026 07:31:32 +0000

I built gh-dep-risk to make pull request dependency review easier to run on demand.

It is a precompiled GitHub CLI extension. Reviewers can run it from the terminal, in CI, or from a manual GitHub Actions workflow without operating a server, webhook receiver, queue, database, dashboard, or GitHub App.

Repository: https://github.com/rad1092/gh-dep-risk
Latest release: https://github.com/rad1092/gh-dep-risk/releases/latest

Why a CLI extension

Dependency review often needs a quick answer during code review:

what changed
why it might be risky
what the reviewer should check next
whether the PR should block at a chosen risk level

I wanted that flow to stay close to GitHub and gh, rather than adding another always-on service.

What it does

gh-dep-risk analyzes a pull request and produces a dependency risk summary.

It can output:

human-readable terminal output
stable JSON
markdown for PR comments
a reusable output bundle for workflow artifacts

It can also upsert one marker comment on a PR timeline with --comment, and it can return a blocking exit code with --fail-level.

Current support

The current release focuses on JavaScript package managers for local fallback analysis:

npm: package.json + package-lock.json
pnpm: package.json + pnpm-lock.yaml
Yarn: package.json + yarn.lock with narrow Yarn Classic support

When GitHub Dependency Review provides data, the report can also surface dependency changes from other ecosystems. Local fallback support outside npm, pnpm, and Yarn is intentionally not claimed in this release.

That distinction matters. I do not want the tool to pretend it can analyze an ecosystem locally if it cannot do that honestly from repository files.

Example commands

gh extension install rad1092/gh-dep-risk

gh dep-risk pr 123
gh dep-risk pr https://github.com/OWNER/REPO/pull/123
gh dep-risk pr 123 --format json
gh dep-risk pr 123 --comment
gh dep-risk pr 123 --fail-level high
gh dep-risk pr 123 --bundle-dir ./out

For monorepos:

gh dep-risk pr 123 --list-targets
gh dep-risk pr 123 --path apps/web
gh dep-risk pr 123 --path package.json --comment

Config file

Teams can put defaults in .gh-dep-risk.yml:

lang: en
fail_level: high
comment: true
path:
  - apps/web
no_registry: false

CLI flags still win over config values, so reviewers can override behavior per run.

Comment behavior

--comment uses PR timeline issue comments, not review comments.

The marker is:

<!-- gh-dep-risk -->

The tool maintains exactly one marker comment owned by the authenticated user. It does not edit or delete another author's marker comment.

Workflow mode

The repository includes a manual GitHub Actions workflow for no-local-install usage. It builds the CLI, runs the analysis once, writes a job summary, and uploads the human, JSON, markdown, and metadata bundle as artifacts.

This is still the same CLI engine. The workflow is a thin wrapper, not a server.

Design boundary

The project is intentionally small:

one Go binary
GitHub CLI extension shape
on-demand execution
no server or dashboard
no broad managed-service direction

The goal is a practical reviewer tool that is easy to install, easy to run, and honest about what it can and cannot analyze locally.

DEV Community: Monde kim