The latest articles on DEV Community by Monde kim (@rad1092). https://dev.to/rad1092 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3881867%2Fe2e02ace-0f34-4232-92a6-ac34ccc77f67.png https://dev.to/rad1092 en Monde kim Thu, 16 Apr 2026 07:31:32 +0000 https://dev.to/rad1092/gh-dep-risk-a-github-cli-extension-for-npm-pr-dependency-risk-review-410j https://dev.to/rad1092/gh-dep-risk-a-github-cli-extension-for-npm-pr-dependency-risk-review-410j <h1> Launching gh-dep-risk </h1> <p>I built <code>gh-dep-risk</code> to make npm dependency pull request review faster.</p> <p>It is a precompiled GitHub CLI extension that summarizes dependency risk on demand, so the workflow stays inside <code>gh</code> instead of requiring a server, webhook receiver, database, queue, or dashboard.</p> <h2> What it does </h2> <ul> <li>summarizes npm dependency changes in a PR</li> <li>renders human, JSON, and markdown output</li> <li>can upsert a single PR timeline marker comment with <code>--comment</code> </li> <li>supports <code>--fail-level</code> for CI and workflow gating</li> <li>supports monorepo and workspace target selection with <code>--path</code> and <code>--list-targets</code> </li> <li>supports a manual GitHub Actions workflow for no-local-install runs</li> </ul> <h2> Why this shape </h2> <p>I wanted something reviewers can run only when they need it, with existing GitHub auth and without more infrastructure to operate.</p> <h2> Install </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gh extension <span class="nb">install </span>rad1092/gh-dep-risk gh dep-risk version </code></pre> </div> <h2> Example </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gh dep-risk <span class="nb">pr </span>123 gh dep-risk <span class="nb">pr </span>123 <span class="nt">--format</span> json gh dep-risk <span class="nb">pr </span>123 <span class="nt">--comment</span> gh dep-risk <span class="nb">pr </span>123 <span class="nt">--fail-level</span> high </code></pre> </div> <h2> Scope </h2> <ul> <li>npm-only</li> <li>supports <code>package.json</code> and <code>package-lock.json</code> </li> <li>one Go binary</li> </ul> <h2> Links </h2> <ul> <li>GitHub repo: <a href="https://github.com/rad1092/gh-dep-risk" rel="noopener noreferrer">https://github.com/rad1092/gh-dep-risk</a> </li> <li>Latest release: <a href="https://github.com/rad1092/gh-dep-risk/releases/latest" rel="noopener noreferrer">https://github.com/rad1092/gh-dep-risk/releases/latest</a> </li> <li>Launch discussion: <a href="https://github.com/rad1092/gh-dep-risk/discussions/1" rel="noopener noreferrer">https://github.com/rad1092/gh-dep-risk/discussions/1</a> </li> </ul> <p>The current public release is <code>v0.1.5</code>. It includes the MIT license, release-ready docs, install smoke coverage, and real PR validation.</p> <p>Feedback, issues, and edge cases are welcome.</p> github cli security npm