Launching gh-dep-risk
I built gh-dep-risk to make npm dependency pull request review faster.
It is a precompiled GitHub CLI extension that summarizes dependency risk on demand, so the workflow stays inside gh instead of requiring a server, webhook receiver, database, queue, or dashboard.
What it does
- summarizes npm dependency changes in a PR
- renders human, JSON, and markdown output
- can upsert a single PR timeline marker comment with `--comment`
- supports `--fail-level` for CI and workflow gating
- supports monorepo and workspace target selection with `--path` and `--list-targets`
- supports a manual GitHub Actions workflow for no-local-install runs
Why this shape
I wanted something reviewers can run only when they need it, with existing GitHub auth and without more infrastructure to operate.
Install
gh extension install rad1092/gh-dep-risk
gh dep-risk version
Example
gh dep-risk pr 123
gh dep-risk pr 123 --format json
gh dep-risk pr 123 --comment
gh dep-risk pr 123 --fail-level high
Scope
- npm-only
- supports `package.json` and `package-lock.json`
- one Go binary
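To make concrete what a dependency summary built from `package-lock.json` looks like, and how a `--fail-level` style gate sits on top of it, here is an added Go example. It is not gh-dep-risk's own code: it diffs two constructed lockfile v2/v3 documents (standing in for a PR's base and head), classifies each change with assumed risk rules (new package: high, major version bump: medium, everything else: low), and reports whether the result meets a threshold. The level names, the scoring rules and the function names are assumptions for illustration; the extension's real scoring and output format are not described on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// lockfile covers the one part of package-lock.json (lockfileVersion 2/3)
// this example reads: the "packages" map keyed by install path.
type lockfile struct {
	Packages map[string]struct {
		Version string `json:"version"`
	} `json:"packages"`
}

// Change is one dependency delta between the base and head lockfiles.
type Change struct {
	Name   string
	Before string // "" when the package is newly added
	After  string // "" when the package was removed
	Level  string // assumed levels: low, medium, high
}

// levelRank orders the assumed levels so a --fail-level style gate can compare them.
var levelRank = map[string]int{"none": 0, "low": 1, "medium": 2, "high": 3}

// majorOf returns the leading numeric component of a version string.
func majorOf(v string) int {
	n, _ := strconv.Atoi(strings.SplitN(strings.TrimLeft(v, "^~v"), ".", 2)[0])
	return n
}

// classify applies illustrative rules (an assumption, not gh-dep-risk's scoring):
// a new package is the least-reviewed code entering the tree, a major bump may
// change behaviour, and removals or minor/patch bumps are low.
func classify(before, after string) string {
	switch {
	case before == "":
		return "high"
	case after == "":
		return "low"
	case majorOf(before) != majorOf(after):
		return "medium"
	default:
		return "low"
	}
}

// installed maps each node_modules install path to its version; nested paths
// such as "a/node_modules/b" stay distinct from the top-level "b".
func installed(l lockfile) map[string]string {
	out := map[string]string{}
	for path, p := range l.Packages {
		if strings.HasPrefix(path, "node_modules/") {
			out[strings.TrimPrefix(path, "node_modules/")] = p.Version
		}
	}
	return out
}

// DiffLockfiles parses two package-lock.json documents and returns the
// added, removed and version-changed packages, sorted by name.
func DiffLockfiles(baseJSON, headJSON []byte) ([]Change, error) {
	var base, head lockfile
	if err := json.Unmarshal(baseJSON, &base); err != nil {
		return nil, fmt.Errorf("base lockfile: %w", err)
	}
	if err := json.Unmarshal(headJSON, &head); err != nil {
		return nil, fmt.Errorf("head lockfile: %w", err)
	}
	b, h := installed(base), installed(head)
	var changes []Change
	for name, v := range h {
		if b[name] != v { // added, or version differs
			changes = append(changes, Change{Name: name, Before: b[name], After: v, Level: classify(b[name], v)})
		}
	}
	for name, v := range b {
		if _, ok := h[name]; !ok { // removed
			changes = append(changes, Change{Name: name, Before: v, Level: classify(v, "")})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].Name < changes[j].Name })
	return changes, nil
}

// MaxLevel is the highest level among the changes, or "none" when there are none.
func MaxLevel(changes []Change) string {
	max := "none"
	for _, c := range changes {
		if levelRank[c.Level] > levelRank[max] {
			max = c.Level
		}
	}
	return max
}

// ShouldFail is a --fail-level style gate: true when some change is at or above
// the threshold (an unknown or "none" threshold never fails).
func ShouldFail(changes []Change, failLevel string) bool {
	return levelRank[failLevel] > 0 && levelRank[MaxLevel(changes)] >= levelRank[failLevel]
}

// Constructed sample lockfiles standing in for the PR's base and head commits.
const baseLock = `{"lockfileVersion": 3, "packages": {
  "": {"name": "demo"},
  "node_modules/express": {"version": "4.18.2"},
  "node_modules/left-pad": {"version": "1.3.0"},
  "node_modules/lodash": {"version": "4.17.20"}}}`

const headLock = `{"lockfileVersion": 3, "packages": {
  "": {"name": "demo"},
  "node_modules/express": {"version": "5.0.0"},
  "node_modules/lodash": {"version": "4.17.21"},
  "node_modules/tiny-helper": {"version": "0.1.0"}}}`

func main() {
	changes, err := DiffLockfiles([]byte(baseLock), []byte(headLock))
	if err != nil {
		panic(err)
	}
	for _, c := range changes {
		fmt.Printf("%-12s %q -> %q  %s\n", c.Name, c.Before, c.After, c.Level)
	}
	fmt.Println("max level:", MaxLevel(changes), "fail at high:", ShouldFail(changes, "high"))
}
```

Only the `node_modules/` entries of the `packages` map are compared, so the root project entry is ignored and each nested install path is tracked on its own. The gate treats "none" or an unrecognised level as "never fail", which is the safer default for a CI step that may be handed a misspelled flag value.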
Links
- GitHub repo: https://github.com/rad1092/gh-dep-risk
- Latest release: https://github.com/rad1092/gh-dep-risk/releases/latest
- Launch discussion: https://github.com/rad1092/gh-dep-risk/discussions/1
The current public release is v0.1.5. It includes the MIT license, release-ready docs, install smoke coverage, and real PR validation.
Feedback, issues, and edge cases are welcome.