I built gh-dep-risk to make pull request dependency review easier to run on demand.
It is a precompiled GitHub CLI extension. Reviewers can run it from the terminal, in CI, or from a manual GitHub Actions workflow without operating a server, webhook receiver, queue, database, dashboard, or GitHub App.
Repository: https://github.com/rad1092/gh-dep-risk
Latest release: https://github.com/rad1092/gh-dep-risk/releases/latest
Why a CLI extension
Dependency review often needs a quick answer during code review:
- what changed
- why it might be risky
- what the reviewer should check next
- whether the PR should block at a chosen risk level
I wanted that flow to stay close to GitHub and gh, rather than adding another always-on service.
What it does
gh-dep-risk analyzes a pull request and produces a dependency risk summary.
It can output:
- human-readable terminal output
- stable JSON
- markdown for PR comments
- a reusable output bundle for workflow artifacts
It can also upsert one marker comment on a PR timeline with --comment, and it can return a blocking exit code with --fail-level.
Current support
The current release focuses on JavaScript package managers for local fallback analysis:
- npm: package.json + package-lock.json
- pnpm: package.json + pnpm-lock.yaml
- Yarn: package.json + yarn.lock, with narrow Yarn Classic support
When GitHub Dependency Review provides data, the report can also surface dependency changes from other ecosystems. Local fallback support outside npm, pnpm, and Yarn is intentionally not claimed in this release.
That distinction matters. I do not want the tool to pretend it can analyze an ecosystem locally if it cannot do that honestly from repository files.
Example commands
gh extension install rad1092/gh-dep-risk
gh dep-risk pr 123
gh dep-risk pr https://github.com/OWNER/REPO/pull/123
gh dep-risk pr 123 --format json
gh dep-risk pr 123 --comment
gh dep-risk pr 123 --fail-level high
gh dep-risk pr 123 --bundle-dir ./out
For monorepos:
gh dep-risk pr 123 --list-targets
gh dep-risk pr 123 --path apps/web
gh dep-risk pr 123 --path package.json --comment
Config file
Teams can put defaults in .gh-dep-risk.yml:
lang: en
fail_level: high
comment: true
path:
- apps/web
no_registry: false
CLI flags still win over config values, so reviewers can override behavior per run.
Comment behavior
--comment uses PR timeline issue comments, not review comments.
The marker is:
<!-- gh-dep-risk -->
The tool maintains exactly one marker comment owned by the authenticated user. It does not edit or delete another author's marker comment.
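As an added illustration of the upsert rule above (my own sketch, not the extension's code), this Go snippet plans the single API call the marker comment needs and replays it against an in-memory timeline; the `Action`, `PlanUpsert` and `Apply` names, the sequential comment IDs and the constructed timeline are assumptions.

```go
package main

import "strings"

// Marker is the hidden HTML comment gh-dep-risk places in its PR comment.
const Marker = "<!-- gh-dep-risk -->"

// Comment is a minimal view of a PR timeline issue comment.
type Comment struct {
	ID     int64
	Author string
	Body   string
}

// Action is the one API call the upsert needs: "create" a new comment or
// "update" an existing one (ID is set only for updates).
type Action struct {
	Op   string
	ID   int64
	Body string
}

// PlanUpsert decides how to keep exactly one marker comment owned by viewer.
// Only a marker comment whose author is viewer is updated; another author's
// marker comment is ignored, never edited or deleted.
func PlanUpsert(timeline []Comment, viewer, report string) Action {
	body := Marker + "\n" + report
	for _, c := range timeline {
		if c.Author == viewer && strings.Contains(c.Body, Marker) {
			return Action{Op: "update", ID: c.ID, Body: body}
		}
	}
	return Action{Op: "create", Body: body}
}

// Apply replays an Action against an in-memory timeline (a constructed stand-in
// for the GitHub API, using len+1 as the next ID) so behaviour can be checked offline.
func Apply(timeline []Comment, a Action, viewer string) []Comment {
	if a.Op == "update" {
		for i := range timeline {
			if timeline[i].ID == a.ID {
				timeline[i].Body = a.Body
			}
		}
		return timeline
	}
	next := int64(len(timeline) + 1)
	return append(timeline, Comment{ID: next, Author: viewer, Body: a.Body})
}
```

Running PlanUpsert twice over the same timeline yields one create followed by one update of that same comment, while a marker comment from a different author keeps its original body.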
Workflow mode
The repository includes a manual GitHub Actions workflow for no-local-install usage. It builds the CLI, runs the analysis once, writes a job summary, and uploads the human, JSON, markdown, and metadata bundle as artifacts.
This is still the same CLI engine. The workflow is a thin wrapper, not a server.
Design boundary
The project is intentionally small:
- one Go binary
- GitHub CLI extension shape
- on-demand execution
- no server or dashboard
- no broad managed-service direction
The goal is a practical reviewer tool that is easy to install, easy to run, and honest about what it can and cannot analyze locally.