DEV Community

Monde kim

gh-dep-risk v0.2.0: broader local fallback for dependency PR review

I built gh-dep-risk as an AI-assisted GitHub CLI extension for on-demand dependency pull request review.

The project started as a small npm-focused reviewer tool. The v0.2.0 release expands the local fallback coverage while keeping the same design boundary: GitHub Dependency Review API first, static local fallback second, no server, no dashboard, and no package-manager command execution.

Repository: https://github.com/rad1092/gh-dependency-risk

Install: gh extension install rad1092/gh-dep-risk

Release: https://github.com/rad1092/gh-dependency-risk/releases/tag/v0.2.0

What changed in v0.2.0

gh-dep-risk can now inspect direct dependency changes from more repository file shapes when GitHub Dependency Review is unavailable:

  • npm, pnpm, and Yarn Classic remain supported.
  • Python direct fallback supports requirements.txt and PEP 621 pyproject.toml declarations.
  • Poetry fallback reads Poetry dependency declarations and can enrich direct changes from poetry.lock.
  • uv.lock can enrich PEP 621 direct dependency changes with resolved version/source details.
  • Go modules fallback reads go.mod require and replace changes, while treating go.sum as checksum evidence only.
  • Yarn Berry / modern Yarn fallback reads direct package.json declarations and matching modern yarn.lock entries.
  • Bun fallback reads direct package.json declarations and matching text bun.lock entries.
  • Binary bun.lockb is handled honestly as unsupported rather than guessed.

What the tool intentionally does not do

The fallback path is static and conservative. It does not run npm, yarn, bun, poetry, uv, pip, go list, or go mod. It also does not reconstruct a full transitive graph, parse .pnp.cjs, parse binary bun.lockb, or query package registries for new ecosystem metadata.

That constraint is intentional. The CLI should be useful during review without pretending to be a resolver or managed service.
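As an added illustration (my own example, not code from the gh-dep-risk repository), the following Go program shows the kind of static comparison the go.mod fallback and the no-execution constraint above imply: it reads require directives from base and head file text, ignores `// indirect` entries so only direct dependencies are compared, and never invokes go list or go mod. The module paths and versions in the sample go.mod contents are constructed; replace directives and go.sum checksum evidence are out of scope for this snippet.

```go
package main

import "sort"
import "strings"

// DepChange is one direct-dependency delta; Kind is "added", "removed" or "changed".
type DepChange struct{ Kind, Module, From, To string }

// parseRequires reads require directives as text (no go list/go mod), skipping "// indirect".
func parseRequires(gomod string) map[string]string {
	deps, inBlock := map[string]string{}, false
	for _, raw := range strings.Split(gomod, "\n") {
		direct := !strings.Contains(raw, "// indirect")
		f := strings.Fields(strings.SplitN(raw, "//", 2)[0]) // strip comments
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case inBlock && len(f) == 1 && f[0] == ")":
			inBlock = false
		case direct && len(f) == 3 && f[0] == "require":
			deps[f[1]] = f[2]
		case direct && inBlock && len(f) == 2:
			deps[f[0]] = f[1]
		}
	}
	return deps
}

// DiffDirectRequires lists added/removed/changed direct modules, sorted by path for deterministic output.
func DiffDirectRequires(baseMod, headMod string) []DepChange {
	base, head := parseRequires(baseMod), parseRequires(headMod)
	var out []DepChange
	for m, v := range head {
		if bv, ok := base[m]; !ok {
			out = append(out, DepChange{"added", m, "", v})
		} else if bv != v {
			out = append(out, DepChange{"changed", m, bv, v})
		}
	}
	for m, v := range base {
		if _, ok := head[m]; !ok {
			out = append(out, DepChange{"removed", m, v, ""})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out
}
// Constructed sample go.mod contents (not from any real repository).
const baseGoMod = "module example.com/app\n\ngo 1.22\n\nrequire (\n\tgithub.com/a/lib v1.2.0\n\tgithub.com/b/tool v0.9.0\n\tgolang.org/x/text v0.14.0 // indirect\n)\n"
const headGoMod = "module example.com/app\n\ngo 1.22\n\nrequire github.com/c/new v1.0.0\n\nrequire (\n\tgithub.com/a/lib v1.3.0\n\tgolang.org/x/text v0.15.0 // indirect\n)\n"
```

Calling DiffDirectRequires(baseGoMod, headGoMod) on the constructed input reports one changed, one removed and one added direct module, and the indirect golang.org/x/text bump is not reported at all.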

Example usage

gh extension install rad1092/gh-dep-risk

gh dep-risk pr 123
gh dep-risk pr 123 --format json
gh dep-risk pr 123 --comment
gh dep-risk pr 123 --fail-level high
gh dep-risk pr 123 --list-targets
gh dep-risk pr 123 --path services/api

--comment upserts one marker comment on the PR timeline. It does not create review comments, and it does not require running a server or GitHub App.

Why I built it this way

I wanted a reviewer-facing command that stays close to gh authentication and normal pull request workflows. Dependency Review remains the best source when GitHub can provide it. Local fallback exists for cases where that API is unavailable, such as unsupported repository visibility or permission boundaries.

The result is a small precompiled extension that gives a deterministic risk summary, clear notes, and JSON/markdown output without adding another service to operate.
