DEV Community

Monde kim

gh-dep-risk v0.2.1: real smoke matrix, cleaner docs, longer demo

I just shipped gh-dep-risk v0.2.1.

gh-dep-risk is a precompiled GitHub CLI extension for on-demand dependency risk summaries in pull requests. It is not a server, GitHub App, webhook receiver, queue, database, or dashboard. It runs as gh dep-risk and reuses normal GitHub CLI authentication.

[Demo GIF: gh-dep-risk terminal demo]

What changed

This release is mostly about making the tool less like a demo and more like something I can trust during real review work.

  • Fixed a Yarn Classic local fallback panic when a package target exists only on the pull request head side.
  • Treated registry.yarnpkg.com as a normal Yarn registry source instead of warning on ordinary Yarn Classic lockfile entries.
  • Reworked the README down to the essentials and moved the detailed contracts into docs/support-matrix.md and docs/behavior.md.
  • Replaced the short README GIF with a longer demo generated from real CLI runs against owned live fixture PRs.
  • Expanded install-smoke so the published extension is installed and run across the full live matrix on Linux, macOS, and Windows.

What the live matrix covers

The release was checked against real pull requests for:

  • npm
  • pnpm workspace
  • Yarn Classic
  • Python requirements.txt
  • Python PEP 621
  • Poetry
  • uv
  • Go modules
  • Yarn Berry / modern Yarn
  • Bun text bun.lock
  • unsupported binary bun.lockb behavior, which correctly exits with code 2 instead of pretending to analyze it

I also ran comment-mode smoke against a dedicated owned repository. It updated my own <!-- gh-dep-risk --> marker comment and left the existing github-actions[bot] marker alone.
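The marker-comment behaviour described above (update your own marker comment, leave another account's marker comment alone) is worth spelling out as a decision rule. The following is an added illustration, not gh-dep-risk's own code; the Comment type, the plan_comment_update function, the logins and the sample thread are all constructed for this example.

```python
# Added illustration of "marker comment" upsert logic for a PR comment mode.
# This is not gh-dep-risk's own code; the Comment type, plan_comment_update
# and the sample comments below are constructed for the example.
from dataclasses import dataclass

# Hidden HTML comment used to recognise a comment the tool posted earlier.
MARKER = "<!-- gh-dep-risk -->"


@dataclass(frozen=True)
class Comment:
    id: int
    author: str  # GitHub login of the comment author
    body: str


def plan_comment_update(comments, current_user, report, marker=MARKER):
    """Decide how to publish `report` on a pull request.

    Only a marker comment authored by `current_user` is a candidate for an
    update. Marker comments from other accounts (for example a CI bot that
    runs the same tool) are listed as left alone and are never edited or
    deleted. Returns a dict with the action, the target comment id (or
    None), the body to send, and the ids of foreign marker comments skipped.
    """
    # Always carry the marker so the next run can find this comment again.
    body = report if marker in report else f"{marker}\n{report}"
    owned = sorted(
        (c for c in comments if c.author == current_user and marker in c.body),
        key=lambda c: c.id,
    )
    foreign = [c.id for c in comments if c.author != current_user and marker in c.body]
    if owned:
        # Update the oldest own marker comment so the thread keeps one stable anchor.
        return {"action": "update", "comment_id": owned[0].id, "body": body, "left_alone": foreign}
    return {"action": "create", "comment_id": None, "body": body, "left_alone": foreign}


# Constructed sample thread: a CI bot's marker comment from the same tool,
# a reviewer comment without a marker, and an older own marker comment.
SAMPLE_COMMENTS = [
    Comment(101, "github-actions[bot]", f"{MARKER}\nDependency risk summary (CI run)"),
    Comment(102, "reviewer-alice", "Looks fine, one question about the lockfile diff."),
    Comment(103, "example-user", f"{MARKER}\nDependency risk summary (older manual run)"),
]


if __name__ == "__main__":
    plan = plan_comment_update(SAMPLE_COMMENTS, "example-user", "Dependency risk summary (new run)")
    print(plan["action"], plan["comment_id"], "left alone:", plan["left_alone"])
```

Keying the update on both the marker and the authenticated login is what keeps a manual gh run from clobbering a CI bot's comment (or vice versa) when both publish the same kind of summary on one pull request.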

Positioning

I looked again at the shape of GitHub's Dependency Review Action, OSV Scanner, and reviewdog. The useful lesson was not to copy their scope. gh-dep-risk should stay a reviewer-facing CLI layer:

  • Dependency Review API first
  • static local fallback only when Dependency Review is unavailable
  • no resolver pretending
  • no full transitive graph reconstruction where the tool cannot honestly do it
  • no web UI

That boundary is now much clearer in the docs.

Repository: https://github.com/rad1092/gh-dependency-risk
Release: https://github.com/rad1092/gh-dependency-risk/releases/tag/v0.2.1

Disclosure: this release included AI-assisted implementation, documentation, and validation work with Codex, with the final changes tested against real commands and live GitHub smoke repositories.
