# Alerts
What triggers a lockfile alert, what the severity levels mean, and how to act on them.
A lockfile alert fires when a tracked source publishes a release that
matters for your dependency snapshot. The alert ties the upstream change
back to the version you're actually pinned to — so the heads-up is "your
react@18.2.0 has a high-risk update available," not just "react updated."
## What triggers an alert
- A new release is published for a source that's referenced in one of your uploaded lockfiles.
- The release's risk score crosses your configured threshold (default: 70+ / "high").
- The release contains breaking changes or undocumented changes that the diff analysis flagged.
You'll see the alert on the pulse feed and, if you have digests configured, in the next scheduled email.
## Severity levels
| Level | Score band | Typical cause |
|---|---|---|
| Low | 0–39 | Patch releases, docs-only changes, dependency bumps. |
| Medium | 40–69 | Feature additions, refactors, behavior tweaks worth knowing about. |
| High | 70–100 | Documented breaking changes, undocumented signature changes, security implications. |
The default alert threshold is High. You can lower it from Settings → Digests if you want a tighter notification cadence.
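To make the trigger rules and the severity bands above concrete, here is an added illustration (not the service's own code) that reads pinned versions out of an npm `package-lock.json`, checks an upstream release against the threshold and the breaking/undocumented flags, and ties the result back to the pinned version. The lockfile parsing follows npm's `lockfileVersion` 2/3 `packages` map; the release record's field names, `evaluate_release`, and the sample data are assumptions constructed for this example.

```python
# Added illustration, not the service's own code: derives a lockfile alert from
# a pinned dependency snapshot plus an upstream release record. Lockfile input is
# npm's package-lock.json ("packages" map, lockfileVersion 2/3); the release
# fields and alert rules are assumptions that follow the page's description.
import json

DEFAULT_THRESHOLD = 70  # page default: notify at "high" (70+)
SEVERITY_BANDS = (("Low", 0, 39), ("Medium", 40, 69), ("High", 70, 100))


def severity_for(score):
    """Map a 0-100 risk score onto the page's Low/Medium/High bands."""
    for level, lo, hi in SEVERITY_BANDS:
        if lo <= score <= hi:
            return level
    raise ValueError(f"risk score out of range: {score}")


def pinned_versions(lockfile_text):
    """Return {package_name: pinned_version} from a package-lock.json body."""
    pins = {}
    for path, entry in json.loads(lockfile_text).get("packages", {}).items():
        if path:  # "" is the root project entry, not a dependency
            pins[path.rsplit("node_modules/", 1)[-1]] = entry["version"]
    return pins


def evaluate_release(pins, release, threshold=DEFAULT_THRESHOLD):
    """Return an alert dict tied to the pinned version, or None if no alert.

    `release` is a constructed record with hypothetical field names:
    name, version, risk_score, breaking, undocumented_changes.
    """
    name = release["name"]
    if name not in pins:
        return None  # source not referenced in any uploaded lockfile
    flagged = release["breaking"] or release["undocumented_changes"]
    if release["risk_score"] < threshold and not flagged:
        return None
    return {"package": name, "pinned": pins[name],
            "available": release["version"],
            "severity": severity_for(release["risk_score"])}


# Constructed sample lockfile fragment and release event.
SAMPLE_LOCK = json.dumps({"packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/react": {"version": "18.2.0"},
    "node_modules/lodash": {"version": "4.17.21"}}})
SAMPLE_RELEASE = {"name": "react", "version": "19.0.0", "risk_score": 82,
                  "breaking": True, "undocumented_changes": False}
```

Running `evaluate_release(pinned_versions(SAMPLE_LOCK), SAMPLE_RELEASE)` yields a High alert for react pinned at 18.2.0 with 19.0.0 available; a release for a package that is not in the lockfile, or one below the threshold with no flags, yields `None`.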
## Acting on an alert
Click through to the source's release detail to see the full summary, the diff, and the specific signals that drove the score (see Risk scoring for the breakdown). Decide whether to update, pin around the change, or wait for a follow-up patch.
If you decide it's safe and update your lockfile locally, re-upload the new version to clear the alert and re-baseline.