Live lockfile connection

Connect a lockfile to a GitHub repository so DevUpdate.io fetches updates automatically.

A live lockfile connection links a monitored lockfile to a GitHub repository so DevUpdate.io fetches that lockfile's contents on a schedule and recomputes its available upgrades for you. Instead of re-uploading a file every time your dependency tree changes, the connection keeps your monitoring current automatically.

Prerequisite: connect GitHub #

Live lockfile connections, public and private alike, require a GitHub OAuth connection on your account. We use your own OAuth token to verify that the repository you're connecting is one you can actually reach on github.com, so DevUpdate.io can never read a repo you don't already have access to. Connect it from Settings → GitHub connection if you haven't yet.

If you skip this step, attempting to connect a repository will redirect you back to Settings with a prompt to connect GitHub first.

Repositories with access #

The Lockfiles tab shows a Repositories with access panel listing every repository you've granted the DevUpdate.io GitHub App — exactly the repos you picked at install time, nothing more. Each row has a Scan for lockfiles button that opens the connect dialog already pointed at that repo and immediately scans it, so you never have to paste a URL for a repo you've already connected.

The same list also powers a Your repositories picker at the top of the connect dialog: start typing to filter, pick a repo, and we fill in the URL (and scan, on the Scan tab) for you. You can still paste any repository URL by hand for a public repo you haven't installed the App on.

To change which repositories the App can see, use Manage repository access (in the panel header and next to the picker). It opens GitHub's App installation settings; repo access is granted or removed there, on GitHub's side rather than ours, and the panel reflects whatever you set on its next refresh.

Three ways to find your lockfile #

When you click Connect GitHub Repo, the dialog offers three picker modes — pick whichever fits the situation. Repository URL and branch are shared across all three.

  • Scan (recommended) — type the repository URL, click Scan, and we walk the whole repo and list every supported lockfile we find. Tick the ones you want; you can pick more than one and we'll create a separate monitored lockfile for each in a single submit. Best for monorepos with multiple lockfiles or when you don't remember the exact path.
  • Browse — desktop-style folder navigator. Expand directories to drill into the repo and tick the lockfile(s) you want. Useful as a fallback when Scan can't reach into a very large repo (we'll tell you when that's the case), or when you'd rather pick visually.
  • Manual — type the lockfile path yourself (for example package-lock.json or backend/go.sum). Best when you already know the exact path or you're rebinding an existing connection.

Multi-select #

In Scan and Browse you can tick several lockfiles at once. We create one monitored lockfile per selected path; each is named after its in-repo path (for example frontend / yarn.lock) and can be renamed, have auto-sync toggled, or be disconnected independently of the others.

No duplicates #

Each repository file is tracked once. If a scan turns up a lockfile you already connected, it appears as Already tracked and can't be re-selected, and connecting the same repo file again is skipped rather than creating a second copy. This holds across Scan, Browse, and Manual, so connecting a repo and later scanning it can't leave you with duplicate cards for the same file.

Manual uploads are adopted, not duplicated #

If you uploaded a lockfile by hand first and later connect the repository it came from, we recognize the match — the same content, or a manual lockfile of the same type whose packages mostly overlap the repo file's — and upgrade your existing manual lockfile to a live connection in place instead of creating a second record. Everything attached to it carries over: your name for it, the packages you selected for monitoring, their watched sources, and any dismissed upgrades. There's nothing to clean up afterwards; the connect dialog tells you when a selection was matched to an existing manual lockfile this way.
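The adoption rule above, worked through as an added example that is not DevUpdate.io's code. It assumes a representation the page does not spell out: a lockfile is a type (npm, go, ...) plus a parsed package-to-version map, "mostly overlap" is modelled as Jaccard similarity of the package-name sets at or above an assumed threshold of 0.8, and the `ManualLockfile` / `LiveLockfile` records, the `connect` function and the sample uploads are all constructed for illustration.

```python
# Added example (not DevUpdate.io's code): adopting a manual upload into a
# live connection. Assumed representation: a lockfile is a type ("npm", "go",
# ...) plus a parsed {package: version} map; "mostly overlap" is modelled as
# Jaccard similarity of package-name sets >= OVERLAP_THRESHOLD (0.8 assumed).
from dataclasses import dataclass, field

OVERLAP_THRESHOLD = 0.8  # assumed value; the page only says "mostly overlap"


@dataclass
class ManualLockfile:
    name: str
    kind: str                                           # "npm", "go", ...
    packages: dict                                      # package name -> version
    selected: set = field(default_factory=set)          # packages monitored
    watched_sources: dict = field(default_factory=dict) # package -> source URL
    dismissed: set = field(default_factory=set)         # dismissed (package, version)


@dataclass
class LiveLockfile:
    name: str
    kind: str
    repo: str
    path: str
    packages: dict
    selected: set
    watched_sources: dict
    dismissed: set
    adopted_from_manual: bool


def name_overlap(a: dict, b: dict) -> float:
    """Jaccard similarity of the two package-name sets (versions ignored)."""
    sa, sb = set(a), set(b)
    if not sa and not sb:
        return 0.0
    return len(sa & sb) / len(sa | sb)


def find_match(kind, repo_packages, manuals):
    """Identical content wins outright; otherwise the same-type manual lockfile
    with the highest overlap at or above the threshold; None if nothing fits."""
    best, best_score = None, 0.0
    for m in manuals:
        if m.kind != kind:
            continue                   # a go.sum never adopts a package-lock.json
        if m.packages == repo_packages:
            return m
        score = name_overlap(m.packages, repo_packages)
        if score >= OVERLAP_THRESHOLD and score > best_score:
            best, best_score = m, score
    return best


def connect(kind, repo, path, repo_packages, manuals):
    """Create the live connection, upgrading a matching manual record in place
    (removed from `manuals`, its settings carried over) instead of duplicating."""
    match = find_match(kind, repo_packages, manuals)
    if match is None:
        return LiveLockfile(path, kind, repo, path, dict(repo_packages),
                            set(), {}, set(), adopted_from_manual=False)
    manuals.remove(match)              # one record survives, now live
    return LiveLockfile(match.name, kind, repo, path, dict(repo_packages),
                        set(match.selected), dict(match.watched_sources),
                        set(match.dismissed), adopted_from_manual=True)


def sample_manuals():
    """Constructed data: one npm upload that should be adopted, one go.sum
    upload with the same names (wrong type), one npm upload that barely overlaps."""
    ten = {f"pkg{i}": "1.0.0" for i in range(10)}
    return [
        ManualLockfile("Frontend app", "npm", dict(ten), {"pkg1", "pkg2"},
                       {"pkg1": "https://github.com/example/pkg1"}, {("pkg3", "2.0.0")}),
        ManualLockfile("Not this one", "go", dict(ten)),
        ManualLockfile("Old experiment", "npm", {"pkg1": "1.0.0", "zzz": "0.1.0"}),
    ]


# Constructed repo file: pkg0 dropped, pkg10 added -> 9 shared of 11 names (0.82).
REPO_PACKAGES = {f"pkg{i}": "1.0.0" for i in range(1, 11)}

if __name__ == "__main__":
    manuals = sample_manuals()
    live = connect("npm", "acme/frontend", "frontend/package-lock.json",
                   REPO_PACKAGES, manuals)
    print(live.adopted_from_manual, live.name, sorted(live.selected), len(manuals))
```

The type check runs before any overlap comparison so that a go.sum and a package-lock.json with coincidentally similar names can never be merged; the threshold value is the one knob a real implementation would have to tune.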

Connecting a public repository #

  1. From the dashboard, open the Lockfiles tab.
  2. Choose to connect a repository instead of uploading a file.
  3. Enter the repository (<owner>/<repo>) and pick lockfiles using Scan, Browse, or Manual as described above.

DevUpdate.io verifies your access with your GitHub OAuth token, then fetches each selected lockfile and starts monitoring it.

Connecting a private repository #

Two layers protect private content:

  • Your OAuth token gates access. When you click connect, we call GitHub as you. If GitHub itself doesn't grant you access to the repo, the connection is rejected — no shared backend token can override this.
  • Our GitHub App handles the recurring fetch. Install the DevUpdate.io GitHub App on the repository (or grant the existing installation access to it) so we can keep fetching the lockfile on the scheduled cadence below. The App has read-only access scoped to the repositories you select; the access decision is still gated by your user-level permission, never just the App's.

Access requirements #

For a successful private-repo connection — or a successful re-sync of an already-connected one — both of the following must hold at the time of the request:

  1. You have repo access on github.com. That means one of:
    • You're a collaborator on the repository, or
    • You're a member of an organisation team that has read (or higher) access to the repository.
    If neither is true, GitHub itself denies our read call on your behalf and DevUpdate.io shows a "no access to owner/repo" dialog; there's no setting on our side that can unblock it.
  2. The DevUpdate.io GitHub App is installed on the repository. For personal repos, you install it yourself. For org-owned repos, an org owner installs it (or extends an existing install to include the repo). The App can be uninstalled at any time from github.com → Settings → Applications on a personal account, or the equivalent Organization settings → GitHub Apps page for orgs.

If access is later revoked (you leave the org, or the App is uninstalled), the next scheduled sync fails closed with the same dialog, and the lockfile's connection is paused until access is restored.
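The two layers above, checked in the order the page describes, as an added example that is not DevUpdate.io's code. It assumes the user-level check is a GitHub REST `GET /repos/{owner}/{repo}` made with the user's OAuth token and the App check is `GET /repos/{owner}/{repo}/installation` made with the App's JWT (both are real GitHub routes, but the page does not say which calls are used); the HTTP transport is injected so the example runs offline against a constructed `FakeGitHub`, and the `Connection` record with its `paused` / `reason` fields is an assumed shape.

```python
# Added example (not DevUpdate.io's code) of the two-layer, fail-closed check
# above. Assumed endpoints: GET /repos/{owner}/{repo} as the user (OAuth token)
# and GET /repos/{owner}/{repo}/installation as the App (App JWT); both are
# real GitHub REST routes, but the HTTP transport here is injected so the
# example runs offline against a constructed FakeGitHub.
from dataclasses import dataclass


@dataclass
class Connection:
    repo: str               # "owner/name"
    paused: bool = False
    reason: str = ""


def check_access(repo, get_as_user, get_as_app):
    """Both layers must return 200. The user layer is consulted first and its
    denial is final: the App layer never runs, so an installation can't widen
    what the user is allowed to see."""
    owner, name = repo.split("/", 1)
    # GitHub answers 404, not 403, when a user may not see a private repo, so
    # anything but 200 is treated the same way: denied.
    if get_as_user(f"/repos/{owner}/{name}") != 200:
        return False, f"no access to {repo}"
    if get_as_app(f"/repos/{owner}/{name}/installation") != 200:
        return False, f"DevUpdate.io GitHub App is not installed on {repo}"
    return True, ""


def scheduled_sync(conn, get_as_user, get_as_app, fetch_lockfile):
    """One scheduled fetch. On any denial the connection is paused and nothing
    is fetched; a later successful check un-pauses it."""
    ok, reason = check_access(conn.repo, get_as_user, get_as_app)
    if not ok:
        conn.paused, conn.reason = True, reason
        return None
    conn.paused, conn.reason = False, ""
    return fetch_lockfile(conn.repo)


class FakeGitHub:
    """Constructed stand-in for api.github.com: two grant sets, two principals."""

    def __init__(self, user_can_read=(), app_installed_on=()):
        self.user_can_read = set(user_can_read)
        self.app_installed_on = set(app_installed_on)
        self.fetches = 0

    def get_as_user(self, path):                    # /repos/owner/name
        repo = path[len("/repos/"):]
        return 200 if repo in self.user_can_read else 404

    def get_as_app(self, path):                     # /repos/owner/name/installation
        repo = path[len("/repos/"):-len("/installation")]
        return 200 if repo in self.app_installed_on else 404

    def fetch_lockfile(self, repo):
        self.fetches += 1
        return {"repo": repo, "packages": {"lodash": "4.17.21"}}   # constructed


def run_scenario():
    """Walk the page's cases; return (paused, reason, fetch count) after each sync."""
    gh = FakeGitHub(user_can_read={"acme/backend"}, app_installed_on={"acme/backend"})
    conn = Connection("acme/backend")
    steps = []

    def step():
        scheduled_sync(conn, gh.get_as_user, gh.get_as_app, gh.fetch_lockfile)
        steps.append((conn.paused, conn.reason, gh.fetches))

    step()                                           # healthy: fetched once
    gh.user_can_read.discard("acme/backend")         # user leaves the org
    step()                                           # App still installed: still denied
    gh.user_can_read.add("acme/backend")
    gh.app_installed_on.discard("acme/backend")      # App uninstalled
    step()                                           # paused, nothing fetched
    gh.app_installed_on.add("acme/backend")
    step()                                           # access restored: resumes
    return steps


if __name__ == "__main__":
    for s in run_scenario():
        print(s)
```

The second step is the one that matters for the security claim: the App installation is intact, yet the fetch count does not move, because the user-level denial short-circuits before any App-authenticated call is made.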

Jumping to the source on GitHub #

Open a connected lockfile's detail view and you'll find a View on GitHub button next to Update. It deep-links straight to the tracked file on its branch (or the repository root if no specific file path was recorded), so checking the real lockfile on github.com is always one click away. Manual uploads have no repository to point at, so the button only appears on live connections.

Polling cadence #

Connected lockfiles are fetched hourly. (Release polling for tracked sources uses an adaptive cadence, hourly while a source is active and easing off to at most daily when it's quiet, but lockfile fetches stay on a fixed hourly schedule.) Each fetch recomputes the lockfile's available upgrades the same way a manual re-upload does: upgrades the fetched lockfile shows you have already applied are resolved automatically and drop off the list, and any newly available ones appear. When an unattended sync turns up newly detected high-risk upgrades, we email you a heads-up about those upgrades (not about raw version "changes").

What we store #

We store only the parsed dependency data — a map of package names to versions. We do not persist the raw lockfile bytes or any other contents of your repository; the file is parsed and discarded after each fetch. See Account → Privacy for the full data-handling breakdown.
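What "parsed dependency data" amounts to for three common lockfile formats, as an added example that is not DevUpdate.io's parser: the function takes the fetched bytes and returns only a package-to-version map, so nothing else about the file survives the call. The sample lockfile contents are constructed (the go.sum hashes are invented), and the set of supported formats and the choice of which version wins when a file lists several are assumptions, not something the page states.

```python
# Added example, not DevUpdate.io's parser: reduce a fetched lockfile to the
# only thing the page says is kept, a {package: version} map. The parser
# takes bytes and returns the map; nothing else about the file is retained.
# All sample lockfile contents below are constructed (hashes invented).
import json


def parse_package_lock(text: str) -> dict:
    """npm package-lock.json, v2/v3 ("packages") or v1 (nested "dependencies")."""
    data = json.loads(text)
    out = {}
    if "packages" in data:                        # lockfileVersion 2 or 3
        for key, meta in data["packages"].items():
            if key == "" or "version" not in meta:
                continue                          # root project entry / link
            # "node_modules/a/node_modules/b" -> "b"; scoped names keep their "@"
            name = key.rsplit("node_modules/", 1)[-1]
            out.setdefault(name, meta["version"]) # first (hoisted) copy wins
        return out

    def walk(deps):                               # lockfileVersion 1
        for name, meta in deps.items():
            if "version" in meta:
                out.setdefault(name, meta["version"])
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return out


def parse_yarn_lock(text: str) -> dict:
    """yarn.lock v1: '<name>@<range>[, ...]:' headers followed by 'version "x"'."""
    out, current = {}, []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = [spec.strip().strip('"').rsplit("@", 1)[0]
                       for spec in line[:-1].split(",")]
        elif line.strip().startswith("version ") and current:
            version = line.strip().split(" ", 1)[1].strip('"')
            for name in current:
                out.setdefault(name, version)
    return out


def parse_go_sum(text: str) -> dict:
    """go.sum: '<module> <version> <hash>' lines; '/go.mod' entries are skipped.
    go.sum may list several versions of one module; the last listed wins here
    (an assumption), a real parser would resolve the selected version via go.mod."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].endswith("/go.mod"):
            continue
        out[parts[0]] = parts[1]
    return out


PARSERS = {"package-lock.json": parse_package_lock,
           "yarn.lock": parse_yarn_lock,
           "go.sum": parse_go_sum}


def parse_lockfile(path: str, raw: bytes) -> dict:
    """Dispatch on the file name; the raw bytes go out of scope on return."""
    try:
        parser = PARSERS[path.rsplit("/", 1)[-1]]
    except KeyError:
        raise ValueError(f"unsupported lockfile: {path}") from None
    return parser(raw.decode("utf-8"))


SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "sample", "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample", "dependencies": {"lodash": "^4.17.0"}},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/@babel/core": {"version": "7.24.0"},
        "node_modules/@babel/core/node_modules/semver": {"version": "6.3.1"},
    }}).encode()

SAMPLE_YARN_LOCK = b'''# yarn lockfile v1

"@babel/code-frame@^7.0.0":
  version "7.24.2"
  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.24.2.tgz"

lodash@^4.17.0, lodash@^4.17.21:
  version "4.17.21"
'''

SAMPLE_GO_SUM = b'''github.com/stretchr/testify v1.8.4 h1:AAAA=
github.com/stretchr/testify v1.8.4/go.mod h1:BBBB=
golang.org/x/sys v0.15.0 h1:CCCC=
'''

if __name__ == "__main__":
    for path, raw in [("package-lock.json", SAMPLE_PACKAGE_LOCK),
                      ("frontend/yarn.lock", SAMPLE_YARN_LOCK),
                      ("backend/go.sum", SAMPLE_GO_SUM)]:
        print(path, parse_lockfile(path, raw))
```

Note what the map deliberately loses: resolved URLs, integrity hashes and nesting. That is exactly the data-minimisation the section promises, and it also means a stored map cannot be used to reconstruct the original file.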

Plans and limits #

Automatic syncing is available on all plans — Hobbyist, Professional, and Team. A connected lockfile counts against your normal lockfile limit (1 on Hobbyist, unlimited on Professional and Team), the same as an uploaded file. See Billing → Plans.

Disconnecting and revoking access #

You can disconnect a live lockfile connection from the Lockfiles tab at any time, which stops the scheduled fetches. To fully revoke our access:

  • Uninstall the DevUpdate.io GitHub App, or remove the repository from the App's access list, in your GitHub repository / organisation settings.
  • Revoke the DevUpdate.io OAuth grant from github.com → Settings → Applications. This takes effect on our next call without any action on our side — the next sync attempt will fail closed and the connection will be paused.

What's next #