Pulse feed
The dashboard's activity stream: what shows up, what each row means, and how to triage it.
The pulse feed is the dashboard tab you'll spend the most time in once your sources are configured. It shows five kinds of activity, in this order:
- New releases for sources you track.
- Stale-source notices when a source hasn't published a release in a long time and may be unmaintained.
- Lockfile upgrades: a per-lockfile rollup of the available upgrades across your monitored dependencies, with drill-down to the per-dependency detail.
- News & discussions: highly engaged open GitHub issues on the repos you watch. These surface ongoing problems before they make it into a release or formal advisory.
- Security advisories for packages you depend on that have no fix release yet, e.g. a compromised package. They clear automatically when a release fixes them, or you can dismiss one once you've handled it.
What each row tells you #
| Row type | Key fields |
|---|---|
| Security advisory | Affected package, severity, why there's no fix yet, link to the advisory. |
| New release | Source, version tag, release date, risk score, one-line summary. |
| Lockfile upgrades | Per-lockfile counts (upgradeable / major / security / high-risk / not-monitored) and where the lockfile lives (its repo and path for GitHub-connected lockfiles), with drill-down to per-dependency pinned → latest rows. |
| Stale source | Source, last release date, suggested action (deactivate or keep). |
| News & discussions | Source, issue title, reactions/comments, heat score, link to the issue. |
News & discussions #
We pull external context for the packages you track and surface it in two places. On a release summary we attach security and ecosystem news published around the same time, so you see the supply-chain context that release notes alone can't provide (for example, the LiteLLM credential leak). Here on the Pulse dashboard, the News & discussions section surfaces highly engaged open GitHub issues on the repos you watch, so you can spot ongoing problems before they ship in a release or formal advisory.
The News & discussions section ranks open issues by heat: reactions weighted 3×, plus comments, with the total decayed about 7% per day of the issue's age. An issue with five fresh reactions outranks a month-old issue with twenty. We only surface issues with momentum, so a quiet bug report won't clutter the feed.
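A worked version of the heat ranking, added here as an illustration rather than the dashboard's own code. The 3× reaction weight and the roughly 7%/day decay are from the text above; the exponential form of the decay and the momentum cutoff (a minimum heat of 5) are assumptions.

```python
"""Heat ranking for the News & discussions section (added example).

Assumes exponential decay (an issue keeps 93% of its heat per day of age)
and a minimum heat of 5 as the "momentum" cutoff; both are assumptions."""
from dataclasses import dataclass

REACTION_WEIGHT = 3      # reactions count 3x (from the docs)
DAILY_DECAY = 0.93       # "about 7%/day"; exponential form is an assumption
MIN_HEAT = 5.0           # assumed threshold for surfacing an issue at all


@dataclass
class Issue:
    title: str
    reactions: int
    comments: int
    age_days: float


def heat(issue: Issue) -> float:
    """Raw engagement (3*reactions + comments) decayed for the issue's age."""
    raw = REACTION_WEIGHT * issue.reactions + issue.comments
    return raw * DAILY_DECAY ** issue.age_days


def rank_issues(issues):
    """Return surfaced issues hottest-first; issues below MIN_HEAT are dropped."""
    scored = [(heat(i), i) for i in issues]
    scored = [(h, i) for h, i in scored if h >= MIN_HEAT]
    scored.sort(key=lambda hi: hi[0], reverse=True)
    return [i for _, i in scored]


# Constructed sample: the docs' own comparison plus a quiet bug report.
SAMPLE = [
    Issue("month-old issue, 20 reactions", reactions=20, comments=0, age_days=30),
    Issue("fresh issue, 5 reactions", reactions=5, comments=0, age_days=0),
    Issue("quiet bug report", reactions=0, comments=1, age_days=2),
]

if __name__ == "__main__":
    for i in rank_issues(SAMPLE):
        print(f"{heat(i):6.2f}  {i.title}")
```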
Each row links to the issue on GitHub. Dismissing one removes it from your feed; we don't currently support a "past" view for discussions: the goal is to spot brewing problems, not maintain an archive.
The feature ships for GitHub-typed sources today. HackerNews stories, project blog/changelog feeds, and broader web mentions are planned.
Click any row to open the detail page: full summary, diff highlights, and the specific signals that drove the score.
Active vs. past advisories #
The security-advisories section has an Active / Past toggle. Active lists advisories with no fix release yet. An advisory leaves the active list two ways:
- A release patches it. The advisory becomes resolved and links to the release that fixed it, which also appears under New releases.
- You dismiss it.
Switch to Past to review resolved and dismissed advisories. Resolved rows carry a "Fixed in" link to the release; dismissed rows can be restored back to the active list.
Triage workflow #
- Scan the high-severity rows first. The pulse feed is sorted by recency, but the High band (70+) is the right place to spend your attention. Each release row's risk score is a colour-coded badge (coral for High, amber for Medium, teal for Low) so the band is visible at a glance without reading the number.
- For each High row, decide: update, pin around, or wait for a follow-up.
- Mark resolved rows by clicking through and acknowledging; they drop off the active feed but stay in the source's history.
Realtime updates #
The feed updates as new analysis completes; no need to refresh. New rows animate in and the unread indicator updates as they land.
Frequently asked questions #
Where does the news come from? #
Four sources today: (1) GitHub Security Advisories, structured CVE/advisory data with package-version ranges; (2) OSV.dev, the open-source vulnerability database covering npm, PyPI, Go, Maven, crates, and RubyGems; (3) a curated allow-list of security RSS feeds for narrative incidents that haven't landed as CVEs yet, passed through an LLM classifier that extracts affected packages and severity; and (4) GitHub Issues on each tracked repo, ranked by reactions and comments. HackerNews search, per-source blog/changelog feeds, and broader web mentions are on the roadmap.
Do you track VS Code extension supply-chain attacks? #
Yes, VS Code and Open VSX extensions are a first-class ecosystem. Advisories affecting a compromised editor extension are surfaced under a dedicated "vscode" ecosystem tag. GitHub Security Advisories file these under their npm ecosystem, so we re-tag known extensions back to vscode, and the LLM classifier labels narrative coverage of marketplace compromises the same way. You can also track a specific extension as a source by pasting its Marketplace or Open VSX URL.
How does news affect release severity? #
News items contribute up to 25 points to a release's 0–100 risk score depending on how tightly they match: a direct critical match (a supply-chain compromise against the exact package) adds up to 25, a dependency-level critical match up to 10, and ecosystem-wide critical news up to 5. The total is still capped at 100.
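How the news contribution composes with the rest of the risk score, as an added example (not the scoring code itself). The 25/10/5 class caps, the 25-point news ceiling, the 100 cap and the 70+ High band are from this page; the assumptions are that each news item carries a 0 to 1 match strength scaling its class cap and that only the strongest item per class counts.

```python
"""News contribution to a release's 0-100 risk score (added example).

Assumptions: each item has a match strength in [0, 1] that scales its
class cap, only the strongest item per class counts, and the summed news
contribution is itself capped at 25."""

NEWS_CAPS = {"direct": 25, "dependency": 10, "ecosystem": 5}  # from the docs
NEWS_TOTAL_CAP = 25      # "News items contribute up to 25 points"
HIGH_BAND = 70           # High band is 70+ (triage section)


def news_points(matches):
    """matches: iterable of (match_class, strength) pairs, strength in [0, 1]."""
    best = {}
    for cls, strength in matches:
        if cls not in NEWS_CAPS:
            raise ValueError(f"unknown match class: {cls}")
        pts = NEWS_CAPS[cls] * max(0.0, min(1.0, strength))
        best[cls] = max(best.get(cls, 0.0), pts)   # strongest per class (assumed)
    return min(NEWS_TOTAL_CAP, sum(best.values()))


def risk_with_news(base_score, matches):
    """Base score from the release's own signals plus news, capped at 100."""
    return min(100, round(base_score + news_points(matches)))


def band(score):
    """Only the High threshold is documented; everything below is left unsplit."""
    return "High" if score >= HIGH_BAND else "Medium/Low"
```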
How fresh is the news? #
The scraper runs every 4 hours by default and indexes items from the last 14 days. When a release is processed we only consider news published within ±14 days of the release date. Both the cadence and the lookback window are runtime-configurable without redeploying.
Why didn't a release I care about get flagged? #
The most common reasons: (1) the news item names the package differently than we do (we canonicalize PyPI names, but npm names must match exactly); (2) the item falls outside the 14-day window; (3) the RSS classifier couldn't extract a structured package name with high confidence; or (4) the package isn't in our OSV probe list yet. Email info@devupdate.io if you spot a missed link and we'll add the mapping.
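To make reasons (1) and (2) concrete, here is an added example of the name and date checks a news item has to pass before it links to a release; it is not the dashboard's matching code. The ±14-day window and the "PyPI canonicalized, npm exact" rule are from this page; that "canonicalize" means PEP 503 normalisation (lowercase, runs of `-`, `_` or `.` collapsed to `-`) is an assumption.

```python
"""Linking a news item to a release: name and window checks (added example).

Assumes PyPI canonicalization follows PEP 503; npm and other ecosystems
compare names exactly, as the docs state."""
import re
from datetime import date

WINDOW_DAYS = 14   # news must fall within +/-14 days of the release date


def canonical_pypi(name: str) -> str:
    """PEP 503 normalisation: 'Django_REST.framework' -> 'django-rest-framework'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def names_match(ecosystem: str, news_pkg: str, tracked_pkg: str) -> bool:
    if ecosystem == "pypi":
        return canonical_pypi(news_pkg) == canonical_pypi(tracked_pkg)
    return news_pkg == tracked_pkg          # npm and others: exact match only


def in_window(news_date: date, release_date: date) -> bool:
    return abs((news_date - release_date).days) <= WINDOW_DAYS


def why_not_linked(ecosystem, news_pkg, news_date, tracked_pkg, release_date):
    """Return None when the item links to the release, else the skip reason."""
    if not names_match(ecosystem, news_pkg, tracked_pkg):
        return "package name differs"
    if not in_window(news_date, release_date):
        return "outside 14-day window"
    return None


if __name__ == "__main__":
    # Constructed sample inputs; dates and names are illustrative only.
    print(why_not_linked("npm", "Left-Pad", date(2024, 3, 1), "left-pad", date(2024, 3, 2)))
    print(why_not_linked("pypi", "Pillow", date(2024, 3, 1), "pillow", date(2024, 3, 10)))
```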