Browse all docs

Adding a source

The UI walkthrough: what URLs we accept, how the parser is detected, and what to expect after the first sync.

Sources are added from the dashboard's Sources tab. Click Add source, paste a URL, and submit. Most of the time that's the entire workflow.

What URLs we accept #

  • GitHub repository: https://github.com/<owner>/<repo>. Public repos with tagged releases work out of the box. We identify a repo by its stable GitHub id, not its name, so a link to a renamed or transferred repo (e.g. an old org/repo that now redirects elsewhere) resolves to the live repo and is tracked once under its current name, so you won't end up with a duplicate source. Private repos require both a GitHub OAuth connection on your account (so we can verify, against your own GitHub permissions, that you actually have access to the repo) and the DevUpdate.io GitHub App installed on the repository or its owning organisation (so we can read it on a schedule). Connect GitHub from Settings → GitHub connection, then make sure the App is installed. See Access requirements for who needs to do what. We never reveal a private repo to a user who doesn't already have access on github.com. Tip: repos you've granted the App are listed in the Repositories with access panel on the Lockfiles tab, where you can scan any of them for lockfiles in one click.
  • VS Code / Open VSX extension: a Marketplace URL (https://marketplace.visualstudio.com/items?itemName=<publisher>.<extension>) or an Open VSX URL (https://open-vsx.org/extension/<namespace>/<name>). Both have stable parsers. See Adding a VS Code extension below.
  • Vendor release-notes page: anything with a stable parser. See the catalog for the current list.
  • Anything else: routed through the AI fallback parser. Works reasonably well for well-formatted single-page changelogs; struggles with paginated or JS-rendered pages.

Adding a VS Code extension #

Editor extensions are an active supply-chain target, so tracking the ones your team relies on is worth doing: both the Marketplace and Open VSX have stable parsers.

  1. Open the extension's page on the VS Code Marketplace, or on Open VSX if you use VSCodium, Gitpod, or Theia.
  2. Copy the page URL from your browser; it looks like https://marketplace.visualstudio.com/items?itemName=ms-python.python.
  3. In the dashboard Sources tab, click Add source, paste the URL, and submit. The VS Code chip under the field prefills the …itemName= prefix if you'd rather type the publisher and extension name in yourself.

A green stable parser badge confirms it routes to the Marketplace (or Open VSX) adapter. We then track the extension's published version history, one release per version, each version's changelog as the release notes. There's no repo or diff analysis, so risk scores on these releases are informational. The source catalog has the parser details.

What the form tells you #

When you paste a URL, the modal shows which parser will handle it and its stability tier before you confirm. A green badge means a stable parser; an amber notice means the URL routes to the best-effort AI fallback (expected for sources outside the catalog).

Because the AI fallback is best-effort and its first sync counts toward your plan's fair-use allowance, adding one is an explicit opt-in: tick the acknowledgement checkbox in the amber notice to enable Add source. Stable-parser sources have no such step.

If you'd rather we built a deterministic parser for the URL, use the Request a deterministic tracker button in the same notice. See requesting a tracker below.

When generic tracking is off

Some environments disable best-effort AI tracking entirely. When that's the case the modal won't offer Add source for an unsupported URL at all, only the Request a deterministic tracker flow. New AI-parsed sources are declined, and any existing ones stop syncing until it's re-enabled. Deterministic (stable-parser) sources are unaffected.

What happens on the first sync #

We immediately fetch the most recent few releases (the cap is intentionally small to keep the initial AI cost predictable) and queue diff analysis on each. The first summary usually appears within a minute or two; the rest trickle in over the next several minutes.

The scheduled poll picks up new releases from there: about hourly while the source is active, easing off to at most once a day when it goes quiet.

For sources that route to the AI fallback (no stable parser), that first sync runs an AI extraction of the page plus the initial release summaries. If you're the first user to track such a source, that one-time work counts toward your fair-use allowance, so once this period's allowance is exhausted, adding it is deferred until you top up. Sources with a stable parser, and sources someone else already tracks, are unaffected.

Requesting a deterministic tracker

For sources you'd rather track deterministically (no AI, no per-poll cost, and reliable extraction), ask us to build a stable parser instead of using the AI fallback. In the Add source modal, when a URL routes to the best-effort tier, click Request a deterministic tracker, optionally add the product name and a link to an example release, and submit. We log every request so we can prioritize by real demand, and follow up by email. Full details and the email fallback are in Reference → Parser stability.

After the source is added #

  • The source appears under the Sources tab with its parser badge, release count, and last-sync timestamp.
  • Clicking through opens the source detail page with the release list and per-release summaries.
  • A manual sync button is available if you want to pull in something just-published without waiting for the next scheduled poll.

Common gotchas #

  • The repo has no tagged releases. We rely on tags. If the repo only has commits on main, we have nothing to extract. Ask the maintainer to cut tags, or watch the source via lockfiles instead.
  • The page requires JavaScript. We fetch raw HTML, no headless browser. If the changelog only renders client-side, the AI fallback won't see it.
  • Hitting the source limit. Hobbyist tier is 1,000 sources; deactivating unused sources frees slots without losing history.

Frequently asked questions #

How do I find the source URL for a package? #

The fastest route is to skip manual URL hunting and use the Lockfiles workflow instead: upload your lockfile (poetry.lock, package-lock.json, yarn.lock, and so on) from the Lockfiles tab and we automatically discover the source URLs and start tracking your dependencies, much quicker than adding sources one at a time. To add a package manually, look it up on its registry (PyPI.org for Python, npmjs.com for JavaScript) and use the Source / Repository link in the project details.

What happens if a package doesn't have a GitHub repository? #

Some packages live elsewhere (GitLab, Bitbucket, Heptapod, Launchpad, or an internal repo) or simply don't publish their source repository to the registry. When lockfile discovery can't find a GitHub URL we show which packages couldn't be discovered, and when we recognise the host we name it (for example "Links to Heptapod, not GitHub") so you can tell an unsupported host apart from a just-missing link. If a GitHub mirror exists, you can add its source manually later.

PreviousOverviewNext Parser types