Sources
What a source is, what we do with it, and how to keep the list manageable.
A source is the unit you track. In practice that almost always means a GitHub repository, but it can also be any release-notes page that has a stable parser. One source produces a stream of releases, and each release goes through diff analysis and gets a risk score.
The lifecycle of a source
- Add. You paste a URL, we record it, and queue an initial sync.
- Backfill. We fetch the most recent few releases (the cap is small by default to keep AI cost predictable) and run them through diff analysis.
- Poll. Every hour we check the source for new releases. New releases are summarized and risk-scored automatically.
- Alert. If you have a lockfile that references this source, a high-risk update fires an alert and shows up in the pulse feed.
You can manually trigger a sync from any source's detail page if you want to pull in something just-published without waiting for the next hourly poll.
Source URL shapes we accept
- GitHub repository: https://github.com/<owner>/<repo> — we use the repo's tagged releases.
- Static release-notes page for vendors with a stable parser, e.g. Google Ads. See the parser catalog for the current list.
- Anything else: we route it through the AI fallback parser. This works well for well-structured changelog pages and poorly for paginated or JS-rendered pages — see Parser types for the trade-offs.
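As an added example (not the product's own code), here is how the three URL shapes above can be routed to a parser in Python. The host-to-parser catalog, the rejection rules and the GitHub API endpoint used for tagged releases are assumptions of this example, not something the page specifies.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the parser catalog: hostname -> static parser name.
# Only Google Ads is named on the page; the rest of the real catalog is unknown.
STATIC_PARSER_CATALOG = {
    "developers.google.com": "google-ads",
}

# Exactly <owner>/<repo>, optionally with a trailing ".git" or "/".
_GITHUB_REPO = re.compile(r"^/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?/?$")


def classify_source(url: str) -> dict:
    """Route a pasted source URL to the parser that will handle it.

    Returns a dict whose 'kind' is 'github', 'static' or 'ai_fallback'.
    Raises ValueError for URLs that cannot be tracked as a source at all.
    """
    parts = urlsplit(url.strip())
    # Accept https only, so the poller never fetches file:// or plain-http
    # locations on a user's behalf (assumed policy for this example).
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https URL: {url!r}")
    host = parts.hostname.lower()

    if host == "github.com":
        match = _GITHUB_REPO.match(parts.path)
        # An org page, an issues page or a deeper path is not a release
        # stream; reject it rather than guess which repository was meant.
        if not match:
            raise ValueError(f"not an <owner>/<repo> GitHub URL: {url!r}")
        owner, repo = match.groups()
        return {
            "kind": "github",
            "owner": owner,
            "repo": repo,
            # GitHub's releases endpoint for the repo's tagged releases.
            "releases_url": f"https://api.github.com/repos/{owner}/{repo}/releases",
        }

    parser = STATIC_PARSER_CATALOG.get(host)
    if parser:
        return {"kind": "static", "parser": parser, "url": url}

    # Anything else goes to the AI fallback parser.
    return {"kind": "ai_fallback", "url": url}
```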
Limits
The Hobbyist tier caps you at 10 sources; paid tiers are unlimited. If you're hitting the cap, the Lockfiles workflow is usually the right answer — track what's actually in your dependency tree, not every library you've ever used.
Removing or pausing a source
Sources can be deactivated (we stop polling but keep the history) or deleted entirely. Both live on the source detail page. Deactivating a source frees up a slot on the Hobbyist tier without losing the analysis history.