Everything you need to know about DevUpdate.io's code intelligence platform for developers
DevUpdate.io is a code intelligence platform for developer updates and dependency management. We analyze every library update by examining the actual code changes (git diffs), not just the release notes. This catches undocumented breaking changes that changelog aggregators miss, and tells you how each library update affects your project.
Dependabot and Renovate create PRs to update dependencies, but they don't tell you what's actually in the update. We analyze the git diff between versions to detect undocumented breaking changes, function signature modifications, and behavioral changes that aren't mentioned in changelogs. Think of us as the intelligence layer that helps you decide whether to merge those PRs.
Sign up for a free account, then add repositories you want to monitor by pasting their GitHub URLs. We'll automatically fetch their releases, analyze the code changes, and generate summaries with risk scores. You can also upload your lockfile to get alerts when dependencies in your actual project have risky updates.
Yes! The free tier allows you to monitor up to 10 repositories. This is perfect for personal projects or evaluating the service.
The easiest way is our Lockfiles feature. Upload your lockfile (poetry.lock, package-lock.json, yarn.lock, etc.) from the Lockfiles tab in your dashboard and we'll discover the source repository URLs for your project's dependencies and track them, which is much faster than adding repositories one by one (automatic discovery currently covers Python lockfiles; see the next answer). If you prefer manual addition, search for the package on its registry (PyPI.org for Python, npmjs.com for JavaScript) and look for the 'Source' or 'Repository' link in the project details.
Currently, automatic repository discovery via PyPI is available for Python lockfiles only: poetry.lock, Pipfile.lock, and requirements.txt. We extract package names, query PyPI for metadata, and find their GitHub repositories automatically. For other ecosystems (npm, Cargo, Go, PHP), you'll need to add repositories manually using their GitHub URLs. We're planning to add npm and other registries in future updates.
Some packages are hosted elsewhere (GitLab, Bitbucket, internal repos) or don't publish their source repository to PyPI. When we can't find a GitHub URL, we'll show you which packages couldn't be discovered in the results summary. You can manually add their repositories later if they have GitHub mirrors or you find the URLs through other means.
Free tier users can select up to 10 packages from their lockfile to discover and watch repositories. Professional and Team tier users have unlimited repository discovery. The selection UI will show your available slots and prevent exceeding your limit.
Diff-First Analysis is our core differentiator. Instead of just summarizing release notes, we fetch the actual git diff between release tags and analyze the code changes. This lets us detect things like function signature changes, removed exports, type modifications, and behavioral changes that maintainers often forget to document. We then compare what the changelog says versus what the code actually shows.
Each release gets a 0-100 risk score based on several factors: code churn (lines changed), number of files modified, documented breaking changes, undocumented changes we detected in the diff, and security implications. Scores of 70 or above are considered high risk and warrant careful review before you update.
These are modifications we detect in the code diff that aren't mentioned in the release notes. For example, if a changelog says 'minor bug fixes' but the diff shows a function signature changed from (a, b) to (a, b, c), we flag that as an undocumented change. This matters because such silent breaks often surface only in production.
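As an added illustration of the diff-first analysis, risk scoring and undocumented-change detection described in the three answers above (this is example code written for this page, not DevUpdate.io's implementation), the Python below parses a constructed unified diff between two release tags, extracts changed `def` lines and dropped `__init__` exports, checks whether each changed symbol is mentioned in the release notes, distinguishes compatible signature changes (a new parameter with a default) from breaking ones (a new required parameter, a deleted function) and rolls the findings into a 0-100 score. The library `acme_http`, its diff and notes, the security-keyword heuristic and the score weights are all assumptions made for the example; the page does not publish DevUpdate.io's weights.

```python
import re
from dataclasses import dataclass

# Constructed sample input (hypothetical library "acme_http", not a real project):
# the unified diff between two release tags, and the release notes shipped with
# the newer tag. The notes mention only Client.get; the diff changes more.
SAMPLE_DIFF = """\
diff --git a/acme_http/client.py b/acme_http/client.py
--- a/acme_http/client.py
+++ b/acme_http/client.py
@@ -10,7 +10,7 @@ class Client:
-    def get(self, url, timeout):
+    def get(self, url, timeout, verify=True):
         return self._request("GET", url, timeout)

-    def post(self, url, data, timeout):
+    def post(self, url, data, timeout, verify):
         return self._request("POST", url, timeout, data)
@@ -40,3 +40,1 @@ class Client:
-def legacy_fetch(url):
-    return Client().get(url, 30)
diff --git a/acme_http/__init__.py b/acme_http/__init__.py
--- a/acme_http/__init__.py
+++ b/acme_http/__init__.py
@@ -1,2 +1,2 @@
-from .client import Client, legacy_fetch
+from .client import Client
"""
SAMPLE_NOTES = """\
## 2.1.0
- Added a `verify` parameter to `Client.get` so TLS verification can be disabled.
- Minor bug fixes.
"""

SIG_RE = re.compile(r"^[-+]\s*def\s+(\w+)\s*\((.*)\)\s*(?:->[^:]*)?:")
EXPORT_RE = re.compile(r"^[-+]\s*from\s+\S+\s+import\s+([\w\s,]+)$")
# Crude keyword heuristic for "security implications" (an assumption of this example).
SECURITY_KEYWORDS = ("verify", "ssl", "tls", "cert", "auth", "token", "secret", "password")


@dataclass
class Finding:
    file: str
    symbol: str
    kind: str          # signature_changed | removed_function | removed_export
    breaking: bool
    documented: bool   # symbol name appears in the release notes
    security: bool
    detail: str


def required_params(sig: str) -> list[str]:
    """Parameters a caller must pass: no default, not *args/**kwargs, not the bare * or / markers."""
    names = []
    for p in (x.strip() for x in sig.split(",")):
        if not p or p in ("*", "/") or p.startswith("*") or "=" in p:
            continue
        names.append(p.split(":")[0].strip())   # drop type annotations
    return names


def analyze(diff: str, notes: str) -> tuple[list[Finding], dict]:
    """Walk a unified diff; pair removed/added def lines per file and diff __init__ exports."""
    removed, added, exp_removed, exp_added = {}, {}, {}, {}
    churn, files, current = 0, set(), ""
    for line in diff.splitlines():
        if line.startswith("+++ b/"):
            current = line[6:]
            files.add(current)
            continue
        if line.startswith(("--- ", "diff ", "@@")) or line[:1] not in ("+", "-"):
            continue
        churn += 1
        m = SIG_RE.match(line)
        if m:
            (removed if line[0] == "-" else added)[(current, m.group(1))] = (m.group(2), line)
            continue
        m = EXPORT_RE.match(line)
        if m and current.endswith("__init__.py"):
            bucket = exp_removed if line[0] == "-" else exp_added
            bucket.setdefault(current, set()).update(n.strip() for n in m.group(1).split(","))

    def documented(name: str) -> bool:
        return re.search(rf"\b{re.escape(name)}\b", notes) is not None

    def security_relevant(text: str) -> bool:
        return any(k in text.lower() for k in SECURITY_KEYWORDS)

    findings = []
    for (file, name), (old_sig, old_line) in removed.items():
        if (file, name) in added:
            new_sig, new_line = added[(file, name)]
            if old_sig == new_sig:
                continue   # def line only moved within the hunk; body-only change
            breaking = required_params(old_sig) != required_params(new_sig)
            findings.append(Finding(file, name, "signature_changed", breaking, documented(name),
                                    security_relevant(new_line), f"({old_sig}) -> ({new_sig})"))
        else:
            findings.append(Finding(file, name, "removed_function", True, documented(name),
                                    security_relevant(old_line), f"def {name}({old_sig}) deleted"))
    for file, names in exp_removed.items():
        for name in sorted(names - exp_added.get(file, set())):
            findings.append(Finding(file, name, "removed_export", True, documented(name), False,
                                    f"{name} no longer exported from {file}"))
    return findings, {"churn": churn, "files": len(files)}


def risk_score(findings: list[Finding], stats: dict) -> int:
    """0-100 score; the weights are this example's assumption, not DevUpdate.io's."""
    score = min(15, stats["churn"]) + min(15, 3 * stats["files"])
    for f in findings:
        if f.breaking:
            score += 15 if not f.documented else 5
        elif not f.documented:
            score += 5
        if f.security:
            score += 10
    return min(100, score)


if __name__ == "__main__":
    found, stats = analyze(SAMPLE_DIFF, SAMPLE_NOTES)
    for f in found:
        flags = ["UNDOCUMENTED" if not f.documented else "documented"]
        flags += ["breaking"] if f.breaking else []
        flags += ["security-relevant"] if f.security else []
        print(f"{f.file}: {f.kind} {f.symbol} [{', '.join(flags)}] {f.detail}")
    print("risk score:", risk_score(found, stats))
```

Run stand-alone it prints one line per finding and the score. In this sample only `Client.get` is mentioned in the notes, so the new required `verify` argument on `post`, the deleted `legacy_fetch` and its dropped export are all flagged as undocumented, and the score lands in the page's high-risk band. The documentation check is a word-boundary search for the symbol name in the notes, which is deliberately generous: a symbol that is merely mentioned counts as documented, so a real analyzer needs the changelog-versus-code comparison the page describes rather than a name match.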
You can upload your lockfile (package-lock.json, yarn.lock, go.sum, etc.) to establish a baseline of your exact dependency versions. Later, when you upload an updated lockfile, we compare the versions and generate alerts for any high-risk changes. We cross-reference these with our diff analysis to tell you things like 'React updated to 18.3.0 - HIGH RISK - contains undocumented useState behavior change.'
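The baseline-and-compare flow above, as an added example written for this page rather than DevUpdate.io's code: it parses two constructed npm `package-lock.json` files (lockfileVersion 2/3 layout, where every installed package is a key of the `packages` map) plus a `poetry.lock` fragment, classifies each version change by semver bump type, and cross-references the new versions against a stand-in risk index to emit alerts using the page's 70-and-above high-risk threshold. The project, package versions, risk scores and the `RISK_INDEX` lookup shape are all assumptions made for the example.

```python
import json
import re

# Constructed sample inputs (made-up project and scores, not from any real lockfile):
# an npm package-lock.json before and after an update, a poetry.lock fragment, and a
# stand-in "risk index" of per-release scores as a diff analysis would supply them.
OLD_PACKAGE_LOCK = json.dumps({
    "name": "shop-frontend", "lockfileVersion": 3,
    "packages": {
        "": {"name": "shop-frontend", "dependencies": {"react": "^18.2.0"}},
        "node_modules/react": {"version": "18.2.0",
                               "resolved": "https://registry.npmjs.org/react/-/react-18.2.0.tgz"},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})
NEW_PACKAGE_LOCK = json.dumps({
    "name": "shop-frontend", "lockfileVersion": 3,
    "packages": {
        "": {"name": "shop-frontend", "dependencies": {"react": "^18.2.0"}},
        "node_modules/react": {"version": "18.3.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/axios": {"version": "1.6.0"},
        "node_modules/axios/node_modules/lodash": {"version": "3.10.1"},  # nested second copy
    },
})
SAMPLE_POETRY_LOCK = """\
[[package]]
name = "requests"
version = "2.31.0"
description = "Python HTTP for Humans."

[package.dependencies]
urllib3 = ">=1.21.1,<3"

[[package]]
name = "urllib3"
version = "2.0.7"
"""
# (name, version) -> 0-100 score; made-up values standing in for per-release analysis.
RISK_INDEX = {("react", "18.3.0"): 82, ("lodash", "4.17.21"): 12}
HIGH_RISK_THRESHOLD = 70   # the page's "70 or above is high risk"

SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_package_lock(text: str) -> dict[str, str]:
    """Installed name -> version from a lockfileVersion 2/3 package-lock.json."""
    data = json.loads(text)
    if data.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 nests deps under 'dependencies'; not handled here")
    out = {}
    for path, meta in data["packages"].items():
        if not path or "version" not in meta:   # "" is the root project itself
            continue
        # Top-level deps are "node_modules/<name>" (scoped names keep their "@scope/");
        # nested copies keep their full path so two versions of one package don't collide.
        out[path[len("node_modules/"):] if path.count("node_modules/") == 1 else path] = meta["version"]
    return out


def parse_poetry_lock(text: str) -> dict[str, str]:
    """name -> version from poetry.lock's [[package]] tables (line-based, no TOML library)."""
    out, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "[[package]]":
            current = {}
            continue
        if stripped.startswith("["):   # [package.dependencies] etc. ends the package header
            current = None
            continue
        m = re.match(r'^(name|version)\s*=\s*"([^"]*)"\s*$', line)
        if current is not None and m:
            current[m.group(1)] = m.group(2)
            if "name" in current and "version" in current:
                out[current["name"]] = current["version"]
    return out


def classify_bump(old, new) -> str:
    if old is None:
        return "added"
    if new is None:
        return "removed"
    if old == new:
        return "unchanged"
    o, n = SEMVER_RE.match(old), SEMVER_RE.match(new)
    if not o or not n:
        return "unparsed"   # git URLs, date versions, etc.: never assume these are safe
    ot, nt = tuple(map(int, o.groups())), tuple(map(int, n.groups()))
    if nt < ot:
        return "downgrade"
    for level, idx in (("major", 0), ("minor", 1), ("patch", 2)):
        if nt[idx] != ot[idx]:
            return level
    return "prerelease"   # same numeric triple, different pre-release/build tag


def compare_lockfiles(old: dict, new: dict) -> list[dict]:
    changes = []
    for name in sorted(set(old) | set(new)):
        bump = classify_bump(old.get(name), new.get(name))
        if bump != "unchanged":
            changes.append({"name": name, "old": old.get(name), "new": new.get(name), "bump": bump})
    return changes


def build_alerts(changes: list[dict], risk_index: dict, threshold: int = HIGH_RISK_THRESHOLD) -> list[dict]:
    """One alert per package that is present in the new lockfile; removed packages need none."""
    alerts = []
    for c in changes:
        if c["new"] is None:
            continue
        score = risk_index.get((c["name"], c["new"]))
        level = "UNKNOWN" if score is None else ("HIGH" if score >= threshold else "LOW")
        alerts.append({**c, "score": score, "level": level,
                       "message": f"{c['name']} {c['old'] or '(new)'} -> {c['new']} ({c['bump']}): {level} RISK"})
    return alerts


if __name__ == "__main__":
    changes = compare_lockfiles(parse_package_lock(OLD_PACKAGE_LOCK), parse_package_lock(NEW_PACKAGE_LOCK))
    for a in build_alerts(changes, RISK_INDEX):
        print(a["message"])
    print("poetry.lock packages:", parse_poetry_lock(SAMPLE_POETRY_LOCK))
```

Two points a practitioner should carry into a real pipeline. A package with no entry in the risk index comes back `UNKNOWN`, not `LOW`; treating "no analysis" as "safe" is how risky updates slip through, so a CI gate should fail on both `HIGH` and `UNKNOWN` for anything it cares about. And the `resolved` field in npm lockfiles (and equivalents in others) records registry URLs, so a lockfile uploaded to any third-party service can disclose private registry hostnames and internal package names even though it carries no source code.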
For diff analysis: Any repository on GitHub with tagged releases. For lockfile monitoring: npm (package-lock.json), Yarn (yarn.lock), pnpm (pnpm-lock.yaml), Go (go.sum), Rust (Cargo.lock), Python (poetry.lock, Pipfile.lock), and PHP (composer.lock).
Currently we only support public GitHub repositories. Private repository support with OAuth integration is planned for a future release.
We require repositories to use GitHub's release/tag feature. If a project only has commits without tags, we can't currently analyze it. We recommend asking the maintainers to use releases, as it's a best practice for library versioning.
When you add a repository, we fetch the latest releases using GitHub's API. For each release, we compare it to the previous release using GitHub's comparison API to get the full diff. We then feed this diff (along with the release notes) to our AI, which identifies breaking changes, function signature modifications, export changes, and other critical updates. The AI explicitly flags discrepancies between what the changelog says and what the code shows.
We check monitored repositories for new releases on an hourly basis. You can also manually trigger a sync from the repository detail page if you want immediate updates.
Yes, we use OpenAI's models to analyze diffs and generate summaries. The AI is specifically prompted to identify breaking changes, undocumented modifications, and security implications. While no AI is perfect, we've designed our prompts to be conservative - if there's ambiguity, we flag it for your review rather than ignoring it.
We implement graceful degradation. If we hit GitHub's API rate limit while fetching diffs, we fall back to analyzing just the release notes for that release and mark the diff_fetch_status as 'rate_limited'. You'll still get a summary, just without the diff-based insights for that specific release. We automatically retry when rate limits reset.
DevUpdate.io is designed for senior developers, tech leads, and engineering managers responsible for maintaining complex codebases. If you've ever been burned by a 'minor patch update' that broke production, or spent hours investigating why a dependency update caused subtle bugs, this tool is for you.
We solve the 'silent break' problem - when library maintainers release updates with undocumented behavior changes. We also eliminate the noise of irrelevant changelog entries, helping you focus only on changes that could impact your codebase. Finally, we give you confidence to update dependencies by providing risk-based intelligence instead of forcing you to guess.
Instead of reading through dozens of changelog entries and release notes, you get a risk-scored, categorized summary highlighting what actually matters. You can quickly see if a new release has breaking changes, security updates, or undocumented modifications. When combined with lockfile monitoring, you get proactive alerts about risky updates before they hit production.
Currently, lockfile upload is manual via the web interface. In a future release, we're planning API endpoints for programmatic lockfile checking, which would enable CI/CD integration. You'd be able to upload your lockfile after dependency resolution and get immediate alerts about high-risk changes.
We're working on three major features: (1) Smart lockfile auto-detection that automatically watches all dependencies when you upload a lockfile, (2) Full codebase scanning where you can link your project and we'll auto-detect all your dependencies, and (3) GitHub App integration for automatic syncing and PR comments.
Yes! This is a major part of our roadmap. Instead of just monitoring libraries in general, we'll analyze your actual codebase to understand which specific functions and APIs you use. This way, we can tell you things like 'This update deprecates useState hook in React 18.3, which you use in 12 files.' This contextual intelligence is what transforms generic dependency monitoring into actionable project-specific insights.
Absolutely! Email us at info@devupdate.io with your ecosystem request. We prioritize based on user demand.
We store: your account information (email, username), URLs of repositories you watch, repository summaries we generate, and parsed dependency data from lockfiles you upload. We do NOT store your actual source code or have access to your private repositories (unless you explicitly grant access via GitHub OAuth in a future release).
No. Your watched repositories and lockfile data are private to your account. The only exception is anonymized usage statistics for improving our service.
When you upload a lockfile, we parse it to extract package names and versions, then store this structured data in our database. We may optionally store the raw lockfile in S3 for audit purposes, but we never expose it to other users or third parties.
We offer a free tier with up to 10 repositories. Paid plans with higher limits and advanced features will be announced soon. Early adopters get grandfathered pricing.
We offer a 14-day refund window for initial subscription purchases. If you're not satisfied with your subscription within 14 days of your first payment, you can request a full refund directly from your account settings page - just click the 'Request Refund & Cancel' button. Alternatively, you can contact Paddle (our payment processor) or email info@devupdate.io. This refund period applies only to your initial purchase - renewal payments are non-refundable. We encourage everyone to try our free tier first to ensure the service meets your needs before upgrading.
For technical issues, email info@devupdate.io. For feature requests or general questions, you can also reach out on GitHub or Twitter/X.
Yes, you can request account deletion from your settings page. We'll send a confirmation email, and once confirmed, we'll delete all your data including watched repositories and uploaded lockfiles.
Can't find what you're looking for? Reach out to our support team.
info@devupdate.io