Getting Started
What is DevUpdate.io?
DevUpdate.io is a dependency intelligence platform that analyzes library updates by examining actual code changes (git diffs), not just release notes. We catch undocumented breaking changes that standard changelog aggregators miss, giving you code-aware intelligence about your dependencies.
How is this different from Dependabot or Renovate?
Dependabot and Renovate create PRs to update dependencies, but they don't tell you what's actually in the update. We analyze the git diff between versions to detect undocumented breaking changes, function signature modifications, and behavioral changes that aren't mentioned in changelogs. Think of us as the intelligence layer that helps you decide whether to merge those PRs.
How do I get started?
Sign up for a free account, then add tracked sources you want to monitor by pasting their GitHub URLs. We'll automatically fetch their releases, analyze the code changes, and generate summaries with risk scores. You can also upload your lockfile to get alerts when dependencies in your actual project have risky updates.
Is there a free tier?
Yes! The free tier allows you to monitor up to 10 tracked sources and upload 1 lockfile. This is perfect for personal projects or evaluating the service.
Core Features
What is 'Diff-First Analysis'?
Diff-First Analysis is our core differentiator. Instead of just summarizing release notes, we fetch the actual git diff between release tags and analyze the code changes. This lets us detect things like function signature changes, removed exports, type modifications, and behavioral changes that maintainers often forget to document. We then compare what the changelog says versus what the code actually shows.
How do risk scores work?
Each release gets a 0-100 risk score based on multiple factors: code churn (lines changed), number of files modified, documented breaking changes, undocumented changes we detected in the diff, and security implications. Scores 70+ are considered high risk and warrant careful review before updating.
What are 'undocumented changes'?
These are modifications we detect in the code diff that aren't mentioned in the release notes. For example, if a changelog says 'minor bug fixes' but we see a function signature changed from (a, b) to (a, b, c), we flag that as an undocumented change. This is critical because these silent breaks often cause production issues.
What is lockfile monitoring?
You can upload your lockfile (package-lock.json, yarn.lock, go.sum, etc.) to establish a baseline of your exact dependency versions. Later, when you upload an updated lockfile, we compare the versions and generate alerts for any high-risk changes. We cross-reference these with our diff analysis to tell you things like 'React updated to 18.3.0 - HIGH RISK - contains undocumented useState behavior change.'
Which lockfiles support automatic source discovery?
All nine of the lockfile formats we support: Python (poetry.lock, Pipfile.lock, requirements.txt) via PyPI, JavaScript (package-lock.json, yarn.lock, pnpm-lock.yaml) via the npm registry, Rust (Cargo.lock) via crates.io, PHP (composer.lock) via Packagist, and Go (go.sum) via direct module-path resolution. We extract package names, look up each one in the matching registry, and add the resolved GitHub repositories as tracked sources automatically.
Supported Ecosystems
Which package ecosystems do you support?
For diff analysis: Any repository on GitHub with tagged releases. For lockfile monitoring: npm (package-lock.json), Yarn (yarn.lock), pnpm (pnpm-lock.yaml), Go (go.sum), Rust (Cargo.lock), Python (poetry.lock, Pipfile.lock), and PHP (composer.lock).
Do you support private repositories?
Currently we only support public GitHub repositories. Private repository support with OAuth integration is planned for a future release.
What if a repository doesn't use GitHub releases?
We require repositories to use GitHub's release/tag feature. If a project only has commits without tags, we can't currently analyze it. We recommend asking the maintainers to use releases, as it's a best practice for library versioning.
How It Works
How do you analyze git diffs?
When you add a tracked source, we fetch the latest releases using GitHub's API. For each release, we compare it to the previous release using GitHub's comparison API to get the full diff. We then feed this diff (along with the release notes) to our AI, which identifies breaking changes, function signature modifications, export changes, and other critical updates. The AI explicitly flags discrepancies between what the changelog says and what the code shows.
How often do you check for new releases?
We check tracked sources for new releases daily. You can also manually trigger a sync from the source detail page if you want immediate updates.
Do you use AI? How accurate is it?
Yes, we use OpenAI's models to analyze diffs and generate summaries. The AI is specifically prompted to identify breaking changes, undocumented modifications, and security implications. While no AI is perfect, we've designed our prompts to be conservative - if there's ambiguity, we flag it for your review rather than ignoring it.
What happens if GitHub rate limits you?
We implement graceful degradation. If we hit GitHub's API rate limit while fetching diffs, we fall back to analyzing just the release notes for that release and mark the diff_fetch_status as 'rate_limited'. You'll still get a summary, just without the diff-based insights for that specific release. We automatically retry when rate limits reset.
Usage & Value
Who is this for?
DevUpdate.io is designed for senior developers, tech leads, and engineering managers responsible for maintaining complex codebases. If you've ever been burned by a 'minor patch update' that broke production, or spent hours investigating why a dependency update caused subtle bugs, this tool is for you.
What problems does this solve?
We solve the 'silent break' problem - when library maintainers release updates with undocumented behavior changes. We also eliminate the noise of irrelevant changelog entries, helping you focus only on changes that could impact your codebase. Finally, we give you confidence to update dependencies by providing risk-based intelligence instead of forcing you to guess.
How does this improve my workflow?
Instead of reading through dozens of changelog entries and release notes, you get a risk-scored, categorized summary highlighting what actually matters. You can quickly see if a new release has breaking changes, security updates, or undocumented modifications. When combined with lockfile monitoring, you get proactive alerts about risky updates before they hit production.
Can I use this in CI/CD?
Currently, lockfile upload is manual via the web interface. In a future release, we're planning API endpoints for programmatic lockfile checking, which would enable CI/CD integration. You'd be able to upload your lockfile after dependency resolution and get immediate alerts about high-risk changes.
Ecosystem News & Security Context
What is the ecosystem news feature?
When we analyze a release, we also look at external security and ecosystem news published around the same time (for example, the recent LiteLLM credential leak). If a news item affects the same package, a package you depend on, or the broader ecosystem, we attach it to the release summary and call out the connection in a dedicated "Ecosystem News" section. This gives you the supply-chain context that release notes alone can't provide.
Where does the news come from?
Three sources: (1) GitHub Security Advisories — structured CVE/advisory data with package-version ranges, (2) OSV.dev — the open-source vulnerability database covering npm, PyPI, Go, Maven, crates, and RubyGems, and (3) a curated allow-list of security RSS feeds for narrative incidents that haven't landed as CVEs yet. RSS items are passed through an LLM classifier that extracts affected package names and severity before they're eligible to link to a release.
How does news affect release severity?
News items contribute up to 25 points to a release's 0–100 risk score, depending on how tightly they match. A direct critical match (a supply-chain compromise against the exact package) adds up to 25 points; a dependency-level critical match adds up to 10; ecosystem-wide critical news adds up to 5. The total score is still capped at 100.
How fresh is the news?
The scraper runs every 4 hours by default and indexes items from the last 14 days. When a release is processed, we only consider news published within ±14 days of the release date. Both the cadence and the lookback window are runtime-configurable without redeploying.
Why didn't a release I care about get flagged?
The most common reasons: (1) the news item names the package differently than we do (we canonicalize PyPI names but npm names must match exactly), (2) the item falls outside the 14-day window, (3) the RSS classifier couldn't extract a structured package name with high confidence, or (4) we don't have the package in our OSV probe list yet. Email info@devupdate.io if you spot a missed link and we'll add the mapping.
Is this the same as a CVE scanner or SCA tool?
No — and that's intentional. We don't scan your code, we contextualize releases. A CVE scanner tells you "version 1.4.2 is vulnerable"; we tell you "this release of the library was published 8 hours after an upstream dependency was compromised." Keep Dependabot or Snyk running for software-composition analysis; use us to decide whether a specific update is safe to merge right now.
Roadmap & Future Features
What's coming next?
We're working on two major features: (1) Full codebase scanning where you can link your project and we'll auto-detect all your dependencies (today's lockfile auto-discovery is the first step), and (2) GitHub App integration for automatic syncing and PR comments.
Will you support codebase analysis?
Yes! This is a major part of our roadmap. Instead of just monitoring libraries in general, we'll analyze your actual codebase to understand which specific functions and APIs you use. This way, we can tell you things like 'This update deprecates useState hook in React 18.3, which you use in 12 files.' This contextual intelligence is what transforms generic dependency monitoring into actionable project-specific insights.
Can I request support for a specific package ecosystem?
Absolutely! Email us at info@devupdate.io with your ecosystem request. We prioritize based on user demand.
Privacy & Security
What data do you store?
We store: your account information (email, username), URLs of the sources you track, the summaries we generate for each release, and parsed dependency data from lockfiles you upload. We do NOT store your actual source code or have access to your private repositories (unless you explicitly grant access via GitHub OAuth in a future release).
Do you share my data?
No. Your tracked sources and lockfile data are private to your account. The only exception is anonymized usage statistics for improving our service.
How do you handle lockfiles?
When you upload a lockfile, we parse it to extract package names and versions, then store this structured data in our database. We may optionally store the raw lockfile in S3 for audit purposes, but we never expose it to other users or third parties.
Billing & Support
How much does it cost?
We offer a free tier with up to 10 tracked sources. Paid plans with higher limits and advanced features will be announced soon. Early adopters get grandfathered pricing.
How do I get support?
For technical issues, email info@devupdate.io. For feature requests or general questions, you can also reach out on GitHub or Twitter/X.
Can I delete my account?
Yes, you can request account deletion from your settings page. We'll send a confirmation email, and once confirmed, we'll delete all your data including tracked sources and uploaded lockfiles.
Still have questions?
Can't find what you're looking for? Reach out to our support team.
info@devupdate.io