# DepGuard

AI-powered dependency security & compatibility analyzer. Analyze upgrades, detect breaking changes, check CVEs, and generate rich Markdown reports.

## Features

- **SemVer classification**: auto-detects MAJOR / MINOR / PATCH / pre-release upgrades
- **Release notes fetching**: PyPI, GitHub Releases, npm registry, CHANGELOG.md scraping
- **LLM reasoning**: pluggable local (Ollama, LM Studio, llama.cpp) or cloud (Claude API) backends
- **CVE checking**: OSV.dev + NVD + GitHub Advisory Database
- **Rich Markdown reports**: CVE tables, before/after code examples, migration guides
- **CLI mode**: analyze a `.txt` file of upgrades
- **GitHub PR mode**: parse PR diffs and auto-detect dependency changes
- **Webhook mode**: Flask server for GitHub Actions integration
## Installation

```bash
git clone https://github.com/your-org/depguard
cd depguard
pip install -r requirements.txt
```

Edit `config.yaml` to choose your LLM backend:
```yaml
llm:
  provider: ollama   # ollama | lmstudio | llamacpp | claude
  ollama:
    model: mistral   # or llama3, codellama, deepseek-coder
```

Pull a model and start the Ollama server:

```bash
ollama pull mistral
ollama serve
```

## Quick Start

```bash
# From a text file
python main.py analyze tests/fixtures/sample_deps.diff

# From a GitHub PR URL
python main.py pr https://github.com/owner/repo/pull/123

# From a PR number
python main.py pr 123 --repo owner/repo
```

### Text file mode

Create a `.txt` file with one upgrade per line:
```text
# package_name old_version new_version
requests 2.28.0 2.31.0
flask 2.3.0 3.0.0
django 3.2.0 4.2.0
pydantic 1.10.0 2.0.0
```

```bash
python main.py analyze my_upgrades.txt --verbose
```

### GitHub PR mode

```bash
# Using full URL
python main.py pr https://github.com/owner/repo/pull/456

# Using PR number + repo
python main.py pr 456 --repo owner/repo
```

Set `GITHUB_TOKEN` for higher rate limits and GitHub Advisory access:

```bash
export GITHUB_TOKEN=ghp_xxxx
```

## LLM Providers

Configure the backend in `config.yaml` under `llm.provider`:
| Provider | Config Key | Notes |
|---|---|---|
| Ollama (recommended) | `ollama` | Free, local, run `ollama serve` |
| LM Studio | `lmstudio` | OpenAI-compatible server on port 1234 |
| llama.cpp server | `llamacpp` | OpenAI-compatible server on port 8080 |
| Claude API | `claude` | Cloud, requires `ANTHROPIC_API_KEY` |
Override the configured provider on the command line:

```bash
python main.py analyze deps.txt --provider claude
python main.py analyze deps.txt --provider lmstudio
```

Recommended Ollama models:

```bash
ollama pull mistral          # General purpose, fast
ollama pull llama3           # Strong reasoning
ollama pull codellama        # Code-focused
ollama pull deepseek-coder   # Excellent for code analysis
```

## CVE Sources

| Source | Key Required | Notes |
|---|---|---|
| OSV.dev | No | Primary, always queried |
| GitHub Advisory DB | `GITHUB_TOKEN` | GraphQL API |
| NVD (NIST) | Optional `NVD_API_KEY` | Auto-queried when a key is set |

```bash
export GITHUB_TOKEN=ghp_xxxx
export NVD_API_KEY=xxxx-xxxx   # Optional, increases NVD rate limit
```

## Reports

Reports are saved to `./reports/` as Markdown:
```markdown
## 📦 `requests`: 2.28.0 → 2.31.0

### 🏷️ Update Type
🟢 PATCH: Patch version bump (0 → 31), bug/security fix, likely safe

### Release Notes Summary
_(Source: github_releases)_

### Change Analysis
**Breaking Changes:** No ✅
**Reasoning:** This is a patch release focusing on security fixes...

### 🔧 Migration Guide
No code changes required for this patch upgrade...

### 🛡️ Security & CVE Analysis
| CVE ID | Severity | CVSS | Status | Description |
|--------|----------|------|--------|-------------|
| CVE-2023-32681 | 🟡 MEDIUM | 6.1 | ✅ Fixed in new version | Requests forwards... |

### ✅ Recommendation: **UPGRADE**
Safe patch upgrade with security fix. Recommend immediate upgrade.
```

## Webhook Mode

```bash
export GITHUB_TOKEN=ghp_xxxx
export WEBHOOK_SECRET=your_secret
python main.py webhook --port 5000
```

Example GitHub Actions workflow that notifies the server when a dependency file changes. The `X-Hub-Signature-256` header must carry the HMAC-SHA256 of the request body keyed with `WEBHOOK_SECRET`, not the secret itself:

```yaml
# .github/workflows/depguard.yml
name: DepGuard Dependency Check
on:
  pull_request:
    paths:
      - 'requirements*.txt'
      - 'pyproject.toml'
      - 'package.json'
jobs:
  depguard:
    runs-on: ubuntu-latest
    steps:
      - name: Notify DepGuard
        env:
          # Pass values in via env vars instead of interpolating ${{ }} into the script
          WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
        run: |
          BODY="{\"action\":\"opened\",\"pull_request\":{\"number\":${PR_NUMBER}},\"repository\":{\"full_name\":\"${REPO}\"}}"
          # Signature = HMAC-SHA256(secret, exact body bytes), hex-encoded
          SIG=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$WEBHOOK_SECRET" | sed 's/^.* //')
          curl -X POST https://your-server.com/webhook \
            -H "Content-Type: application/json" \
            -H "X-GitHub-Event: pull_request" \
            -H "X-Hub-Signature-256: sha256=${SIG}" \
            -d "$BODY"
```

## Project Structure

```text
depguard/
├── main.py                    # CLI entrypoint (Click)
├── config.yaml                # All configuration
├── requirements.txt
├── README.md
│
├── core/
│   ├── parser.py              # Parse txt files and GitHub PR diffs
│   ├── semver_classifier.py   # SemVer classification
│   ├── release_fetcher.py     # PyPI / GitHub / npm / CHANGELOG
│   ├── cve_checker.py         # OSV + NVD + GitHub Advisory
│   ├── report_generator.py    # Markdown report builder
│   └── pipeline.py            # Orchestrates the full pipeline
│
├── llm/
│   ├── __init__.py            # Provider factory
│   ├── base.py                # BaseLLMProvider + prompt engineering
│   ├── ollama_provider.py     # Ollama integration
│   ├── lmstudio_provider.py   # LM Studio / llama.cpp
│   └── claude_provider.py     # Anthropic Claude API
│
├── github/
│   ├── pr_parser.py           # GitHub PR diff extraction
│   └── webhook_handler.py     # Flask webhook server
│
└── tests/
    ├── test_parser.py
    ├── test_cve_checker.py
    └── fixtures/
        └── sample_deps.txt
```
## Running Tests

```bash
pip install pytest
pytest tests/ -v
```

## Environment Variables

| Variable | Required | Description |
|---|---|---|
| `GITHUB_TOKEN` | Optional | GitHub API token (higher rate limits + Advisory DB) |
| `ANTHROPIC_API_KEY` | If using Claude | Anthropic API key |
| `NVD_API_KEY` | Optional | NVD API key (higher rate limits) |
| `WEBHOOK_SECRET` | If using webhook | GitHub webhook HMAC secret |
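How the receiver should use `WEBHOOK_SECRET` to check the `X-Hub-Signature-256` header that the webhook mode relies on, as an added example that is not depguard's own `github/webhook_handler.py`. The helper names (`sign_body`, `verify_signature`, `handle_webhook`) and the sample delivery are assumptions; the check is framework-independent so it runs without Flask.

```python
import hashlib
import hmac
import json

# Added example, not depguard's own github/webhook_handler.py: how the receiver
# should validate GitHub's X-Hub-Signature-256 header against WEBHOOK_SECRET.
PREFIX = "sha256="

def sign_body(secret, body):
    """Header value the sender must produce: 'sha256=' + hex(HMAC-SHA256(secret, raw body))."""
    return PREFIX + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()

def verify_signature(secret, body, header):
    """True only if `header` is a valid HMAC over the exact raw request body."""
    if not secret:
        return False  # an empty secret would make every delivery "valid"; refuse instead
    if not header or not header.startswith(PREFIX):
        return False
    expected = sign_body(secret, body)
    # Constant-time comparison: a plain == would leak the matching prefix length via timing
    return hmac.compare_digest(expected.encode(), header.encode())

def handle_webhook(secret, headers, body):
    """Return (status, message) for one delivery. Verify BEFORE parsing or trusting the JSON."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return 401, "bad signature"
    if headers.get("X-GitHub-Event") != "pull_request":
        return 204, "ignored event"
    payload = json.loads(body)
    repo = payload["repository"]["full_name"]
    number = payload["pull_request"]["number"]
    return 202, f"queued analysis of {repo}#{number}"

# Constructed delivery shaped like the README's workflow payload (not a real secret).
SECRET = "example-webhook-secret"
BODY = (b'{"action":"opened","pull_request":{"number":123},'
        b'"repository":{"full_name":"owner/repo"}}')
HEADERS = {"X-GitHub-Event": "pull_request",
           "X-Hub-Signature-256": sign_body(SECRET, BODY)}

if __name__ == "__main__":
    print(handle_webhook(SECRET, HEADERS, BODY))                            # (202, ...)
    print(handle_webhook(SECRET, HEADERS, BODY.replace(b"123", b"999")))    # (401, ...)
```

A tampered body, a missing header, a wrong prefix, or the raw secret sent as the "signature" are all rejected before any JSON is parsed.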
## CLI Reference

```text
Usage: python main.py [COMMAND] [OPTIONS]

Commands:
  analyze    Analyze dependency upgrades from a TXT file
  pr         Analyze dependency changes in a GitHub Pull Request
  webhook    Start the GitHub Actions webhook server

Options for 'analyze':
  -c, --config PATH      Path to config.yaml [default: config.yaml]
  -o, --output PATH      Output Markdown report path
  -v, --verbose          Show detailed per-step output
  -p, --provider TEXT    Override LLM provider

Options for 'pr':
  -r, --repo TEXT        GitHub repo (owner/name)
  -c, --config PATH      Path to config.yaml
  -o, --output PATH      Output Markdown report path
  -v, --verbose          Show detailed per-step output
  -p, --provider TEXT    Override LLM provider
```
## License

MIT