DepBrief is a tool I built to make dependency updates less of a guessing game. Instead of "bump package X from 1.2 to 1.3" with no context, it tells you which files in your repo are affected, whether any breaking changes hit your specific usage, and what the real risk level is.

The full vision involves a GitHub App that automatically opens DepBrief-style PRs. But you don't need that to get started. Here's how to use it right now, with just a GitHub token.

Install

npm install -g depbrief

Authenticate

DepBrief needs a GitHub token to fetch release notes and upstream changes. The easiest way:

depbrief login

It'll prompt for a Personal Access Token (PAT). You can create one at github.com/settings/tokens; the repo and read:packages scopes are enough. Fetching release notes is a read-only operation, so use the narrowest token your organization allows and revoke it when you stop using the tool.

If you'd rather not store credentials locally, set GITHUB_TOKEN in your environment and DepBrief will pick it up. In CI, inject it from the runner's secret store rather than committing it to a .env file.

Scan a project

cd ~/my-project
depbrief scan .

This outputs a JSON FactSet — everything DepBrief found: outdated packages, their versions, which files import them, upstream release notes, AI-generated change summaries, and a risk level per package.

For a human-readable version:

depbrief report .

This outputs a Markdown report you can paste into a PR or an issue.

Generate a PR description

depbrief pr .

This generates a full PR title and body covering every outdated dependency: summary, security fixes (if any), breaking changes mapped to your files, and an impact analysis table. All facts are verified against your actual codebase before emission.

Check what changed since last commit

depbrief diff .

Shows a table of packages that changed between HEAD and HEAD~1 — useful for reviewing what an automated bump PR actually did.

Run a health check

depbrief doctor

Checks that your environment is configured correctly: credentials, GitHub API access, an Anthropic API key (optional; used for AI summarization), and the local Ollama fallback.

What it does under the hood

The pipeline has five layers:

  1. Dependency parser — reads package.json and lockfile, gets exact installed versions
  2. Version checker — queries npm registry, identifies outdated packages and CVEs
  3. Upstream fetcher — pulls release notes from GitHub for the version range you're updating across
  4. AI summarizer — uses Claude (or Ollama locally) to extract structured facts: breaking changes, deprecations, security fixes, risk level
  5. Impact scanner — finds every file in your repo that imports the package, maps breaking changes to specific files and line numbers

The key constraint: the AI is only allowed to summarize what's in the release notes. It can't invent breaking changes or file paths, and every factual claim in the output is sourced. Release notes are still upstream-authored text, so the file and line citations in the report, not the summary prose, are what to check before merging.

Skip AI for a fast scan

If you just want a quick version check without waiting on AI:

depbrief scan . --skip-ai

This runs layers 1–2 and the impact scanner, skipping the upstream fetch and AI summarization. Useful for daily checks where you only care about what's new.

What's next

I'm working on the GitHub App so DepBrief can open PRs automatically on your repos. If you want early access when that's ready, join the waitlist.

In the meantime — try it on a real project and let me know what's missing. I'm actively building this and the feedback loop matters.
