LLM Dependency Bot
Version updated for https://github.com/SeanZoR/llm-dependency-bot to version v1.2.0.
- This action is used across all versions by 1 repositories.
Go to the GitHub Marketplace to find the latest changes.
Release notes
๐ Phase 2 Complete: Real Tool Functionality
This release transforms the bot from using placeholder tools to real API integrations! Claude can now fetch actual release notes and check real vulnerability databases.
โจ What’s New
๐ Real npm Registry Integration
Fetches actual package metadata from https://registry.npmjs.org
What you get:
- Package descriptions
- Repository URLs
- Links to GitHub for release notes
Example:
**Description:** Promise based HTTP client for the browser and node.js
**GitHub Release Notes:** [actual changelog from GitHub]
๐ Real PyPI Integration
Fetches Python package information from https://pypi.org
What you get:
- Package descriptions
- Detailed changelogs
- Project metadata
๐ก๏ธ Real CVE/Vulnerability Checking
Queries OSV (Open Source Vulnerabilities) database at https://api.osv.dev
What you get:
- Real CVE IDs (CVE-2024-XXXX)
- Severity scores (CVSS ratings)
- Vulnerability summaries
- Support for npm, PyPI, Go, Rust, and more
Example:
โ ๏ธ Found 2 vulnerabilities for lodash 4.17.20:
- **CVE-2021-23337** (CVSS 7.5): Command injection via template
- **GHSA-35jh-r3h4-6jhm** (HIGH): Prototype pollution vulnerability
๐ GitHub Releases API
Fetches actual release notes from GitHub repositories
Features:
- Handles both
v1.0.0and1.0.0tag formats - Extracts release body (changelog)
- Shows what changed in each version
๐ฏ Before & After
Before (v1.1.0)
Release notes for axios 1.6.1 would be fetched from package registry
(npm, PyPI, etc.) in production implementation.
After (v1.2.0)
**Description:** Promise based HTTP client for the browser and node.js
**GitHub Release Notes:**
### What's Changed
* Fix: Memory leak in request interceptors
* Docs: Update TypeScript examples
**Full Changelog**: https://github.com/axios/axios/compare/v1.6.0...v1.6.1
๐ Evidence in PR Comments
The Evidence & Analysis section now shows real data:
Tools Used:
- โ Fetch Release Notes
- โ Check CVE Database
Key Findings:
- โ No known vulnerabilities in new version
- ๐ Release notes show bug fixes only
- โ ๏ธ Breaking changes detected in changelog
- ๐ Security patches included
Metrics:
- Dependency:
axios - Files Changed: 2
- CI Status: success
๐ง Technical Details
APIs Integrated
| API | Purpose | Endpoint |
|---|---|---|
| npm Registry | JavaScript packages | registry.npmjs.org |
| PyPI JSON API | Python packages | pypi.org/pypi |
| GitHub Releases | Release notes | api.github.com/repos |
| OSV Database | Vulnerabilities | api.osv.dev/v1/query |
Error Handling
- โ 10-second timeout on all API calls
- โ Graceful fallback when data unavailable
- โ Output length limits (800-1000 chars)
- โ No new dependencies required
Security
- Uses existing GitHub token for GitHub API
- No additional API keys needed
- Proper error handling throughout
- Bandit security checks passing
๐ Impact
Better Decisions
Claude can now make evidence-based decisions using:
- Actual package descriptions
- Real changelogs
- Concrete CVE data
- Severity scores
More Trust
Users see real evidence that Claude used:
- “Release notes show backwards compatible changes”
- “CVE-2024-1234 fixed in this version”
- “No known vulnerabilities found”
Wider Support
Works with multiple ecosystems:
- โ JavaScript (npm)
- โ Python (PyPI)
- โ Go (OSV)
- โ Rust (OSV)
- โ Any package with GitHub releases
๐ Usage
No changes needed! Just use the latest version:
- uses: SeanZoR/llm-dependency-bot@v1 # Always latest
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
Or pin to specific version:
- uses: SeanZoR/llm-dependency-bot@v1.2.0
๐งช Testing
pytest -v
# Result: โ
19 passed in 1.60s
All existing tests pass with real tool implementations.
๐ Example Decision Flow
When analyzing axios 1.6.0 โ 1.6.1:
- Fetch release notes from npm registry
- Check CVE database for vulnerabilities
- Get GitHub release for detailed changelog
- Analyze all evidence
- Decide based on real data
- Show evidence in PR comment
Result: More accurate, trustworthy decisions! ๐ฏ
๐ Links
- Pull Request: #2
- Full Changelog: https://github.com/SeanZoR/llm-dependency-bot/compare/v1.1.0...v1.2.0
- npm Registry Docs: https://github.com/npm/registry/blob/main/docs/REGISTRY-API.md
- OSV Documentation: https://osv.dev/docs/
๐ Credits
Built with:
- Claude 3.5 Sonnet - AI reasoning engine
- OSV - Open Source Vulnerabilities database
- npm Registry - JavaScript packages
- PyPI - Python packages
๐ค Generated with Claude Code
Co-Authored-By: Claude noreply@anthropic.com