AI-Powered Dependency Tracking for External Resources
Dependabit automatically discovers, tracks, and monitors external dependencies referenced in your codebase using LLM-powered analysis. Unlike traditional dependency managers that only track package manifests, Dependabit finds informational dependencies like GitHub repos, documentation sites, API references, research papers, and more.
⚠️ Pre-1.0 software — APIs are subject to change between minor versions. Pin to exact versions in production. See the CHANGELOG for breaking changes between releases.
📚 Documentation: https://pradeepmouli.github.io/dependabit/
- LLM Analysis: Uses GitHub Copilot (or other LLMs) to intelligently detect external dependencies
- Multi-Source Parsing: Extracts references from README files, code comments, and package manifests
- Smart Classification: Automatically categorizes dependencies (documentation, research papers, schemas, APIs, etc.)
- Confidence Scoring: Provides confidence levels for each detected dependency
- Push-Triggered Updates: Automatically updates manifest when code changes are pushed
- Selective Re-Analysis: Only analyzes changed files for efficiency
- Merge Strategies: Preserves manual edits while incorporating new discoveries
- Change Logging: Comprehensive logging of additions and removals
- Periodic Checks: Scheduled monitoring of external dependencies
- Issue Creation: Automatically creates GitHub issues for dependency changes
- Severity Classification: Breaking, major, or minor change detection
- Rate Limiting: Smart GitHub API usage with budget reservation
- Dependabot-Style Config: Familiar YAML configuration format
- Per-Dependency Rules: Customize monitoring frequency and behavior
- Multiple Auth Methods: Token, OAuth, and basic authentication support
- AI Agent Assignment: Automatically assign issues to AI agents based on severity
To publish the action to the GitHub Marketplace:
- Run the
Bundle Actionworkflow (or build locally) sopackages/action/action-distis committed. - Create a GitHub Release tag (for example,
v0.1.12). - In the Release UI, select Publish this Action to the GitHub Marketplace.
The action metadata in action.yml points to the bundled file, so Marketplace users get a self-contained action.
- Node.js >= 20.0.0
- pnpm >= 10.0.0
- GitHub repository with Actions enabled
- GitHub Copilot access (or alternative LLM provider)
Add Dependabit to your repository by creating workflow files:
Create .github/workflows/dependabit-generate.yml:
name: Generate Dependency Manifest
on:
workflow_dispatch: # Manual trigger for initial setup
permissions:
contents: write
issues: write
pull-requests: write
jobs:
generate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Setup GitHub CLI (required for Copilot CLI)
run: |
# GitHub CLI is pre-installed on GitHub Actions runners
# Verify it's available and authenticated
gh --version
gh auth status
- name: Install dependencies and build action
run: |
corepack enable
pnpm install
pnpm build
- name: Generate manifest
id: generate
uses: ./packages/action # Use local action after building
with:
action: generate
repo_path: .
manifest_path: .dependabit/manifest.json
llm_provider: github-copilot
llm_api_key: ${{ secrets.GITHUB_TOKEN }}
- name: Commit manifest
run: |
git config user.name "dependabit[bot]"
git config user.email "dependabit[bot]@users.noreply.github.com"
git add .dependabit/
if git status --porcelain .dependabit/ | grep .; then
git commit -m "chore: initialize dependabit manifest"
git push
else
echo "No manifest changes to commit; skipping commit and push."
fiCreate .github/workflows/dependabit-update.yml:
name: Update Dependency Manifest
on:
push:
branches: [main, master]
paths:
- '**.md'
- '**.ts'
- '**.js'
- '**.py'
- 'package.json'
- 'requirements.txt'
permissions:
contents: write
issues: write
pull-requests: write
jobs:
update:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 10 # Fetch recent commits for analysis
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Setup GitHub CLI (required for Copilot CLI)
run: |
# GitHub CLI is pre-installed on GitHub Actions runners
# Verify it's available and authenticated
gh --version
gh auth status
- name: Install dependencies and build action
run: |
corepack enable
pnpm install
pnpm build
- name: Update manifest
id: update
uses: ./packages/action # Use local action after building
with:
action: update
repo_path: .
manifest_path: .dependabit/manifest.json
llm_provider: github-copilot
llm_api_key: ${{ secrets.GITHUB_TOKEN }}
- name: Commit changes
run: |
git config user.name "dependabit[bot]"
git config user.email "dependabit[bot]@users.noreply.github.com"
git add .dependabit/manifest.json
git diff --quiet && git diff --staged --quiet || \
git commit -m "chore(dependabit): update manifest"
git pushNote: The
checkGitHub Action workflow is not yet available. This section will be updated with a ready-to-use example once thecheckaction has been implemented.
Create .dependabit/config.yml to customize behavior:
version: "1"
# Global settings
schedule:
interval: daily
time: "02:00"
# Issue handling & AI agent assignment rules
issues:
aiAgentAssignment:
breaking: "@copilot"
major: "@claude"
minor: "@copilot"
# Per-dependency overrides
dependencies:
- url: "https://github.com/important/repo"
schedule:
interval: hourly
monitoring:
ignoreChanges: false
- url: "https://stable-docs.example.com"
schedule:
interval: weekly
monitoring:
ignoreChanges: falseThis is a monorepo using pnpm workspaces:
dependabit/
├── packages/
│ ├── action/ # GitHub Action entry points
│ ├── detector/ # LLM-based dependency detection
│ ├── manifest/ # Manifest schema and validation
│ ├── monitor/ # Change detection and monitoring
│ ├── github-client/ # GitHub API wrapper
│ ├── plugins/ # Extensible plugin system
│ ├── core/ # Shared utilities
│ └── utils/ # Common utility functions
├── specs/ # Feature specifications
├── docs/ # Documentation
├── .github/workflows/ # CI/CD workflows
├── e2e/ # E2E tests
└── test-fixtures/ # Test fixtures for E2E/integration tests
# Clone the repository
git clone https://github.com/pradeepmouli/dependabit.git
cd dependabit
# Install dependencies
pnpm install
pnpm run builddependabit/
├── packages/
│ ├── core/ # Core dependency tracking logic
│ ├── manifest/ # Manifest schema and validation
│ ├── github-client/ # GitHub API client
│ ├── plugins/ # Resource-specific plugins
│ │ ├── plugin-github/ # GitHub releases and files
│ │ ├── plugin-arxiv/ # ArXiv papers
│ │ ├── plugin-openapi/ # OpenAPI specifications
│ │ ├── plugin-http/ # Generic HTTP resources
│ │ └── plugin-context7/ # Context7 integration
│ └── utils/ # Shared utilities
├── docs/ # Documentation
├── specs/ # Feature specifications
└── .github/workflows/ # GitHub Actions workflows
- Setup Guide - Development environment setup
- Workspace Guide - Managing monorepo packages
- Development Workflow - Development process and best practices
- Testing Guide - Testing infrastructure and guidelines
- Examples - Usage examples and patterns
- Auto Update - Automatic update workflow
# Run all tests
pnpm test
# Run specific package tests
pnpm --filter @dependabit/detector test
# Watch mode
pnpm test:watch
# Coverage
pnpm test:coverage# Lint code
pnpm run lint
# Format code
pnpm run format
# Type check
pnpm run type-check# Build all packages
pnpm run build
# Build specific package
pnpm --filter @dependabit/action build
# Clean build artifacts
pnpm run clean-
Detector (
@dependabit/detector)- LLM provider abstraction
- Multi-source parsing (README, code, packages)
- Hybrid detection (programmatic + LLM fallback)
- Type classification and confidence scoring
-
Manifest (
@dependabit/manifest)- JSON schema with Zod validation
- CRUD operations with merge strategies
- Size checks and warnings
- Version control integration
-
Monitor (
@dependabit/monitor)- Periodic dependency checking
- Change detection and comparison
- Severity classification
- Content normalization
-
GitHub Client (
@dependabit/github-client)- Octokit wrapper with rate limiting
- Multiple authentication methods
- Issue creation and management
- False positive feedback tracking
-
Action (
@dependabit/action)- GitHub Actions integration
- Input/output handling
- Workflow orchestration
- Error handling and logging
Dependabit supports extensible plugins for different dependency types:
- github-api: GitHub repository releases
- http: Generic HTTP/HTTPS resources
- arxiv: Research papers from arXiv
- openapi: OpenAPI/Swagger specifications
- context7: Context7 API integration
Monitor external documentation sites referenced in your code comments and README files.
Track arXiv papers and academic publications that your research code depends on.
Monitor OpenAPI specifications and API documentation for breaking changes.
Keep track of example code repositories and reference implementations.
Discover dependencies not captured in package.json (CDN links, direct includes, etc.).
| Input | Description | Default |
|---|---|---|
action |
Action to perform: generate, update, check, validate | generate |
repo_path |
Path to repository root | . |
manifest_path |
Path to manifest file | .dependabit/manifest.json |
llm_provider |
LLM provider: github-copilot, claude, openai | github-copilot |
llm_model |
LLM model to use | Provider default |
llm_api_key |
API key for LLM provider | Uses GITHUB_TOKEN |
create_issues |
Create GitHub issues for changes | true |
debug |
Enable debug logging | false |
| Output | Description |
|---|---|
manifest_path |
Path to generated/updated manifest |
dependency_count |
Number of dependencies detected |
changes_detected |
Number of changes found (check action) |
issues_created |
Number of issues created |
- Manifest Generation: < 5 minutes for typical repositories
- Manifest Updates: < 2 minutes per commit
- Monitoring: < 10 minutes for 100 dependencies
- Detection Accuracy: > 90% for informational dependencies
- False Positive Rate: < 10%
Manifest not generated:
- Ensure GITHUB_TOKEN has sufficient permissions
- Check that LLM provider is accessible
- Verify repository has external references
Updates not triggering:
- Check workflow file paths filter
- Ensure push events are enabled
- Verify branch name matches trigger
Rate limit errors:
- Reduce check frequency in config
- Use fine-grained GitHub tokens
- Enable rate limit budget reservation
False positives:
- Label issues with
false-positivelabel - System learns from feedback over time
- Adjust confidence thresholds in config
See the existing documentation for more details.
-
Initial manifest generation (LLM-powered dependency discovery)
-
Automatic manifest updates on push
-
Complete plugin implementations (ArXiv, OpenAPI, Context7)
-
GitHub Action workflow templates
- LLM-powered dependency detection
- Multi-source parsing (README, code, packages)
- Generate action with workflow integration
- Auto-update on push
- Change monitoring with issue creation
- Manual manifest management
- Multiple authentication methods
- False positive tracking
- E2E test suite
- Complete plugin implementations (OpenAPI, Context7, arXiv)
- Comprehensive API documentation
- Performance optimization for large repos
- Additional LLM providers (OpenAI, Anthropic)
- Enhanced breaking change detection
- Dependency graph visualization
- Slack/Discord notifications
- Custom webhook support
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Make your changes
- Add tests for new functionality
- Ensure all tests pass (
pnpm test) - Commit using conventional commits (
git commit -m 'feat: add amazing feature') - Push to your branch (
git push origin feature/amazing-feature) - Open a Pull Request
MIT License - see LICENSE for details.
For security issues, please see SECURITY.md.
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Documentation: docs/
- Built with TypeScript and GitHub Actions
- Powered by GitHub Copilot for LLM analysis
- Inspired by Dependabot for the configuration format
Author: Pradeep Mouli Created: January 29, 2026 Status: Early Access - v0.1.0
Made with ❤️ for developers who care about external dependencies
