Each software project is facing an unavoidable belief challenge. Over time, dependencies become endless, leading to security weaknesses. Others are not available, no need to flow in times of construction. For many developing teams, responding to these issues means running the manual scripts, reviewing output files, and hopeless to fall into the cracks.
I recently transformed this error-prone manual process into an automated solution using a few tools on GitHub-GitHub Copilot, GitHub Actions, and Dependable, to be specific (just in case you’re wondering). Here’s how you can do the same!
So, let’s jump (and make sure to look at the video over!).
The problem with manual dependency audits
Most teams start with a simple manner of trust management. It usually includes a bash script running from time to time. Here’s what our manual script looks like:
#!/bin/bash
echo "Starting manual dependency audit..."
# List all dependencies
echo "Installed dependencies:"
npm list --depth=0 > deps.txt
cat deps.txt
# Check for outdated ones
echo -e "\nChecking outdated dependencies..."
npm outdated > outdated.txt
cat outdated.txt
# Guess at unused ones (very crude)
echo -e "\nLooking for potentially unused dependencies..."
for dep in $(npm list --depth=0 | grep '├──' | cut -d' ' -f2 | cut -d@ -f1); do
if ! find . -type f -name "*.js" -o -name "*.tsx" -o -name "*.ts" | xargs grep -l "$dep" > /dev/null 2>&1; then
echo "$dep might be unused"
fi
done
echo "Done! Check deps.txt and outdated.txt manually. Phew that was a lot of work!"
This method has many limits, including:
- Manual, so there is a need to remember to run it (and be honest, I will always forget to run on my own cenebases).
- The unused trust check is crude, and often inaccurate.
- Outcomes scattered as many output files.
- It is not integrated with workflows or CI / CD pipelines.
Must have a better way than this right?
How to Simply Trust Audits in GitHub
Lucky with, in fact, a better solution than the manual bash script if you work in GitHub-and it starts using a AI tool, our Automation and CI / CI / CI / CI / CI / CI / CD TOOWAL. GitHub actions, and dependal, our automatic confidence content.
Here’s a step-step move you can use to make it.
Step 1: Use GitHub Copilot to make the action
Agent mode takes Github Copilot from suggesting the ownership code of tasksLike changing our glass script to a github action of flowing gitters.
Our Phrus is here:
“Create an action github for confidence to the deprivation of posting and posting posting. And a separate dependhot workflow for managing endless dependencies.”
Remember our original bash script? With a quick, I share the context (package.json and our manual script) and asks it to make an action using the dependency checker tool Depcheck For more accurate motivation of unused dependences.
Step 2: GitHub Copilot wrote the action github
To implement this action GitHub, GitHub Copilot creates new workflow file to .github/workflows/dependency-audit.yml. Here is the workflow file copilot helped make:
name: Dependency Audit
on:
schedule:
- cron: '0 0 * * 1' # Run weekly on Mondays
workflow_dispatch: # Allow manual triggering
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '18'
- name: Install dependencies
run: npm ci
- name: Install depcheck
run: npm install -g depcheck
- name: Run depcheck for unused dependencies
run: depcheck --json > unused-deps.json
- name: Run npm audit
run: npm audit --json > security-audit.json
- name: Generate report
run: |
echo "# Dependency Audit Report $(date)" > report.md
echo "## Unused Dependencies" >> report.md
cat unused-deps.json | jq -r '.dependencies()' >> report.md
echo "## Security Issues" >> report.md
cat security-audit.json | jq '.metadata.vulnerabilities' >> report.md
- name: Create issue if problems found
uses: peter-evans/create-issue-from-file@v4
if: ${{ success() }}
with:
title: Weekly Dependency Audit
content-filepath: ./report.md
labels: maintenance, dependencies
Step 3: Enable dependab
While our usual action focuses on the search of unused dependencies, we can use Sergabot automatically to make sparkle requests for unemployed packages. Delepaboot can be configured at least one simple name of YAML or automatically by turning away from your repository settings. Here is the Yamitl file Copilot’s actions:
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
The result: a fully automated authentication audit
With that, our trust in trust is now perfectly automated. Let’s turn how it works:
- Our usual action uses demcheck to accurately identify unused dependencies.
- Dependability creates pull requests for unused packages, complete with Changelogs and risk assessments.
- Security vulnerabilities are found and reported per week.
- Everything is written on GitHub issues for the team’s sight.
This method cannot only save time but also reduces security hazards and performance issues that are from the bad management of dependencies.
By combining AI capabilities in GitHub Copilot with actions of GitHub and Dependable, we have made a tedoon manual task in an automated solution to our cenebase. And I will take the storage times to make something more interesting, like unrelling the mystery of the weird TV shows divisions. Or who knows, maybe I’ll finally figure out what it means to refine macrodata on that show (anyone has any idea yet?
Try Github Copilot free and activate Dependab
Learn more about Github copilot for business or start your free attempt at Github enterprise today.
Written to
https://github.blog/wp-content/uploads/2025/03/manual-dependency-auditing.png
2025-03-05 21:03:00
