Dependency Update Monitor

Example prompt: "Every Monday, check our GitHub repo for outdated dependencies. If any have known security vulnerabilities, create a GitHub issue with the details and tag it security."

How to automate dependency monitoring with GloriaMundo

The Problem

Software projects accumulate outdated dependencies quietly. A library that was current three months ago now has two minor versions and a security patch you have not applied. Most teams only discover this when something breaks, a security scanner flags it in a compliance review, or a developer happens to notice while working on an unrelated change. Manually checking for updates — running audit commands, cross-referencing CVE databases, evaluating which updates are safe to apply — takes significant time and requires knowledge of the project's dependency tree. The consequence is that security patches sit unapplied for weeks or months, and routine updates pile up into large, risky upgrades.

How GloriaMundo Solves It

We build a scheduled workflow that runs every Monday. An integration step checks your GitHub repository for the project's dependency manifest (package.json, requirements.txt, Gemfile, or equivalent). A web search step cross-references any outdated packages against public vulnerability databases and security advisories to identify which updates are routine and which address known security issues. An LLM step analyses the findings and produces a prioritised summary: critical security updates at the top, followed by major version bumps, and then minor or patch updates. A conditional step checks whether any security vulnerabilities were found. If so, an integration step creates a GitHub issue with the vulnerability details, affected package names, current and recommended versions, and a "security" label. If there are no security issues, a summary of routine updates is posted to Slack for the team's awareness. Glass Box preview shows you the full dependency analysis and any issues that would be created before they are filed.

Example Workflow Steps

  1. Trigger (scheduled): Runs every Monday at 9:00 AM.
  2. Step 1 (integration): Fetch the project's dependency manifest and lock file from the GitHub repository.
  3. Step 2 (web_search): Check for known security vulnerabilities and available updates for each dependency against public advisory databases.
  4. Step 3 (llm): Analyse the results and produce a prioritised summary — critical security patches, major updates, and routine bumps — with risk assessment and recommended actions.
  5. Step 4 (conditional): If security vulnerabilities are found, proceed to create a GitHub issue. Otherwise, post a summary to Slack.
  6. Step 5a (integration): Create a GitHub issue detailing each security vulnerability — affected package, current version, patched version, CVE identifier, and severity. Apply the "security" label.
  7. Step 5b (integration): If no security issues, post a summary of available routine updates to #engineering on Slack.
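The prioritisation and branching logic of Steps 2 to 5, written out as an added example rather than GloriaMundo's own code: the manifest, latest-version table and advisory feed are constructed inline (the CVE ids are placeholders) so it runs offline, where the real steps would fetch them from GitHub and public advisory databases. It assumes plain dotted numeric version strings and models the outputs of Steps 5a and 5b as dicts instead of calling the GitHub or Slack APIs.

```python
from dataclasses import dataclass
# Constructed sample inputs (not real data); CVE ids are placeholders.
MANIFEST = {"lodash": "4.17.15", "express": "4.17.1", "axios": "0.21.1", "left-pad": "1.3.0"}
LATEST = {"lodash": "4.17.21", "express": "5.1.0", "axios": "1.7.2", "left-pad": "1.3.0"}
ADVISORIES = {
    "axios": {"cve": "CVE-EXAMPLE-0001", "severity": "critical", "patched": "0.21.2"},
    "lodash": {"cve": "CVE-EXAMPLE-0002", "severity": "high", "patched": "4.17.21"},
    "express": {"cve": "CVE-EXAMPLE-0003", "severity": "medium", "patched": "4.17.0"},  # fix already applied
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
BUMP_RANK = {"major": 0, "minor": 1, "patch": 2}
@dataclass
class Finding:
    package: str
    current: str
    latest: str
    cve: str = ""  # empty means a routine (non-security) update
    severity: str = ""
    patched: str = ""
def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))  # assumes plain dotted numeric versions

def bump_kind(current: str, latest: str) -> str:
    c, l = parse_version(current), parse_version(latest)
    return "major" if l[0] > c[0] else "minor" if l[1] > c[1] else "patch"

def analyse(manifest, latest, advisories) -> list:
    """Steps 2-3: flag outdated packages, attach matching advisories, prioritise."""
    findings = []
    for pkg, cur in manifest.items():
        if pkg not in latest or parse_version(latest[pkg]) <= parse_version(cur):
            continue  # up to date (or unknown): nothing to report
        f = Finding(pkg, cur, latest[pkg])
        adv = advisories.get(pkg)
        if adv and parse_version(cur) < parse_version(adv["patched"]):  # still vulnerable?
            f.cve, f.severity, f.patched = adv["cve"], adv["severity"], adv["patched"]
        findings.append(f)
    # Security findings first (by severity), then major, minor and patch bumps.
    return sorted(findings, key=lambda f: (0, SEVERITY_RANK[f.severity], f.package) if f.cve
                  else (1, BUMP_RANK[bump_kind(f.current, f.latest)], f.package))

def route(findings) -> dict:
    """Step 4: GitHub issue labelled 'security' if any CVE remains, else a Slack summary."""
    security = [f for f in findings if f.cve]
    if security:
        body = "\n".join(f"- {f.package} {f.current} -> {f.patched} ({f.cve}, {f.severity})" for f in security)
        return {"action": "github_issue", "labels": ["security"], "body": body}
    body = "\n".join(f"- {f.package} {f.current} -> {f.latest} ({bump_kind(f.current, f.latest)})" for f in findings)
    return {"action": "slack", "channel": "#engineering", "body": body}
```

Note that express is reported as a routine major bump, not a security finding, because its pinned version is already past the advisory's patched release; a checker that matches on package name alone would file a false-positive issue.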

Integrations Used

  • GitHub — source of the dependency manifest and destination for security issue creation
  • Slack — receives a summary of routine updates when no security issues are found

Who This Is For

Engineering teams and DevOps leads who maintain production applications and need to stay ahead of security vulnerabilities without manually auditing dependencies every week. Especially useful for teams without dedicated security tooling or those managing multiple repositories where dependency drift is hard to track.

Time & Cost Saved

A manual dependency audit — checking for updates, researching security advisories, and filing issues — takes 1-3 hours per repository per week when done thoroughly. Most teams do it quarterly at best, which means security patches go unapplied for months. This workflow runs every Monday and ensures critical vulnerabilities are surfaced within days of disclosure, not weeks. Over a quarter, it replaces 12-36 hours of manual auditing per repository. More importantly, it closes the window between a vulnerability being published and your team knowing about it. The workflow uses integration, web search, LLM, and conditional steps, costing a few credits per weekly run.