# Upgrade Impact Analyzer
Intelligent dependency upgrade risk analysis with AI-powered insights
Unlike traditional dependency checkers that just report version changes, Upgrade Impact Analyzer measures risk based on your actual code usage. It combines static code analysis, changelog intelligence, and semantic versioning to give you actionable insights.
## Key Features
| Feature | Description |
|---|---|
| Usage-Centric Scoring | Risk scored by actual code usage, not just version numbers |
| AI-Powered Analysis | LLM changelog summarization (OpenAI/Anthropic) |
| Conflict Detection | Detect incompatible upgrades before they break your code |
| Security Scanning | CVE detection via pip-audit and OSV.dev |
| Health Scoring | A-F grades based on maintenance, popularity, quality |
| SBOM Generation | CycloneDX 1.5 and SPDX 2.3 formats |
| License Auditing | Compliance checking with deny lists |
| Monorepo Support | Analyze multiple projects with shared deps |
| Custom Policies | Define risk thresholds per package |
| Multi-Format Output | Terminal, JSON, SARIF, JUnit XML, Markdown |
| CI/CD Integration | GitHub Actions, pre-commit hooks |
## Installation

```bash
# Basic installation
pip install upgrade-impact-analyzer

# With security scanning support
pip install upgrade-impact-analyzer[security]

# With all optional features
pip install upgrade-impact-analyzer[all]
```
Available on PyPI
## Quick Start

```bash
# Analyze your project (auto-detects files)
upgrade-analyzer analyze

# Check for conflicts before upgrading
upgrade-analyzer conflicts

# With security scanning
upgrade-analyzer analyze --security

# Generate SBOM
upgrade-analyzer sbom --output sbom.json

# Health scoring
upgrade-analyzer health

# AI-powered analysis (requires OPENAI_API_KEY)
upgrade-analyzer ai-analyze --package requests --from 2.28.0 --to 2.31.0
```
## Advanced Usage

### Conflict Detection
Detect incompatible dependencies before upgrading (Forward, Reverse, and Cross-upgrade conflicts).
```bash
upgrade-analyzer conflicts                        # Check all upgrades
upgrade-analyzer conflicts --output conflicts.md  # Save report
```
### AI-Powered Analysis
Get human-readable summaries of breaking changes using LLMs.
```bash
# Requires OPENAI_API_KEY or ANTHROPIC_API_KEY
export OPENAI_API_KEY="sk-..."
upgrade-analyzer ai-analyze \
  --package requests \
  --from 2.28.0 \
  --to 2.31.0
```
### Health Scoring & Licensing

```bash
# Show A-F grades for your dependencies
upgrade-analyzer health

# Audit licenses (pass --deny AGPL-3.0 to fail on specific licenses)
upgrade-analyzer licenses
```
### Monorepo & Policies

```bash
# Analyze monorepo
upgrade-analyzer monorepo --root /path/to/monorepo

# Initialize custom policies
upgrade-analyzer init-policies
```
## Example Output

### Terminal Output

Dependency Upgrade Analysis

| Package | Current | Target | Risk Score | Severity | Issues |
|---|---|---|---|---|---|
| requests | 2.28.0 | 3.0.0 | 85.0 | high | 3 |
| flask | 2.0.0 | 3.0.0 | 45.0 | medium | 1 |
| pytest | 7.0.0 | 8.0.0 | 12.0 | low | 0 |
### Risk Breakdown

```text
requests: 2.28.0 → 3.0.0

Risk Assessment: HIGH
Risk Score: 85.0/100

Risk Factors:
  • SemVer Distance:      80.0  (weight: 30%)
  • Usage Impact:        100.0  (weight: 50%)
    3 API changes affecting 5 usage points
  • Changelog Severity:   40.0  (weight: 20%)

Breaking Changes:
  • requests.get
    Function 'requests.get' signature changed
    Affects 2 usage(s) across 1 file(s)
```
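The usage-impact factor above only means something if the scanner finds the real call sites of the changed APIs. The following is an added example, not the project's own `ast_analyzer.py`: it resolves `import`, `import ... as` and `from ... import` bindings to qualified names with the standard `ast` module and counts the usage points hit by a list of changed APIs. `SAMPLE_FILES`, `UsageCollector` and `impact` are constructed for this illustration.

```python
import ast
from collections import Counter
# Constructed sample source (hypothetical); a real scan reads every .py file.
SAMPLE_FILES = {
    "app/client.py": (
        "import requests\n"
        "import requests as rq\n"
        "from requests import get, Session\n"
        "def fetch(url):\n"
        "    r = requests.get(url, timeout=5)\n"
        "    s = Session()\n"
        "    return rq.get(url), get(url), s.get(url)\n"
    ),
}

class UsageCollector(ast.NodeVisitor):
    def __init__(self, package):
        self.package = package
        self.aliases = {}        # local binding -> qualified name
        self.usages = Counter()  # qualified name -> number of call sites
    def visit_Import(self, node):      # import requests / import requests as rq
        for a in node.names:
            top = a.name.split(".")[0]
            if top == self.package:
                self.aliases[a.asname or top] = a.name if a.asname else top
    def visit_ImportFrom(self, node):  # from requests import get, Session
        mod = node.module or ""
        if mod == self.package or mod.startswith(self.package + "."):
            for a in node.names:
                self.aliases[a.asname or a.name] = f"{mod}.{a.name}"
    def visit_Call(self, node):
        parts, expr = [], node.func
        while isinstance(expr, ast.Attribute):  # unwind a.b.c(...)
            parts.append(expr.attr)
            expr = expr.value
        # Only module-level bindings resolve; s.get(...) on an instance is skipped
        if isinstance(expr, ast.Name) and expr.id in self.aliases:
            self.usages[".".join([self.aliases[expr.id], *reversed(parts)])] += 1
        self.generic_visit(node)

def impact(files, package, changed_apis):
    """Return (changed APIs actually called, usage points hit, files hit)."""
    hit = {}  # qualified name -> {path: count}, restricted to changed_apis
    for path, src in files.items():
        c = UsageCollector(package)
        c.visit(ast.parse(src, filename=path))
        for name, n in c.usages.items():
            if name in changed_apis:
                hit.setdefault(name, {})[path] = n
    return len(hit), sum(sum(v.values()) for v in hit.values()), len({p for v in hit.values() for p in v})
```

Because calls through instances (`s.get(...)`) are not attributed, the static count is a lower bound: a low usage-impact score does not prove an upgrade is safe.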
## CI/CD Integration

### GitHub Actions

```yaml
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install analyzer
        run: pip install upgrade-impact-analyzer
      - name: Run analysis
        run: upgrade-analyzer analyze --format sarif --output results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Uploading SARIF to code scanning requires the job to have the `security-events: write` permission.
## Architecture

```text
upgrade_analyzer/
├── analyzer.py              # Main orchestrator
├── cli.py                   # Typer CLI commands
├── conflict_detector.py     # Dependency conflict detection
├── health.py                # Health scoring (A-F)
├── sbom.py                  # SBOM & license auditing
├── intelligence/            # Risk analysis
│   ├── api_differ.py        # API diffing (griffe)
│   ├── risk_scorer.py       # Risk calculation
│   ├── security.py          # CVE detection
│   └── llm_analyzer.py      # AI analysis
└── scanner/                 # Code analysis
    └── ast_analyzer.py      # AST-based usage detection
```
## License

MIT License - see LICENSE for details.