LLMs hallucinate dependency names — and attackers pre-register them with payloads. depfirewall fails the PR when a dependency exists on no registry, or ships known CVEs. One workflow file. No config. Your code never leaves GitHub.
on: [pull_request] permissions: { contents: read, pull-requests: write } jobs: depfirewall: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: alwaysreadyallies/depfirewall@v1
| dependency | verdict | why |
|---|---|---|
| reqests-toolbelt@1.0 | UNKNOWN | exists on no registry — hallucinated, or slopsquat bait |
| requests@2.5.0 | VULNERABLE | 6 advisories, worst CVE-2018-18074 · CVSS 7.5 |
| numpy@2.5.1 | SAFE | no known issues |
Dependabot and npm audit scan packages that exist for bugs that are known.
A package that exists nowhere sails straight through them. That's the gap this closes.
The dep-set is diffed against the PR base — requirements.txt, pyproject.toml, package.json. Added or version-changed deps get checked; the other 400 lines don't get re-litigated.
Each dep is looked up on deps.dev. A 404 is confirmed against the native registry (PyPI, npm, crates.io, Go proxy) — only a package that exists nowhere fails.
Known advisories, deduped per CVE, scored by max CVSS. Set a severity floor (7.0 = high/critical only) or fail on any advisory.
One PR comment, updated in place on every push, plus a checkable JSON certificate — the audit trail that your AI-written code was verified before merge.
Public repositories run the full gate free, forever. Private repositories need a license key.