Sherlup, a tool to let LLMs check your dependencies before you upgrade (www.castignoli.it)

🤖 AI Summary
A new command-line tool named Sherlup has been introduced to address security risks in the Node.js ecosystem by using large language models (LLMs) to check dependencies before upgrades. Because the Node.js environment relies heavily on numerous interconnected packages, the potential for supply chain attacks, in which malicious actors exploit vulnerable dependencies, is significant. Sherlup aims to make this process more secure by automatically analyzing code changes in dependencies, particularly those proposed in automated dependency upgrades through tools like Renovate. Sherlup stands out by focusing on the differences between dependency versions and by letting users integrate any LLM of their choice for the analysis, which further enhances security customization. Unlike existing tools like Socket.dev, which analyze complete package snapshots using proprietary AI pipelines, Sherlup provides an open-source option, promoting transparency and user control in detecting vulnerabilities. By facilitating machine-assisted reviews of dependency changes, Sherlup is poised to simplify the historically arduous task of security auditing, ultimately contributing to stronger software supply chain defenses in the AI/ML community.