Automated Dependency Trust Reports on Every PR


via Dev.to DevOpsAnders

Every dependency change in a pull request is a security decision. But most teams review dependency bumps by glancing at the diff in package.json or requirements.txt and clicking merge. There is no context about whether that new package is maintained, has known vulnerabilities, or even has a license. I built a GitHub App that fixes this. Every time a PR touches a dependency file, it posts a trust report as a comment with scores, grades, and recommendations for every added or changed package.

The Problem

Your CI pipeline checks if the code compiles and if tests pass. It does not tell you that the new ai-agent-helper package you just added has a trust score of 23/100, no commits in 14 months, and two unpatched CVEs. That context matters more than whether the tests are green.

How It Works

The Nerq GitHub App watches for pull requests that modify dependency files:

package.json / package-lock.json (npm)
requirements.txt / pyproject.toml / Pipfile (Python)
go.mod (Go)
Cargo.toml (Rust)
pom.xm
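As an added example (not the Nerq app's own code), here is the first step such a trigger needs: given a PR's changed files in the shape GitHub's pull-request files API returns them (filename plus a unified-diff patch), it picks out the watched dependency files and reports each added, changed or removed package with its old and new version spec. The npm and pip line parsing are heuristics assumed for this example, and the sample PR data is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple
# Dependency files the app watches (from the article), mapped to an ecosystem.
DEP_FILES = {"package.json": "npm", "package-lock.json": "npm",
             "requirements.txt": "pypi", "pyproject.toml": "pypi", "Pipfile": "pypi",
             "go.mod": "go", "Cargo.toml": "cargo"}
# Heuristics for one diff line (marker already stripped). A diff carries no JSON
# structure, so an npm line is accepted only when its value looks like a range.
NPM_DEP = re.compile(r'^\s*"([^"]+)"\s*:\s*"([\^~><=*0-9][^"]*)"')
PIP_DEP = re.compile(r'^([A-Za-z0-9][A-Za-z0-9._-]*)\s*((?:[=~!<>]=?)\s*[^\s;#]+)?')

def parse_dep(ecosystem: str, line: str) -> Optional[Tuple[str, str]]:
    """Return (package, version spec) for a dependency line, else None."""
    if ecosystem == "npm":
        m = NPM_DEP.match(line)  # the project's own "version" field is not a dep
        return (m.group(1), m.group(2)) if m and m.group(1) != "version" else None
    if ecosystem == "pypi":
        m = PIP_DEP.match(line.strip())
        return (m.group(1), m.group(2) or "*") if m else None
    return None  # go.mod / Cargo.toml parsing omitted in this example

def dependency_changes(pr_files: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Map (ecosystem, package) -> {"old", "new", "change"} for one PR.
    pr_files mimics GitHub's "list pull request files" response ("filename" and
    "patch" with unified-diff hunks); unwatched files are ignored, so a PR that
    only touches source code produces no report."""
    changes: Dict[Tuple[str, str], dict] = {}
    for f in pr_files:
        eco = DEP_FILES.get(f["filename"].rsplit("/", 1)[-1])
        if eco is None or not f.get("patch"):
            continue
        for raw in f["patch"].splitlines():
            if not raw or raw[0] not in "+-" or raw.startswith(("+++", "---")):
                continue  # hunk headers and unchanged context lines
            dep = parse_dep(eco, raw[1:])
            if dep is not None:
                entry = changes.setdefault((eco, dep[0]), {"old": None, "new": None})
                entry["new" if raw[0] == "+" else "old"] = dep[1]
    for entry in changes.values():
        entry["change"] = ("added" if entry["old"] is None else
                           "removed" if entry["new"] is None else "changed")
    return changes

# Constructed sample: bumps express, adds ai-agent-helper, swaps a pip requirement.
SAMPLE_PR_FILES = [
    {"filename": "package.json", "patch":
     '@@ -1,7 +1,8 @@\n {\n   "name": "demo-app",\n   "version": "1.0.0",\n'
     '   "dependencies": {\n-    "express": "^4.18.0",\n+    "express": "^4.19.2",\n'
     '+    "ai-agent-helper": "^0.1.0",\n     "lodash": "^4.17.21"\n   }\n }'},
    {"filename": "src/server.js", "patch": "@@ -1 +1 @@\n-old\n+new"},
    {"filename": "requirements.txt", "patch": "@@ -1,2 +1,2 @@\n requests==2.31.0\n-colorama\n+rich>=13.0"},
]
```

The returned map is what a trust-report step would then score package by package; the unrelated src/server.js change in the sample produces no entry.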
