UpgradeRiskAnalyzer 1.0.5
📦 Package Upgrade Risk Analyzer
Software upgrades often carry uncertainty—new versions shouldn't break customer experiences, yet hidden risks make teams hesitate. Upgrade Risk Analyzer eliminates that guesswork. It discovers the correct repository, interprets documentation, and mines release notes, changelogs, and GitHub issues to pinpoint the risks that matter most when moving between versions.
How This Helps
🔍 Pinpointing Real Risks: Automatically discovers the right repository, interprets documentation, and mines release notes, changelogs, and GitHub issues to highlight what really matters between versions.
💡 Actionable Insights: Each finding comes with severity, confidence, and traceable sources—delivered as a clear summary.
⚙️ Less Manual Work: Say goodbye to endless research and surprise rollbacks. Full visibility into potential breakpoints before you hit "release."
Installation
Install as a global .NET tool:
dotnet tool install -g UpgradeRiskAnalyzer
Update to the latest version:
dotnet tool update -g UpgradeRiskAnalyzer
For local development, see docs/local-development.md
Configuration
VS Code with GitHub Copilot
Add to .vscode/mcp.json (workspace) or ~/.vscode/mcp.json (global):
{
  "servers": {
    "upgrade-risk-analyzer": {
      "type": "stdio",
      "command": "upgrade-risk-analyzer"
    }
  }
}
Claude Desktop
Add to %APPDATA%\Claude\claude_desktop_config.json (Windows) or ~/Library/Application Support/Claude/claude_desktop_config.json (macOS):
{
  "mcpServers": {
    "upgrade-risk-analyzer": {
      "command": "upgrade-risk-analyzer"
    }
  }
}
Usage
Once configured, ask your AI assistant to analyze upgrade risks:
Basic:
"Analyze the risks of upgrading react from 17.0.0 to 18.0.0"
With usage context (recommended):
"Analyze the risks of upgrading django from 3.2 to 4.0. We use Django's ORM extensively with custom managers and signals."
For runtimes (Node.js, .NET, Python):
"Analyze the risks of upgrading Node.js from 20.0.0 to 22.0.0 using githubRepo nodejs/node"
Available Tools
analyze_package_upgrade_risks
| Parameter | Required | Description |
|---|---|---|
| packageName | ✅ | Package name (e.g., "react", "django") |
| currentVersion | ✅ | Your current version |
| targetVersion | ✅ | Version to upgrade to |
| numIssuesToDetect | ❌ | Max risks to report (default: 10) |
| packageSource | ❌ | Registry: "npm", "pypi", or "nuget" (default: "npm") |
| githubRepo | ❌ | GitHub repo (e.g., "nodejs/node") for runtimes |
analyze_package_upgrade_risks_with_usage_context
Same as above, plus:
| Parameter | Required | Description |
|---|---|---|
| howPackageIsUsed | ✅ | How you use this package in your project |
Environment Variables
| Variable | Default | Description |
|---|---|---|
| GITHUB_TOKEN | - | GitHub token (skips OAuth). Also accepts GITHUB_PAT |
| PACKAGE_UPGRADE_RISK_MAX_GITHUB_ISSUES | 100 | Max GitHub issues to fetch |
| PACKAGE_UPGRADE_RISK_PARALLEL_SAMPLING | 5 | Initial LLM concurrency |
| UPGRADE_RISK_ANALYZER_TELEMETRY_OPTOUT | false | Set to true to disable telemetry |
Telemetry
By default, the Upgrade Risk Analyzer collects anonymous usage telemetry via Application Insights to help improve the tool. The following data is captured:
- Package name, current/target version, and package source
- Whether a custom GitHub repo was provided
- Analysis duration, success/failure status
- Counts of releases, issues, and risks found
No code, file content, usage descriptions, or personally identifiable information is collected.
To disable telemetry, set the environment variable:
export UPGRADE_RISK_ANALYZER_TELEMETRY_OPTOUT=true
GitHub Authentication
On first use, the server prompts for GitHub Device Flow OAuth:
- A code and URL are displayed
- Visit the URL and enter the code
- Token is cached in Windows Credential Manager
The token is requested with no OAuth scopes, which grants read-only access to public information only — no access to private repos and no write permissions.
Set GITHUB_TOKEN to skip the OAuth flow.
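The VS Code server entry from the Configuration section, extended with the environment variables above; this is an added example, not part of the project's README. It assumes VS Code's standard `env` and `inputs` fields for MCP servers, so the token is prompted for once and kept out of mcp.json instead of being written into a file that may be committed; the input id `github-token` is a name chosen here.

```json
{
  "inputs": [
    {
      "type": "promptString",
      "id": "github-token",
      "description": "GitHub token for upgrade-risk-analyzer (no scopes needed for public data)",
      "password": true
    }
  ],
  "servers": {
    "upgrade-risk-analyzer": {
      "type": "stdio",
      "command": "upgrade-risk-analyzer",
      "env": {
        "GITHUB_TOKEN": "${input:github-token}",
        "UPGRADE_RISK_ANALYZER_TELEMETRY_OPTOUT": "true",
        "PACKAGE_UPGRADE_RISK_MAX_GITHUB_ISSUES": "100"
      }
    }
  }
}
```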
Sample Output
## Poetry Upgrade Analysis: 1.8.5 → 2.0.0
**Risk Level:** 🔴 HIGH RISK
### Critical Issues
| Issue | Severity | Description |
|-------|----------|-------------|
| `--no-dev` flag removed | ⚠️ CRITICAL | Replace with `--without dev` |
| `poetry export` requires plugin | ⚠️ CRITICAL | Install via `poetry self add poetry-plugin-export` |
| Python 3.8 dropped | 🔶 HIGH | Poetry 2.0.0 requires Python 3.9+ |
### Migration Steps
1. Update Python constraint to `^3.9`
2. Install export plugin: `poetry self add poetry-plugin-export`
3. Replace `--no-dev` with `--without dev`
License
MIT License - See LICENSE for details.
Contributing
Contributions welcome! Please submit a Pull Request.
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
This package has no dependencies.