
Dependency Diff

The dependency diff view compares the two most recent SCA scans for a repository side by side, highlighting what changed in your dependency tree and the security implications of those changes.

Accessing the Diff

Navigate to SCA > Diff and select a repository. CodeStax automatically loads the latest two scans for comparison. The diff is organized into four categories.

Added Dependencies

Packages that appear in the newer scan but not in the previous one. These represent newly introduced dependencies, either added directly to your manifest or pulled in transitively.

Each added dependency shows:

  • Package name and version
  • License
  • Known vulnerabilities (if any exist at the time of the scan)

New dependencies with known critical or high vulnerabilities are flagged with a warning badge.

Removed Dependencies

Packages present in the older scan but absent from the newer one. These are dependencies that were dropped, either by removing them from your manifest or by switching to an alternative.

Removing a dependency that had known vulnerabilities is highlighted as a positive security improvement.

Updated Dependencies

Packages present in both scans but with a different version. The diff displays:

  • Package name
  • Previous version and new version
  • Whether the update is a major, minor, or patch change
  • Vulnerabilities resolved by the upgrade
  • Vulnerabilities introduced by the upgrade (if any)

Version upgrades that resolve vulnerabilities are marked with a green checkmark. Upgrades that introduce new vulnerabilities are flagged with a warning.

Vulnerability Impact Summary

At the top of the diff page, a summary panel shows:

  • Vulnerabilities resolved — CVEs that were present in the old scan and no longer appear.
  • New vulnerabilities — CVEs that appear for the first time in the new scan.
  • Net change — The overall increase or decrease in vulnerability count.

This gives a quick read on whether the dependency changes improved or worsened your security posture.
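To make the four categories and the summary panel concrete, here is an added example, written for this page and not CodeStax's own code. The scan format (package name mapped to version, license, and CVE ids with severities), the package names and the CVE ids are constructed placeholders; the semver classification is the usual major/minor/patch reading of the first three numeric components.

```python
"""Added example: compute a dependency diff between two SCA scans.

Not CodeStax code. The scan structure below is an assumption made for this
example; package names and CVE ids are constructed placeholders.
"""
import json
from typing import Dict, List, Tuple

# Assumed scan format: package name -> (version, license, {cve_id: severity}).
Scan = Dict[str, Tuple[str, str, Dict[str, str]]]

# Constructed sample scans (hypothetical packages, placeholder CVE ids).
OLD_SCAN: Scan = {
    "libalpha": ("1.4.2", "MIT", {"CVE-EXAMPLE-0001": "high"}),
    "libbeta": ("2.0.0", "Apache-2.0", {"CVE-EXAMPLE-0002": "medium"}),
    "libgamma": ("0.9.1", "BSD-3-Clause", {}),
}
NEW_SCAN: Scan = {
    "libalpha": ("1.5.0", "MIT", {}),                                  # minor bump, CVE resolved
    "libgamma": ("1.0.0", "BSD-3-Clause", {"CVE-EXAMPLE-0003": "low"}),  # major bump, CVE introduced
    "libdelta": ("3.2.1", "MIT", {"CVE-EXAMPLE-0004": "critical"}),    # newly added, vulnerable
}

FLAG_SEVERITIES = {"critical", "high"}  # severities that earn a warning badge


def parse_version(version: str) -> Tuple[int, int, int]:
    """Read the leading numeric part of each dotted segment; pad to three parts.

    '1.0.0-rc1' becomes (1, 0, 0); a non-numeric segment counts as 0.
    """
    nums: List[int] = []
    for seg in version.split(".")[:3]:
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def classify_update(old: str, new: str) -> str:
    """Label a version change as major, minor, patch, downgrade, or none."""
    o, n = parse_version(old), parse_version(new)
    if n == o:
        return "none"
    if n < o:
        return "downgrade"
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    return "patch"


def diff_scans(old: Scan, new: Scan) -> dict:
    """Build the added/removed/updated categories plus the impact summary."""
    added, removed, updated = {}, {}, {}
    for name, (ver, lic, cves) in new.items():
        if name not in old:
            added[name] = {
                "version": ver, "license": lic, "vulnerabilities": sorted(cves),
                # Warning badge only for critical/high findings, as the page describes.
                "warning": any(sev in FLAG_SEVERITIES for sev in cves.values()),
            }
    for name, (ver, _lic, cves) in old.items():
        if name not in new:
            removed[name] = {
                "version": ver, "vulnerabilities": sorted(cves),
                "improvement": bool(cves),  # dropping a vulnerable package is a win
            }
    for name in old.keys() & new.keys():
        old_ver, _, old_cves = old[name]
        new_ver, _, new_cves = new[name]
        if old_ver == new_ver:
            continue  # unchanged packages are not part of the diff
        updated[name] = {
            "previous": old_ver, "new": new_ver,
            "change": classify_update(old_ver, new_ver),
            "resolved": sorted(set(old_cves) - set(new_cves)),
            "introduced": sorted(set(new_cves) - set(old_cves)),
        }
    # Summary is computed over the whole scan: a CVE still present in some
    # other package is not "resolved" just because one package dropped it.
    old_all = {c for _, _, cves in old.values() for c in cves}
    new_all = {c for _, _, cves in new.values() for c in cves}
    summary = {
        "resolved": sorted(old_all - new_all),
        "new": sorted(new_all - old_all),
        "net_change": len(new_all) - len(old_all),
    }
    return {"added": added, "removed": removed, "updated": updated, "summary": summary}


def export_json(diff: dict) -> str:
    """Serialize the diff, mirroring the page's JSON export idea."""
    return json.dumps(diff, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(export_json(diff_scans(OLD_SCAN, NEW_SCAN)))
```

In the sample data the net change is 0 even though two CVEs were resolved and two new ones appeared, which is why the resolved and new lists matter more than the net figure when judging an upgrade. The summary is deliberately computed over the whole scan rather than per package, so a CVE that moves from one package to another is neither counted as resolved nor double-counted as new.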

When to Use Diff

  • After dependency upgrades — Verify that an upgrade resolved the intended vulnerabilities without introducing new ones.
  • Before releases — Compare the release branch scan against the previous release to understand what changed.
  • During code review — Reference the diff when reviewing pull requests that modify package.json, requirements.txt, or other manifest files.
  • After automated dependency updates — Validate changes made by tools like Dependabot or Renovate.

Exporting the Diff

Click Export to download the diff as a JSON file. The export includes the full list of added, removed, and updated dependencies along with their vulnerability details. This is useful for attaching to change management tickets or sharing with stakeholders.