How does Dependency Review highlight vulnerable or license-risky dependencies?


Multiple Choice

Explanation:
Dependency Review focuses on the changes introduced by a pull request to dependencies. When a PR adds or updates dependencies, it analyzes those specific changes, checks them against known security advisories and license risks, and surfaces a concise, actionable view in the PR. It flags the relevant dependencies in the PR diff and shows recommended upgrades or policy issues, giving reviewers clear guidance on what to fix before merging. This makes security and license concerns directly visible where decisions are being made.

It’s more precise than just listing all dependencies in the project, and it doesn’t automatically remove vulnerable dependencies from the PR. It also doesn’t limit itself to license compatibility; it explicitly surfaces security and policy-related concerns tied to the updated or added dependencies.
