What You Get
For every patch that suggests a version bump, ZeroPath:
- Locates the call sites in your repository that use the package
- Classifies each one as safe, needs-review, or breaking
- Surfaces the riskiest sites first in the patch view
Reading the Labels
safe
ZeroPath found no evidence the upgrade changes how this call resolves — the symbol is used the same way and its signature is unchanged across versions. Note that behavior-only changes (same signature, different runtime semantics) aren’t detectable from signature inspection and may still be labelled safe.
needs-review
The upgrade might affect this call, but ZeroPath could not confirm one way or the other. Common triggers: the symbol moved between files, the relevant file is large, or the signature is generic enough that direct inspection is inconclusive. Each needs-review label comes with a short reason explaining what couldn’t be confirmed.
breaking
Strong evidence this call is likely to break in the new version — for example, ZeroPath found the symbol removed, or its new signature incompatible with the arguments here. This is a code-compatibility signal, not a security assessment. Surfaced first in the patch view so reviewers can address it up front.
When the evidence is ambiguous, ZeroPath labels the site needs-review, favoring inspection over a missed change.
Supported Package Managers
npm
PyPI
Go modules
Maven Central
crates.io (Cargo)
RubyGems
Packagist / Composer
What to Keep in Mind
Blast radius works by examining the package source between two versions and matching it against your call sites. For most upgrades this is enough to act on directly. A handful of patterns are harder to detect from source inspection — knowing them helps you interpret the report:
- Aliased imports — call-site discovery searches for the package name, so usages reached only through a renamed local binding can be undercounted.
- Dynamic dispatch — runtime reflection (getattr in Python, reflection in Java, interface/reflect-based dispatch in Go), generated exports, or other indirect access patterns are not visible to static call-site detection.
- Behavior-only changes — a function with the same signature in both versions but different runtime semantics (e.g. a stricter input validator, a different default) will not be flagged as breaking from signature inspection alone.
- Re-exports through nested packages — call sites that hit a re-exported symbol may map to a different file in the new version than blast radius examined directly.
- Version mismatch — blast radius analyzes the exact from/to versions in the proposed upgrade. If your environment ultimately installs a different version (version ranges, transitive constraints), the report may not reflect what you actually ship.
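To make the three labels and two of the blind spots above concrete, here is a small signature-based classifier written for this page. It is an added illustration, not ZeroPath's code, and it makes no claim about how ZeroPath's analysis is implemented. The package name `pkg`, the two version sources, and the caller file are all constructed sample inputs. It compares function signatures between the "old" and "new" source, finds `pkg.symbol(...)` call sites with Python's `ast` module, labels each one, and ranks breaking sites first. Note two things the output shows: `normalize` keeps its signature but changes semantics and is labelled safe anyway (the behavior-only blind spot), and the call through the aliased import `ll` is never discovered (the aliased-import undercount).

```python
"""Toy call-site classifier: safe / needs-review / breaking from signature inspection.

Added example for this page; not ZeroPath's implementation. All inputs are constructed.
"""
import ast
from dataclasses import dataclass

PKG = "pkg"  # hypothetical package name used by the sample caller

# Constructed: the package at the "from" version.
OLD_SRC = """\
def parse(text, lenient=True):
    return text
def normalize(value):
    return value.strip()
def legacy_load(path):
    return open(path).read()
def run(*args, **kwargs):
    return args, kwargs
"""

# Constructed: the package at the "to" version. legacy_load is gone, parse renamed a
# parameter, normalize kept its signature but changed behaviour (behavior-only change).
NEW_SRC = """\
def parse(text, strict=False):
    return text
def normalize(value):
    return value.strip().lower()
def run(*args, **kwargs):
    return args, kwargs
"""

# Constructed: a caller in "your repository". Line numbers matter for the report.
CALLER_SRC = """\
import pkg
from pkg import legacy_load as ll
pkg.normalize(" X ")
pkg.parse("hello")
pkg.legacy_load("/tmp/a")
pkg.run(1, 2, 3)
pkg.parse("hello", lenient=False)
ll("/tmp/b")
"""


@dataclass(frozen=True)
class Sig:
    params: tuple   # positional-or-keyword parameter names, in order
    variadic: bool  # True if *args or **kwargs is present


@dataclass(frozen=True)
class CallSite:
    lineno: int
    symbol: str
    nargs: int      # positional arguments passed
    kwargs: tuple   # keyword argument names passed


def extract_signatures(src):
    """Map top-level function name -> Sig for one version of the package source."""
    sigs = {}
    for node in ast.parse(src).body:
        if isinstance(node, ast.FunctionDef):
            a = node.args
            params = tuple(p.arg for p in a.posonlyargs + a.args)
            sigs[node.name] = Sig(params, a.vararg is not None or a.kwarg is not None)
    return sigs


def find_call_sites(src, pkg=PKG):
    """Find calls of the form pkg.symbol(...). Calls via a renamed binding are missed."""
    sites = []
    for node in ast.walk(ast.parse(src)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name) and node.func.value.id == pkg):
            sites.append(CallSite(node.lineno, node.func.attr, len(node.args),
                                  tuple(k.arg for k in node.keywords if k.arg)))
    return sites


RANK = {"breaking": 0, "needs-review": 1, "safe": 2}  # lower sorts first


def classify(site, old_sigs, new_sigs):
    """Return (label, reason) for one call site, defaulting to needs-review when unsure."""
    old, new = old_sigs.get(site.symbol), new_sigs.get(site.symbol)
    if new is None:
        return "breaking", "symbol removed in new version"
    if new.variadic:
        return "needs-review", "variadic signature; direct inspection inconclusive"
    if site.nargs > len(new.params) or any(k not in new.params for k in site.kwargs):
        return "breaking", "arguments at this site do not fit the new signature"
    if old is not None and old.params == new.params:
        return "safe", "same symbol and parameter list across versions"
    return "needs-review", "parameter list changed; could not confirm compatibility"


def blast_radius(old_src, new_src, caller_src):
    """Classify every discovered call site and surface the riskiest first."""
    old_sigs, new_sigs = extract_signatures(old_src), extract_signatures(new_src)
    report = []
    for site in find_call_sites(caller_src):
        label, reason = classify(site, old_sigs, new_sigs)
        report.append((label, site.lineno, site.symbol, reason))
    report.sort(key=lambda r: (RANK[r[0]], r[1]))
    return report


if __name__ == "__main__":
    for label, lineno, symbol, reason in blast_radius(OLD_SRC, NEW_SRC, CALLER_SRC):
        print(f"{label:<12} line {lineno:<3} {PKG}.{symbol:<12} {reason}")
```

Running it lists `legacy_load` (removed) and the `parse` call with `lenient=` (keyword no longer exists) as breaking, the bare `parse` call and the variadic `run` call as needs-review, and `normalize` as safe even though its runtime behaviour changed. The caller's eighth line, `ll("/tmp/b")`, is a real use of the removed symbol that the discovery step never sees, which is exactly why a version-mismatch or aliased-import situation deserves a manual look on top of the report.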
Blast radius is AI-derived analysis. For high-risk upgrades — security-sensitive packages, production-critical paths — combine the blast radius output with your standard review workflow.