When ZeroPath proposes a dependency upgrade, blast radius shows you exactly which call sites in your codebase are affected and how risky each one is — so you can ship the upgrade faster, with confidence.
What You Get
For every patch that suggests a version bump, ZeroPath:
- Locates the call sites in your repository that use the package
- Classifies each one as safe, needs-review, or breaking
- Surfaces the riskiest sites first in the patch view
Reading the Labels
safe
The upgrade leaves this call unchanged. The call site uses the symbol the same way in both versions and the symbol’s behavior at that surface is stable across the upgrade.
needs-review
The upgrade might affect this call, but ZeroPath could not confirm one way or the other. Common triggers: the symbol moved between files, the relevant file is large, or the signature is generic enough that direct inspection is inconclusive. Each needs-review label comes with a short reason explaining what couldn’t be confirmed.
breaking
Direct evidence this call will fail in the new version — for example, the symbol was removed, or its signature in the new version is incompatible with the arguments at this call site. Surfaced first in the patch view so reviewers can address them up front.
When the evidence is ambiguous, the call is labeled needs-review rather than safe — surfacing a call for inspection is cheaper than missing one.
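The three labels above can be reproduced mechanically for Python: bind each call site's argument shape to the new version's signature, treat a removed symbol or a failed bind as direct evidence of breakage, and fall back to needs-review whenever the call cannot be checked statically. The script below is an added example, not ZeroPath's code: the old and new API surfaces are constructed stand-ins (a real tool would load them from the two package versions), `pkg` is a placeholder package name, and the call sites come from a constructed source string that is parsed but never executed.

```python
"""Classify call sites of an upgraded package as safe, needs-review or breaking.

Added example, not ZeroPath's code. OLD_API / NEW_API are constructed stand-ins
for one package's public surface in two versions; SAMPLE_SOURCE is constructed
call-site code that is parsed with the standard ast module, never run.
"""
import ast
import inspect


# --- Constructed stand-ins for the package's public surface in two versions ---
def old_connect(host, port=5432, timeout=None):
    """v1: timeout may be passed positionally."""


def new_connect(host, port=5432, *, timeout=None, tls=True):
    """v2: timeout became keyword-only and a tls flag was added."""


def old_close(conn):
    """Unchanged between versions."""


def new_close(conn):
    """Unchanged between versions."""


def old_legacy_ping(host):
    """v1 only; removed in v2."""


OLD_API = {"connect": old_connect, "close": old_close, "legacy_ping": old_legacy_ping}
NEW_API = {"connect": new_connect, "close": new_close}

# Constructed call sites; `pkg` is a placeholder package name.
SAMPLE_SOURCE = '''
from pkg import connect, close, legacy_ping
conn = connect("db.internal")
conn2 = connect("db.internal", 5432, 30)
conn3 = connect("db.internal", timeout=30)
legacy_ping("db.internal")
connect(*args)
close(conn)
print("done")
'''

RANK = {"breaking": 0, "needs-review": 1, "safe": 2}


def _callee_name(call):
    """Name of the called symbol for `foo(...)` or `pkg.foo(...)`, else None."""
    if isinstance(call.func, ast.Name):
        return call.func.id
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    return None


def classify_call(call, old_api, new_api):
    """Return (label, reason) for one ast.Call, or None if it is not a package call."""
    name = _callee_name(call)
    if name is None or name not in old_api:
        return None
    if name not in new_api:
        return "breaking", f"{name} was removed in the new version"
    if any(isinstance(a, ast.Starred) for a in call.args) or any(k.arg is None for k in call.keywords):
        return "needs-review", "call forwards *args/**kwargs, so arity cannot be checked statically"
    # Bind one placeholder per positional argument plus the literal keyword names
    # against the new signature; a TypeError here is direct evidence of breakage.
    positional = [object()] * len(call.args)
    keywords = {k.arg: object() for k in call.keywords}
    try:
        inspect.signature(new_api[name]).bind(*positional, **keywords)
    except TypeError as exc:
        return "breaking", f"arguments do not fit the new signature: {exc}"
    if inspect.signature(old_api[name]) != inspect.signature(new_api[name]):
        return "needs-review", "the signature changed; this call still binds but semantics were not confirmed"
    return "safe", "same symbol with an identical signature in both versions"


def classify_source(source, old_api, new_api):
    """Classify every package call in `source`; riskiest label first, then by line."""
    results = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            verdict = classify_call(node, old_api, new_api)
            if verdict is not None:
                results.append((node.lineno, _callee_name(node), *verdict))
    return sorted(results, key=lambda r: (RANK[r[2]], r[0]))


if __name__ == "__main__":
    for lineno, name, label, reason in classify_source(SAMPLE_SOURCE, OLD_API, NEW_API):
        print(f"line {lineno:>2}  {name:<12} {label:<13} {reason}")
```

Note the deliberate asymmetry: a call that still binds under a changed signature is not promoted to safe, because binding says nothing about a changed default or stricter validation at that surface, so it lands in needs-review with a reason, exactly the bias the label description above calls for.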
Supported Package Managers
npm
PyPI
Go modules
Maven Central
crates.io (Cargo)
RubyGems
Packagist / Composer
What to Keep in Mind
Blast radius works by examining the package source between two versions and matching it against your call sites. For most upgrades this is enough to act on directly. A handful of patterns are harder to detect from source inspection — knowing them helps you interpret the report:
- Aliased imports — calls under a local alias (`import { foo as bar }` in JS, `from pkg import foo as bar` in Python) may not appear in the call-site list because the search is anchored on the package name.
- Dynamic dispatch — runtime reflection (`getattr` in Python, reflection in Java/Go), generated exports, or other indirect access patterns are not visible to static call-site detection.
- Behavior-only changes — a function with the same signature in both versions but different runtime semantics (e.g. a stricter input validator, a different default) will not be flagged as breaking from signature inspection alone.
- Re-exports through nested packages — call sites that hit a re-exported symbol may map to a different file in the new version than blast radius examined directly.
- Resolver differences — your lockfile may pin a slightly different version than the one blast radius analyzed when package-manager resolution rules differ between environments.
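The first two caveats, aliased imports and dynamic dispatch, are easy to see concretely for Python. The script below is an added example, not ZeroPath's code: it contrasts a package-name-anchored text search with an AST walk that tracks `import pkg as p` and `from pkg import foo as bar` bindings, and it can only flag a `getattr` access for review rather than resolve the eventual call. The package name `pkg`, the module `pkg.sub` and the sample source are all constructed.

```python
"""Find call sites of a package in Python source, resolving import aliases and
flagging dynamic dispatch. Added example, not ZeroPath's code; `pkg` is a
placeholder package name and SAMPLE_SOURCE is constructed, parsed, never run."""
import ast
import re

PACKAGE = "pkg"

SAMPLE_SOURCE = '''
import pkg
import pkg as p
from pkg import foo as bar
from pkg.sub import baz
import otherlib

pkg.foo(1)
p.foo(2)
bar(3)
baz(4)
otherlib.foo(5)
getattr(pkg, "foo")(6)
fn = getattr(p, "f" + "oo")
fn(7)
'''


def naive_text_search(source, package):
    """Line numbers a package-name-anchored grep would report: `package.<name>(`."""
    pattern = re.compile(rf"\b{re.escape(package)}\.\w+\s*\(")
    return sorted(i for i, line in enumerate(source.splitlines(), 1) if pattern.search(line))


class CallSiteFinder(ast.NodeVisitor):
    """Collect (lineno, resolved symbol, kind) for calls that reach `package`."""

    def __init__(self, package):
        self.package = package
        self.module_aliases = {}   # local name -> module path, e.g. "p" -> "pkg"
        self.symbol_aliases = {}   # local name -> dotted symbol, e.g. "bar" -> "pkg.foo"
        self.sites = []

    def _is_pkg(self, module):
        return module == self.package or module.startswith(self.package + ".")

    def visit_Import(self, node):
        for alias in node.names:
            if self._is_pkg(alias.name):
                self.module_aliases[alias.asname or alias.name] = alias.name

    def visit_ImportFrom(self, node):
        if node.module and self._is_pkg(node.module):
            for alias in node.names:
                self.symbol_aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    def visit_Call(self, node):
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id in self.module_aliases):
            # `pkg.foo(...)` or `p.foo(...)` through a module alias
            self.sites.append((node.lineno, f"{self.module_aliases[func.value.id]}.{func.attr}", "static"))
        elif isinstance(func, ast.Name) and func.id in self.symbol_aliases:
            # `bar(...)` bound by `from pkg import foo as bar`
            self.sites.append((node.lineno, self.symbol_aliases[func.id], "static"))
        elif (isinstance(func, ast.Name) and func.id == "getattr" and node.args
                and isinstance(node.args[0], ast.Name) and node.args[0].id in self.module_aliases):
            # Reflection on the package: resolvable only when the attribute name is a literal.
            attr = node.args[1] if len(node.args) > 1 else None
            name = attr.value if isinstance(attr, ast.Constant) and isinstance(attr.value, str) else "<dynamic>"
            self.sites.append((node.lineno, f"{self.module_aliases[node.args[0].id]}.{name}", "dynamic"))
        self.generic_visit(node)


def find_call_sites(source, package):
    """Alias-aware call sites, sorted by line. The call through `fn` on the last
    line is invisible even here: only the getattr that produced it is flagged."""
    finder = CallSiteFinder(package)
    finder.visit(ast.parse(source))
    return sorted(finder.sites)


if __name__ == "__main__":
    print("grep sees lines:", naive_text_search(SAMPLE_SOURCE, PACKAGE))
    for lineno, symbol, kind in find_call_sites(SAMPLE_SOURCE, PACKAGE):
        print(f"line {lineno:>2}  {symbol:<14} {kind}")
```

The text search reports a single line; the AST walk recovers the aliased calls and the `from pkg.sub` re-export, and marks the two `getattr` sites as dynamic so they can be routed to needs-review. The indirect call `fn(7)` is still missed, which is the limit the caveat describes.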
Blast radius is AI-derived analysis. For high-risk upgrades — security-sensitive packages, production-critical paths — combine the blast radius output with your standard review workflow.