Diffuse

Diffuse is a static risk analysis tool for code changes. It scores changes across multiple dimensions and generates clear, actionable reports to assist reviewers and reduce regression risk.

Why Build Diffuse?

Existing tools don't do a good job of flagging risky changes that a linter won't catch. There's a huge lack of visibility into logic reuse, especially across an organization, but even between different parts of the same application's repos or monorepo.

I built this tool to mitigate scenarios like:

  • Small change comes through. Looks logical and passes both lint and QA, but breaks something somewhere else and nobody notices until a user report comes in.

  • Devs go through and tweak logic for their own use without realizing that 5 other teams are using that logic, and now it's broken for 4 of them and everyone is submitting competing PRs. Or else another team band-aids the component so that it works for both cases, and a few years from now there's a garbled frankencomponent that's been extended and re-extended into a shambling mess.

  • AI changes a ton of stuff in a single PR and it's hard to tell what's going on, but deadlines are tight and it looks pretty reasonable, so someone merges it.

...And so on.

How it works

Diffuse scores changes across multiple dimensions:

Type safety: Changes to return types, props, or exports. It might work for this case, but it's fairly likely to break something somewhere else, outside the current scope, if not carefully vetted.

Graph-based impact: Widespread or critical usage across the codebase. If 47 files import a symbol, best tread very carefully when merging changes.

Large change: Symbol has been meaningfully changed (over 20% of lines changed).

Missing test updates: Symbol has been meaningfully changed, but tests haven't been updated. Not a breaking change in and of itself, but should be flagged. (Suppress with the --no-tests flag.)

These factors are aggregated and assigned weighted points, then a final score is calculated, and everything is displayed in the terminal or a PR comment.
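As an added illustration (not Diffuse's own code), here is the aggregation step above written as a small TypeScript scorer: each of the four dimensions becomes a finding with weighted points, the 20% threshold gates the large-change and missing-test flags, --no-tests maps to a skipTests option, and the result is rendered as a markdown PR comment. The weights, messages and the ChangedSymbol input shape are assumptions; in the real tool the inputs come from ts-morph analysis and the weights are user-configurable.

```typescript
// Added example, not Diffuse's own code: a simplified scorer for the four
// dimensions above. Weights, thresholds and messages are assumptions.
interface ChangedSymbol {
  name: string;
  returnTypeChanged: boolean; // type-safety signals
  propsChanged: boolean;
  exportChanged: boolean;
  importerCount: number;      // graph-based impact: files importing the symbol
  linesBefore: number;        // size of the symbol before the change
  linesChanged: number;       // lines touched inside the symbol
  testsUpdated: boolean;      // did any test file referencing it change too?
}
interface Finding { dimension: string; points: number; message: string }

// Assumed weights; Diffuse's real weights and messages are configurable.
const WEIGHTS = { typeSafety: 30, perImporter: 1, impactCap: 40, largeChange: 20, missingTests: 10 };
const LARGE_CHANGE_PCT = 20; // "over 20% of lines changed"

function scoreSymbol(s: ChangedSymbol, opts: { skipTests?: boolean } = {}) {
  const findings: Finding[] = [];
  if (s.returnTypeChanged || s.propsChanged || s.exportChanged) {
    findings.push({ dimension: "type-safety", points: WEIGHTS.typeSafety,
      message: `${s.name}: return type, props or exports changed; callers outside this diff may break` });
  }
  if (s.importerCount > 0) {
    // Points grow with importer count but are capped so one dimension cannot dominate.
    const points = Math.min(s.importerCount * WEIGHTS.perImporter, WEIGHTS.impactCap);
    findings.push({ dimension: "impact", points, message: `${s.name}: imported by ${s.importerCount} files` });
  }
  // A brand-new symbol (no lines before) counts as fully changed.
  const changedPct = s.linesBefore === 0 ? 100 : (s.linesChanged / s.linesBefore) * 100;
  const isLarge = changedPct > LARGE_CHANGE_PCT;
  if (isLarge) {
    findings.push({ dimension: "large-change", points: WEIGHTS.largeChange,
      message: `${s.name}: ${changedPct.toFixed(0)}% of its lines changed` });
  }
  // Missing tests is only flagged for meaningful changes, and --no-tests suppresses it.
  if (isLarge && !s.testsUpdated && !opts.skipTests) {
    findings.push({ dimension: "missing-tests", points: WEIGHTS.missingTests,
      message: `${s.name}: meaningfully changed but no test files were updated` });
  }
  const score = Math.min(100, findings.reduce((sum, f) => sum + f.points, 0));
  return { score, findings };
}

// Renders the findings as a PR-comment style markdown block.
function toMarkdown(r: ReturnType<typeof scoreSymbol>): string {
  const lines = r.findings.map(f => `- [${f.dimension}] ${f.message} (+${f.points})`);
  return [`**Risk score: ${r.score}/100**`, ...lines].join("\n");
}
```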

Diffuse features:

  • Abstract syntax tree analysis
  • Configurable score weights and messages
  • Customizable output (verbose, skip tests, etc.)
  • Single repository analysis
  • TypeScript support
  • Usage graph analysis within the repository
  • Test coverage detection
  • Multiple output formats (terminal, markdown)
  • GitHub Actions integration

It was built with:

  • ts-morph
  • Node.js
  • GitHub API / GitHub Actions

I would love to add:

  • Full vanilla JavaScript support
  • Multi-language support
  • Subtree spread scoring (temporarily disabled until project structure conventions are better defined)
  • Optional PR blocking for scores over a configurable threshold x
  • Cross-repo analysis with GitHub App integration
  • "Hot file" detection based on PR frequency
  • Historical data analysis and trend tracking
  • Advanced analytics dashboard
  • Slack integration for notifications
  • Project-aware risk configurations (Next has unique risks compared to Vite, and so on)
  • Caching and large-repo optimizations

Cross-repo analysis in particular would really help this project, but it requires infrastructure and may need to be reserved for an eventual pro tier. Also hot file analysis, flagging when a file has been involved in a bunch of recent PRs, and possibly trend graphs if that's not overkill/info exhaustion.

...But I think this project is likely to be just another piece of noise on a PR, especially as I'm seeing the rise of automated comments on PRs. I'm not exactly sure how to solve this problem, in all honesty, but I'm considering drilling down on the core features of this tool and spinning out a more focused, less noisy report.