Digests & notifications
How the email digest works, how to schedule it, and what counts as worth notifying about.
A digest is the periodic email summary of activity across your tracked sources. It rolls up new releases and high-risk available upgrades since the last digest, filtered by your notification threshold.
Configuring the digest #
From Settings → Digests:
- Frequency. Disabled, daily, weekly, or real-time. Daily is included on the free tier; weekly and real-time are on paid plans.
- Send days. For the daily and real-time cadences you can restrict delivery to specific weekdays — for example, weekdays only, to keep weekends quiet. Activity on the days you switch off is not dropped: pending updates accumulate and roll into your next email on an enabled day, so a Monday send covers everything from the weekend. Weekly digests already target a single day you pick, so they ignore this setting.
- Time of day. Pick a delivery time in your local timezone; we store the timezone you select so DST shifts don't move your delivery slot unexpectedly. (The timezone also defines when a "day" starts for the send-days setting.)
- Threshold. The minimum risk score that earns a place in the email. Default is 70 (High band).
Disabling the digest entirely is fine; the pulse feed is the source of truth for activity, and the email is just a convenient summary.
What's in a typical digest #
The email is organized so the things that need a decision rise to the top and the routine noise stays out of the way. Each section below (after the overview and highlights) appears under its own headline in the email:
- Overview: a tight two-to-three-sentence summary that leads with the single most critical item, security advisories first. It's the at-a-glance read before you scroll.
- Key Highlights: a short, deduplicated list of the most important items, one line per source. When the digest carries both releases and standalone advisories, the panel splits into two labeled sub-sections — Priority Releases first (what most updates are about), then Security Advisories below — so release highlights aren't pushed out of view by advisories. Within the releases sub-section, items are ordered by severity (security updates, then breaking changes, then lower-risk signals) so every breaking change is grouped together near the top rather than scattered through the list.
- Priority Releases: full cards for anything notable: security updates, breaking changes, or a Medium-or-higher risk score. When a single source ships several notable releases in the same window, they're grouped under one card (the source is named once) instead of repeating the header for each release.
- Security Advisories: advisories affecting packages you depend on that have no fix release yet, most severe first. They follow the release cards — mirroring the Key Highlights order, where Priority Releases lead — but still sit above the routine list, so a critical, unfixed advisory that needs action now is never buried at the end of the email.
- Routine Updates: low-risk releases (dependency bumps, patch releases) are condensed to one line per source (the source name, a count, and a few version numbers) rather than a full card each. They're still in the email, just compact.
- Quick-actions: deep links into the relevant source detail, plus a "view all on your dashboard" link if the digest is long enough to be capped.
A release flagged with breaking changes is always treated as a priority release: it never lands in the condensed routine list and is never shown as "Low risk" (see risk scoring).
Keeping large digests readable #
If you track hundreds or thousands of sources, a digest that listed every release in full would be unusable. Two mechanisms keep it scannable regardless of account size:
- Routine low-risk updates are rolled up to a single line per source.
- The email caps how many full cards and routine lines it renders; anything beyond the cap is summarized in a single "+ N more updates across M sources, view all on your dashboard" line so nothing is silently dropped.
Anti-spam mechanics #
- We coalesce duplicate releases (same source, retag, same version) into a single line, and condense low-risk routine updates to one line per source.
- If nothing crossed your threshold during the digest window, no email is sent. Quiet inboxes when nothing's happening.
- Back-catalog isn't emailed as if it were new. When a source is first ingested — or when a parser that had been quiet catches up and imports a run of older releases at once — those already-dated releases don't flood your daily email. A release we only get to more than about a week after it was published is treated as history, not an update, so it's shown on your pulse feed (the source of truth for activity) without leading your inbox. Genuinely new releases — the normal case, where we pick up a release within a day of it landing — email as usual.
- Unsubscribes are honored at the SES level immediately; you can also toggle the digest off from settings.
Per-source overrides #
Currently digests are configured at the account level; there's no per-source threshold. If a single source is generating noise, the better lever is to deactivate it (sources don't poll once deactivated, and re-activating preserves the history).
News & discussions (Pulse only) #
The Pulse News & discussions section surfaces highly-engaged open GitHub issues on your tracked repos. These rows are not included in email digests today: issues are noisier than releases or advisories, and we'd rather you check them when you're already in the dashboard than send a longer email. Releases and advisories continue to drive the digest.