Skip to content

dependency-graph

Subscribe to all “dependency-graph” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Code security configurations let organizations easily roll out GitHub security products at scale

Code security configurations simplify the rollout of GitHub security products at scale by defining collections of security settings that can be applied to groups of repositories. Your organization can apply the ‘GitHub recommended’ security configuration, which applies GitHub’s suggested settings for Dependabot, secret scanning, and code scanning. Alternatively, you can instead create your own custom security configurations. For example, an organization could create a ‘High risk’ security configuration for production repositories, and a ‘Minimum protection’ security configuration for internal repositories. This lets you manage security settings based on different risk profiles and security needs. Your organization can also set a default security configuration which is automatically applied to new repositories, avoiding any gaps in your coverage.

With security configurations, you can also see the additional number of GitHub Advanced Security (GHAS) licenses that are required to apply a configuration, or made available by disabling GHAS features on selected repositories. This lets you understand license usage when you roll out GitHub’s code security features in your organization.

Security configurations are now available in public beta on GitHub.com, and will be available in GitHub Enterprise Server 3.14. You can learn more about security configurations or send us your feedback.

See more

OpenSSF Scorecard info is now available in the Dependency Review Action

Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. We have updated the dependency review action to include information from the OpenSSF Scorecard project into the review, helping you better understand the security posture of the dependencies that you’re using.

See more

Gradle starter workflows now automatically submit transitive dependencies

If you’re using starter workflows to prepare the build and release steps for your Java projects that use Gradle, these projects will now have more comprehensive dependency graph information in GitHub. The Gradle starter workflows have been updated to automatically submit transitive dependencies to GitHub, improving the quality of dependency graph data and Dependabot updates for these apps.

Learn more about the action these starter workflows use by checking out the Build with Gradle action on the GitHub Marketplace. Thank you Gradle for making these updates!

Join the discussion within GitHub Community.

See more

Dependency review support for dependency submission results

Dependency review now works with your dependencies from the dependency submission API. Dependency review enforces policies around vulnerabilities and acceptable licenses in the pull request. Previously, dependency review could not be used with another feature of the dependency graph called the dependency submission API. The dependency submission API helps developers get a more accurate set of transitive dependencies, particularly for complex ecosystems like Gradle or Scala which require a build to resolve all transitive dependencies.

To take advantage of this improvement, update to the latest version of the dependency review action, or follow the instructions in our documentation.

For more information, see our documentation about dependency review, the dependency submission API, and some best practices for using dependency review and the dependency submission API together.

See more

pnpm Support for Dependency Graph, Dependabot Alerts, and Dependabot Security Updates

pnpm is now fully supported by dependency graph, Dependabot alerts, and Dependabot security updates! If you manage your Node.js dependencies with the pnpm package manager, you can now receive and fix alerts about security vulnerabilities in those dependencies. To use this, enable Dependabot Security Updates from the repository settings page on the code security and analysis tab.

To read more about how to use Dependabot and dependency graph, you can read our documentation here

See more

New license information for 17.5 million packages

We have added over 17.5 million new package licenses to our database, expanding the license coverage for packages that appear in dependency graph, dependency insights, dependency review, and a repository's software bill of materials (SBOM). Package licenses dictate how a package can be used, making them an essential aspect of compliance when working with open source software.

These licenses are sourced from ClearlyDefined, a curated data store for open source licenses.

See more

Dependency Graph, Dependabot Alerts, and Advisory Database now support Swift advisories

Starting today, you will now receive Dependabot alerts for vulnerabilities associated with your Swift dependencies.

The GitHub Advisory Database now includes curated Swift advisories. This brings the Advisory Database to twelve supported ecosystems, including: Composer (PHP), Erlang, GitHub Actions, Go, Maven, npm, NuGet, pip, Pub, RubyGems and Rust.

The dependency graph now supports detecting Package.resolved files. Swift dependencies from these files will be displayed within the dependency graph section in the Insights tab.

Dependabot security updates support will be added at a later date.

See more

Updates to the repository dependency graph view

The dependency graph shows a summary of the manifest and lock files stored in a repository. The repository view has an updated user experience that includes:

  • Search by package name from a paginated list of all dependencies
  • Dependency licenses
  • Dependabot alerts for dependencies, sorted by severity, and linking to the Dependabot alerts and the Dependabot updates pull request where applicable (only visible for users with priveleges to view the repository's Dependabot alerts)

Screenshot of dependency graph UX, using the high contrast theme

Access a repository's dependency graph from Insights > Dependency graph.

See more

Generate an SBOM from the dependency graph

A software bill of materials (SBOM) is a standardized inventory of a software project's dependencies and associated metadata (versions, licenses, etc). You can now export your repository's dependency graph as an SBOM adhering to the SPDX 2.3 specification.

Click "Export SBOM" on a repository's dependency graph to generate an SBOM representing the head of the main branch. The resulting JSON file will download in your browser. Exporting an SBOM is free for all cloud repositories on GitHub, and can be performed by anyone with read access to a repository.

A supporting REST API to generate SBOMs for repositories will be available in the coming weeks.

Screenshot of a repository's dependency graph with SBOM export button in the top right corner

See more

Dependency graph removes go.sum support

Dependency graph no longer ingests go.sum files for Go repositories, and Dependabot no longer alerts on vulnerabilities for dependencies found in go.sum files. Dependencies previously ingested from go.sum files have been removed from the dependency graph for all repositories on github.com.

go.sum files are not lock files but a log of all packages downloaded by Go when building a project. They may include multiple versions of a dependency, which may result in false positive Dependabot alerts for a vulnerable version that isn't actually used in the project.

Dependency graph continues to support go.mod files, the recommended format for Go projects. Use Go 1.17 or higher to ensure your go.mod file is a comprehensive view of all direct and transitive dependencies.

Learn more about the dependency graph

See more

Dependency submission suggestions on Gradle, Maven, Scala and Mill repositories

Dependency graph automatically supports many ecosystems, but some additional ecosystems require configuration to submit dependencies with the dependency submission API. The community maintains several GitHub Actions that make this easier.

Users with write access to Gradle, Maven, Scala, and Mill repositories now see messaging on their dependency graph that directs them to an action that will scan and submit dependencies for their ecosystem. Users with access to Dependabot alerts will also see messaging on their repository's Dependabot alerts tab.

img

Prompts will display if a repository includes any of the following files: pom.xml, build.gradle, build.gradle.kts, build.sbt, or build.sc.

The dependency graph team is working to have native support for these types of ecosystems with more news to come later this year.

See more

Dependency review API is generally available with updates to dependency review enforcement

The dependency review API is now generally available.

The Dependency Review GitHub Action now allows you to reference a local or external configuration file. There are also new configuration options:

  • fail-on-scopes: contains a list of strings representing the build environments you want to support (development, runtime, unknown). The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list
  • allow-ghsas: contains a list of GitHub Security Advisory IDs that can be skipped during detection
  • license-check and vulnerability-check: a boolean option that allows you disable either one of the checks

Learn more about the dependency graph and dependency review

See more

GitHub’s supply chain features now support Dart

Dart developers will now receive Dependabot alerts for known vulnerabilities on their pubspec dependencies.

The dependency graph supports detecting pubspec.lock and pubspec.yaml files. Dependencies from these files will be displayed within the dependency graph section in the Insights tab.

The Advisory Database includes curated security advisories for vulnerabilities on pubspec packages.

Learn more about:

See more

Dependency graph has a REST API for submitting dependencies detected at build time

Dependency graph now supports submissions through the dependency submission API (beta). This enables you to add dependencies, such as those resolved when software is compiled or built, to the dependency graph. Submitted dependencies will appear in a repository’s dependency graph and any associated vulnerabilities will trigger Dependabot alerts.

Releasing alongside the dependency submission API are the:

Learn more about the dependency submission API.

See more

Configure dependency review for vulnerability severity and license type

The Dependency Review GitHub Action, which checks if pull requests introduce a dependency with a known vulnerability, now supports configuration based on vulnerability severity and license type.

The following configuration options are available:

  • fail-on-severity: the action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher
  • allow-licenses: the action will fail on pull requests that introduce dependencies with licenses that do not match the list
  • deny-licenses: the action will fail on pull requests that introduce dependencies with licenses that match the list

The action is available for all public repositories, as well as private repositories that have Github Advanced Security licensed.

Learn more about dependency review enforcement.
Learn more about configuring the Dependency Review GitHub Action.

See more
View more changes