dependency-graph

Subscribe to all “dependency-graph” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Dependency graph deduplication is now generally available

GitHub’s dependency graph builds a tree of information about the packages your repository’s code depends on. This capability powers SBOM generation, Dependabot security updates, and more.

There are three ways dependency graph learns about dependencies: static analysis, automatic submission, and user submission. Since a repository may have more than one of these methods configured, dependency graph could scan the same package manifest multiple times, with each scan producing different output.

In order to reduce confusion and prioritize accurate information, dependency graph now has deduplication logic with well-defined precedence rules:

  • Dependency graph only displays one instance of each manifest file.
  • User submissions take the highest priority, because they are usually created during artifact builds and have the most complete information. If there are multiple manual snapshots from different detectors, dependency graph sorts alphabetically by correlator (a unique identifier used to match related data) and keep the first one.
  • Automatic submissions have the next-highest precedence since they are also based on builds but aren’t submitted by users.
  • Static analysis takes the lowest precedence.

For more information, check out the dependency graph documentation.

See more

Transitive dependencies are now available for Maven

Following the ship of transitive labeling for npm packages, the same capabilities are now available for Maven packages:

  • Dependabot alerts now contain a direct label if they are associated with a package you’ve directly included. In addition, there’s now a relationship:direct filter in the search bar to only show those alerts caused by your direct dependencies.
  • The direct dependency that led to a package’s inclusion in your dependency graph is visible both in the text of any new Dependabot alerts and the dependency insights page (click the button, then Show options to view it).
  • A repository’s SBOM will contain a relationships section that uses the SPDX relationshipType: DEPENDS_ON field to express the tree of package dependencies. Similarly, the GraphQL API will now return a relationship field with direct, transitive, or unknown values in the DependencyGraphDependency object.

Ability to refresh Dependabot alerts from the list view

In addition to the Maven-specific additions, the Alert Settings menu on Dependabot alert tables now provides a Refresh Dependabot alerts option which will rescan your repository’s manifest files, rebuild its dependency graph, and refresh its open Dependabot alerts.

New 'Refresh Dependabot alerts' option in the Alert Settings menu on the Dependabot alerts page.

Getting started

To get transitive dependency labeling on your repositories, make sure dependency graph is enabled, and either enable Automatic dependency submission on the same settings page or use a dependency submission action. As a beneficial side-effect of this change, other package ecosystems with actions that create transitive dependency trees – such as go – will also now receive transitive and direct labels.

To see the Dependabot labels, you’ll also need to enable Dependabot alerts.

Join the discussion within GitHub Community.

See more

OpenSSF Scorecard info is now available in the Dependency Review Action

Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. We have updated the dependency review action to include information from the OpenSSF Scorecard project into the review, helping you better understand the security posture of the dependencies that you’re using.

See more

Gradle starter workflows now automatically submit transitive dependencies

If you’re using starter workflows to prepare the build and release steps for your Java projects that use Gradle, these projects will now have more comprehensive dependency graph information in GitHub. The Gradle starter workflows have been updated to automatically submit transitive dependencies to GitHub, improving the quality of dependency graph data and Dependabot updates for these apps.

Learn more about the action these starter workflows use by checking out the Build with Gradle action on the GitHub Marketplace. Thank you Gradle for making these updates!

Join the discussion within GitHub Community.

See more

Dependency review support for dependency submission results

Dependency review now works with your dependencies from the dependency submission API. Dependency review enforces policies around vulnerabilities and acceptable licenses in the pull request. Previously, dependency review could not be used with another feature of the dependency graph called the dependency submission API. The dependency submission API helps developers get a more accurate set of transitive dependencies, particularly for complex ecosystems like Gradle or Scala which require a build to resolve all transitive dependencies.

To take advantage of this improvement, update to the latest version of the dependency review action, or follow the instructions in our documentation.

For more information, see our documentation about dependency review, the dependency submission API, and some best practices for using dependency review and the dependency submission API together.

See more

pnpm Support for Dependency Graph, Dependabot Alerts, and Dependabot Security Updates

pnpm is now fully supported by dependency graph, Dependabot alerts, and Dependabot security updates! If you manage your Node.js dependencies with the pnpm package manager, you can now receive and fix alerts about security vulnerabilities in those dependencies. To use this, enable Dependabot Security Updates from the repository settings page on the code security and analysis tab.

To read more about how to use Dependabot and dependency graph, you can read our documentation here

See more

New license information for 17.5 million packages

We have added over 17.5 million new package licenses to our database, expanding the license coverage for packages that appear in dependency graph, dependency insights, dependency review, and a repository's software bill of materials (SBOM). Package licenses dictate how a package can be used, making them an essential aspect of compliance when working with open source software.

These licenses are sourced from ClearlyDefined, a curated data store for open source licenses.

See more

Dependency Graph, Dependabot Alerts, and Advisory Database now support Swift advisories

Starting today, you will now receive Dependabot alerts for vulnerabilities associated with your Swift dependencies.

The GitHub Advisory Database now includes curated Swift advisories. This brings the Advisory Database to twelve supported ecosystems, including: Composer (PHP), Erlang, GitHub Actions, Go, Maven, npm, NuGet, pip, Pub, RubyGems and Rust.

The dependency graph now supports detecting Package.resolved files. Swift dependencies from these files will be displayed within the dependency graph section in the Insights tab.

Dependabot security updates support will be added at a later date.

See more

Updates to the repository dependency graph view

The dependency graph shows a summary of the manifest and lock files stored in a repository. The repository view has an updated user experience that includes:

  • Search by package name from a paginated list of all dependencies
  • Dependency licenses
  • Dependabot alerts for dependencies, sorted by severity, and linking to the Dependabot alerts and the Dependabot updates pull request where applicable (only visible for users with priveleges to view the repository's Dependabot alerts)

Screenshot of dependency graph UX, using the high contrast theme

Access a repository's dependency graph from Insights > Dependency graph.

See more

Generate an SBOM from the dependency graph

A software bill of materials (SBOM) is a standardized inventory of a software project's dependencies and associated metadata (versions, licenses, etc). You can now export your repository's dependency graph as an SBOM adhering to the SPDX 2.3 specification.

Click "Export SBOM" on a repository's dependency graph to generate an SBOM representing the head of the main branch. The resulting JSON file will download in your browser. Exporting an SBOM is free for all cloud repositories on GitHub, and can be performed by anyone with read access to a repository.

A supporting REST API to generate SBOMs for repositories will be available in the coming weeks.

Screenshot of a repository's dependency graph with SBOM export button in the top right corner

See more

Dependency graph removes go.sum support

Dependency graph no longer ingests go.sum files for Go repositories, and Dependabot no longer alerts on vulnerabilities for dependencies found in go.sum files. Dependencies previously ingested from go.sum files have been removed from the dependency graph for all repositories on github.com.

go.sum files are not lock files but a log of all packages downloaded by Go when building a project. They may include multiple versions of a dependency, which may result in false positive Dependabot alerts for a vulnerable version that isn't actually used in the project.

Dependency graph continues to support go.mod files, the recommended format for Go projects. Use Go 1.17 or higher to ensure your go.mod file is a comprehensive view of all direct and transitive dependencies.

Learn more about the dependency graph

See more
View more changes