The dependency graph powers many important experiences in GitHub, including security alerts, the “used by” counter, dependency insights, and automatic security fixes. We’re also seeing PHP and Composer grow in popularity—PHP is the fourth most popular language on GitHub and Composer is the fourth most starred PHP project. We’ve taken note, and the dependency graph is now rolling out for all PHP repositories with Composer dependencies. In addition to Composer, GitHub supports package managers for other programming languages, including Maven, NPM, Yarn, and Nuget.
You may see security alerts on your repositories as dependency graph support rolls out. When there’s a published vulnerability on any of the Composer dependencies that your project lists in
composer.lock files, GitHub will send you an alert including email or web notifications, depending on your preferences.
If your repository is public, you’ll start receiving these alerts automatically—no need to change anything. If your repository is private or if you disabled the dependency graph on your repository, enable the dependency graph to start receiving alerts.
Organizations with multiple private repositories can also enable the dependency graph across their repositories using a script enabling security alerts and automated security fixes.
What if you don’t want to receive alerts on those old PHP projects you wrote years ago? Archive them! Archived repositories send a signal to the rest of the community that they aren’t maintained and don’t receive security alerts.
If you’ve opted in to the automatic security fixes beta, you’ll receive pull requests for your vulnerable PHP dependencies when you receive security alerts. Learn more about automatic security fixes.
Organizations using GitHub Enterprise can also start leveraging dependency insights to view information about PHP dependencies. Dependency insights offers a summary of the dependency graph information across all repositories in an organization or across organizations. This makes it easy to identify where you may be using vulnerable dependencies, while providing information about a dependency’s license.