Subscribe to all “dependency-graph” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

The dependency graph shows a summary of the manifest and lock files stored in a repository. The repository view has an updated user experience that includes:

  • Search by package name from a paginated list of all dependencies
  • Dependency licenses
  • Dependabot alerts for dependencies, sorted by severity, and linking to the Dependabot alerts and the Dependabot updates pull request where applicable (only visible for users with priveleges to view the repository's Dependabot alerts)

Screenshot of dependency graph UX, using the high contrast theme

Access a repository's dependency graph from Insights > Dependency graph.

See more

A software bill of materials (SBOM) is a standardized inventory of a software project's dependencies and associated metadata (versions, licenses, etc). You can now export your repository's dependency graph as an SBOM adhering to the SPDX 2.3 specification.

Click "Export SBOM" on a repository's dependency graph to generate an SBOM representing the head of the main branch. The resulting JSON file will download in your browser. Exporting an SBOM is free for all cloud repositories on GitHub, and can be performed by anyone with read access to a repository.

A supporting REST API to generate SBOMs for repositories will be available in the coming weeks.

Screenshot of a repository's dependency graph with SBOM export button in the top right corner

See more

Dependency graph no longer ingests go.sum files for Go repositories, and Dependabot no longer alerts on vulnerabilities for dependencies found in go.sum files. Dependencies previously ingested from go.sum files have been removed from the dependency graph for all repositories on

go.sum files are not lock files but a log of all packages downloaded by Go when building a project. They may include multiple versions of a dependency, which may result in false positive Dependabot alerts for a vulnerable version that isn't actually used in the project.

Dependency graph continues to support go.mod files, the recommended format for Go projects. Use Go 1.17 or higher to ensure your go.mod file is a comprehensive view of all direct and transitive dependencies.

Learn more about the dependency graph

See more

Dependency graph automatically supports many ecosystems, but some additional ecosystems require configuration to submit dependencies with the dependency submission API. The community maintains several GitHub Actions that make this easier.

Users with write access to Gradle, Maven, Scala, and Mill repositories now see messaging on their dependency graph that directs them to an action that will scan and submit dependencies for their ecosystem. Users with access to Dependabot alerts will also see messaging on their repository's Dependabot alerts tab.


Prompts will display if a repository includes any of the following files: pom.xml, build.gradle, build.gradle.kts, build.sbt, or

The dependency graph team is working to have native support for these types of ecosystems with more news to come later this year.

See more

The dependency review API is now generally available.

The Dependency Review GitHub Action now allows you to reference a local or external configuration file. There are also new configuration options:

  • fail-on-scopes: contains a list of strings representing the build environments you want to support (development, runtime, unknown). The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list
  • allow-ghsas: contains a list of GitHub Security Advisory IDs that can be skipped during detection
  • license-check and vulnerability-check: a boolean option that allows you disable either one of the checks

Learn more about the dependency graph and dependency review

See more

Dart developers will now receive Dependabot alerts for known vulnerabilities on their pubspec dependencies.

The dependency graph supports detecting pubspec.lock and pubspec.yaml files. Dependencies from these files will be displayed within the dependency graph section in the Insights tab.

The Advisory Database includes curated security advisories for vulnerabilities on pubspec packages.

Learn more about:

See more

Dependency graph now supports submissions through the dependency submission API (beta). This enables you to add dependencies, such as those resolved when software is compiled or built, to the dependency graph. Submitted dependencies will appear in a repository’s dependency graph and any associated vulnerabilities will trigger Dependabot alerts.

Releasing alongside the dependency submission API are the:

Learn more about the dependency submission API.

See more

The Dependency Review GitHub Action, which checks if pull requests introduce a dependency with a known vulnerability, now supports configuration based on vulnerability severity and license type.

The following configuration options are available:

  • fail-on-severity: the action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher
  • allow-licenses: the action will fail on pull requests that introduce dependencies with licenses that do not match the list
  • deny-licenses: the action will fail on pull requests that introduce dependencies with licenses that match the list

The action is available for all public repositories, as well as private repositories that have Github Advanced Security licensed.

Learn more about dependency review enforcement.
Learn more about configuring the Dependency Review GitHub Action.

See more

The dependency graph now supports detecting Rust (Cargo.{toml,lock}) files. These will be displayed within the dependency graph section in the Insights tab. Users will receive Dependabot alerts and updates for vulnerabilities associated with their Rust dependencies. Package metadata, including mapping packages to repositories, will be added at a later date.

Learn more about the dependency graph.

See more

A new GitHub Action enforces dependency reviews on PRs by scanning for dependencies and warning you about any associated security vulnerabilities. This is supported by a new API endpoint that diffs the dependencies between any two revisions.

The dependency review action is available for use in public repositories. The action is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.

Learn more about dependency review enforcement.

See more

Dependency graph now supports detecting Python dependencies in repositories that use the Poetry package manager. Dependencies will be detected from both pyproject.toml
and poetry.lock manifest files. We will detect dependencies from existing manifest files over the next few weeks, or sooner if the manifest file is updated.

Learn more about dependency dependency graph

See more

Dependency review is now generally available for all public repositories and for private repositories with GitHub Advanced Security enabled. Dependency review helps you understand dependency changes and the security impact of these changes when reviewing pull requests. It provides an easily understandable visualization of dependency changes with a rich diff on the "Files Changed" tab of a pull request and shows:

  • Which dependencies were added, removed, or updated, along with the release dates.
  • How many projects use these dependencies.
  • Vulnerabilities being introduced by the added or updated dependencies.

Open Dependency Review For Package Manifest

Learn more about dependency review
Learn more about GitHub Advanced Security

See more

Dependency review, in beta, helps you review dependency changes in your pull requests. But how do you find your package manifests amongst all the other files? Now you can filter the files in pull requests to see just the package manifests:

Screenshot of pull request manifest filter

What if you don’t have a pull request at all? Now you can review dependency changes between any two commits, such as:

  • During the creation of a pull request,
  • When comparing two branches, tags, or specific commits, and
  • When viewing the history of a package manifest.

GIF of dependency review on commit diff

Learn more about reviewing dependency changes in pull requests.

See more