Subscribe to all “dependency-graph” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

The dependency review API is now generally available.

The Dependency Review GitHub Action now allows you to reference a local or external configuration file. There are also new configuration options:

  • fail-on-scopes: contains a list of strings representing the build environments you want to support (development, runtime, unknown). The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list
  • allow-ghsas: contains a list of GitHub Security Advisory IDs that can be skipped during detection
  • license-check and vulnerability-check: a boolean option that allows you disable either one of the checks

Learn more about the dependency graph and dependency review

See more

Dart developers will now receive Dependabot alerts for known vulnerabilities on their pubspec dependencies.

The dependency graph supports detecting pubspec.lock and pubspec.yaml files. Dependencies from these files will be displayed within the dependency graph section in the Insights tab.

The Advisory Database includes curated security advisories for vulnerabilities on pubspec packages.

Learn more about:

See more

Dependency graph now supports submissions through the dependency submission API (beta). This enables you to add dependencies, such as those resolved when software is compiled or built, to the dependency graph. Submitted dependencies will appear in a repository’s dependency graph and any associated vulnerabilities will trigger Dependabot alerts.

Releasing alongside the dependency submission API are the:

Learn more about the dependency submission API.

See more

The Dependency Review GitHub Action, which checks if pull requests introduce a dependency with a known vulnerability, now supports configuration based on vulnerability severity and license type.

The following configuration options are available:

  • fail-on-severity: the action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher
  • allow-licenses: the action will fail on pull requests that introduce dependencies with licenses that do not match the list
  • deny-licenses: the action will fail on pull requests that introduce dependencies with licenses that match the list

The action is available for all public repositories, as well as private repositories that have Github Advanced Security licensed.

Learn more about dependency review enforcement.
Learn more about configuring the Dependency Review GitHub Action.

See more

The dependency graph now supports detecting Rust (Cargo.{toml,lock}) files. These will be displayed within the dependency graph section in the Insights tab. Users will receive Dependabot alerts and updates for vulnerabilities associated with their Rust dependencies. Package metadata, including mapping packages to repositories, will be added at a later date.

Learn more about the dependency graph.

See more

A new GitHub Action enforces dependency reviews on PRs by scanning for dependencies and warning you about any associated security vulnerabilities. This is supported by a new API endpoint that diffs the dependencies between any two revisions.

The dependency review action is available for use in public repositories. The action is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.

Learn more about dependency review enforcement.

See more

Dependency graph now supports detecting Python dependencies in repositories that use the Poetry package manager. Dependencies will be detected from both pyproject.toml
and poetry.lock manifest files. We will detect dependencies from existing manifest files over the next few weeks, or sooner if the manifest file is updated.

Learn more about dependency dependency graph

See more

Dependency review is now generally available for all public repositories and for private repositories with GitHub Advanced Security enabled. Dependency review helps you understand dependency changes and the security impact of these changes when reviewing pull requests. It provides an easily understandable visualization of dependency changes with a rich diff on the "Files Changed" tab of a pull request and shows:

  • Which dependencies were added, removed, or updated, along with the release dates.
  • How many projects use these dependencies.
  • Vulnerabilities being introduced by the added or updated dependencies.

Open Dependency Review For Package Manifest

Learn more about dependency review
Learn more about GitHub Advanced Security

See more

Dependency review, in beta, helps you review dependency changes in your pull requests. But how do you find your package manifests amongst all the other files? Now you can filter the files in pull requests to see just the package manifests:

Screenshot of pull request manifest filter

What if you don’t have a pull request at all? Now you can review dependency changes between any two commits, such as:

  • During the creation of a pull request,
  • When comparing two branches, tags, or specific commits, and
  • When viewing the history of a package manifest.

GIF of dependency review on commit diff

Learn more about reviewing dependency changes in pull requests.

See more