pnpm is now fully supported by dependency graph, Dependabot alerts, and Dependabot security updates! If you manage your Node.js dependencies with the pnpm package manager, you can now receive and fix alerts about security vulnerabilities in those dependencies. To use this, enable Dependabot Security Updates from the repository settings page on the code security and analysis tab.
To read more about how to use Dependabot and dependency graph, you can read our documentation here
We have added over 17.5 million new package licenses to our database, expanding the license coverage for packages that appear in dependency graph, dependency insights, dependency review, and a repository's software bill of materials (SBOM). Package licenses dictate how a package can be used, making them an essential aspect of compliance when working with open source software.
These licenses are sourced from ClearlyDefined, a curated data store for open source licenses.
Starting today, you will now receive Dependabot alerts for vulnerabilities associated with your Swift dependencies.
The GitHub Advisory Database now includes curated Swift advisories. This brings the Advisory Database to twelve supported ecosystems, including: Composer (PHP), Erlang, GitHub Actions, Go, Maven, npm, NuGet, pip, Pub, RubyGems and Rust.
The dependency graph now supports detecting Package.resolved files. Swift dependencies from these files will be displayed within the dependency graph section in the Insights tab.
Dependabot security updates support will be added at a later date.
Following our recent release of generating a software bill of materials from the repository's dependency graph, you can now generate an SBOM for a repository using a new REST API for SBOMs. The resulting JSON will represent the head of the repository's main branch.
The dependency graph shows a summary of the manifest and lock files stored in a repository. The repository view has an updated user experience that includes:
Access a repository's dependency graph from Insights > Dependency graph.
A software bill of materials (SBOM) is a standardized inventory of a software project's dependencies and associated metadata (versions, licenses, etc). You can now export your repository's dependency graph as an SBOM adhering to the SPDX 2.3 specification.
Click "Export SBOM" on a repository's dependency graph to generate an SBOM representing the head of the main branch. The resulting JSON file will download in your browser. Exporting an SBOM is free for all cloud repositories on GitHub, and can be performed by anyone with read access to a repository.
A supporting REST API to generate SBOMs for repositories will be available in the coming weeks.
The repository dependency graph GraphQL API preview now returns dependencies that have been submitted using the dependency submission API.
Dependency graph and Dependabot now parse and update package-lock.json files set with lockfileVersion: 3, which is used by npm v9. Users will receive Dependabot alerts for dependencies with known vulnerabilities.
Dependency graph no longer ingests go.sum files for Go repositories, and Dependabot no longer alerts on vulnerabilities for dependencies found in go.sum files. Dependencies previously ingested from go.sum files have been removed from the dependency graph for all repositories on github.com.
go.sum files are not lock files but a log of all packages downloaded by Go when building a project. They may include multiple versions of a dependency, which may result in false positive Dependabot alerts for a vulnerable version that isn't actually used in the project.
Dependency graph continues to support go.mod files, the recommended format for Go projects. Use Go 1.17 or higher to ensure your go.mod file is a comprehensive view of all direct and transitive dependencies.
Dependency graph now supports parsing Python dependencies for pyproject.toml files that follow the PEP 621 standard.
Dependency graph automatically supports many ecosystems, but some additional ecosystems require configuration to submit dependencies with the dependency submission API. The community maintains several GitHub Actions that make this easier.
Users with write access to Gradle, Maven, Scala, and Mill repositories now see messaging on their dependency graph that directs them to an action that will scan and submit dependencies for their ecosystem. Users with access to Dependabot alerts will also see messaging on their repository's Dependabot alerts tab.
Prompts will display if a repository includes any of the following files: pom.xml, build.gradle, build.gradle.kts, build.sbt, or build.sc.
The dependency graph team is working to have native support for these types of ecosystems with more news to come later this year.
The dependency review API is now generally available.
The Dependency Review GitHub Action now allows you to reference a local or external configuration file. There are also new configuration options:
fail-on-scopes: contains a list of strings representing the build environments you want to support (development, runtime, unknown). The action will fail on pull requests that introduce vulnerabilities in the scopes that match the listallow-ghsas: contains a list of GitHub Security Advisory IDs that can be skipped during detectionlicense-check and vulnerability-check: a boolean option that allows you disable either one of the checks Learn more about the dependency graph and dependency review
Dart developers will now receive Dependabot alerts for known vulnerabilities on their pubspec dependencies.
The dependency graph supports detecting pubspec.lock and pubspec.yaml files. Dependencies from these files will be displayed within the dependency graph section in the Insights tab.
The Advisory Database includes curated security advisories for vulnerabilities on pubspec packages.
Learn more about:
Dependency graph now supports submissions through the dependency submission API (beta). This enables you to add dependencies, such as those resolved when software is compiled or built, to the dependency graph. Submitted dependencies will appear in a repository’s dependency graph and any associated vulnerabilities will trigger Dependabot alerts.
Releasing alongside the dependency submission API are the: