The dependency graph now supports detecting Rust (Cargo.{toml,lock}) files. These will be displayed within the dependency graph section in the Insights tab. Users will receive Dependabot alerts and updates for vulnerabilities associated with their Rust dependencies. Package metadata, including mapping packages to repositories, will be added at a later date.
A new GitHub Action enforces dependency reviews on PRs by scanning for dependencies and warning you about any associated security vulnerabilities. This is supported by a new API endpoint that diffs the dependencies between any two revisions.
The dependency review action is available for use in public repositories. The action is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.
Learn more about dependency review enforcement.
The dependency graph now supports detecting GitHub Actions workflow YAML files. These will be displayed within the dependency graph section in the Insights tab. Repositories that publish actions will also be able to see the number of repositories that depend on that action from the Used By control on the repository homepage.
The dependency graph now supports detecting Python dependencies in repositories that use the Poetry package manager. Dependencies will be detected from both pyproject.toml and poetry.lock manifest files. We will detect dependencies from existing manifest files over the next few weeks, or sooner if the manifest file is updated.
Dependency review is now generally available for all public repositories and for private repositories with GitHub Advanced Security enabled. Dependency review helps you understand dependency changes and the security impact of these changes when reviewing pull requests. It provides an easily understandable visualization of dependency changes with a rich diff on the "Files Changed" tab of a pull request and shows:
- Which dependencies were added, removed, or updated, along with the release dates.
- How many projects use these dependencies.
- Vulnerabilities being introduced by the added or updated dependencies.
Learn more about dependency review
Learn more about GitHub Advanced Security
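The enforcement described above (the Action backed by an endpoint that diffs dependencies between two revisions) and the added/removed/updated breakdown that dependency review shows come down to one check: pair up the diff records, then look at what the added or updated packages bring in. The following is an added example of that check, not GitHub's own code. It assumes a record shape modelled on the compare endpoint (assumed here to be `GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`): one record per added or removed package with `change_type`, `ecosystem`, `manifest`, `name`, `version` and `vulnerabilities`, so an updated package shows up as a removed record plus an added record with the same name. The severity ranking, the sample diff and the GHSA placeholder are constructed.

```python
"""Classify a dependency diff between two revisions and flag the
vulnerabilities the change would introduce.

Added example, not GitHub's code. The record shape is an assumption modelled
on the dependency-graph compare endpoint: one record per added or removed
package, so an "updated" package appears as a removed record plus an added
record with the same (ecosystem, manifest, name) key.
"""
from collections import defaultdict

# Severity ranking used for the threshold check (assumed ordering).
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

# Constructed sample diff, shaped like a base..head compare result.
SAMPLE_DIFF = [
    {"change_type": "removed", "ecosystem": "pip", "name": "requests",
     "version": "2.25.0", "manifest": "poetry.lock", "vulnerabilities": []},
    {"change_type": "added", "ecosystem": "pip", "name": "requests",
     "version": "2.31.0", "manifest": "poetry.lock", "vulnerabilities": []},
    {"change_type": "added", "ecosystem": "cargo", "name": "example-crate",
     "version": "0.1.0", "manifest": "Cargo.lock",
     "vulnerabilities": [
         # Constructed placeholder advisory; the GHSA id is not real.
         {"severity": "high", "advisory_ghsa_id": "GHSA-xxxx-xxxx-xxxx",
          "advisory_summary": "constructed placeholder advisory"},
     ]},
    {"change_type": "removed", "ecosystem": "npm", "name": "left-pad",
     "version": "1.3.0", "manifest": "package-lock.json",
     "vulnerabilities": []},
]


def classify_changes(diff):
    """Return {"added": [...], "removed": [...], "updated": [...]}.

    A removed record and an added record with the same key are merged into
    one "updated" entry carrying both versions and the new version's
    vulnerabilities; unmatched records stay added or removed.
    """
    buckets = defaultdict(lambda: {"removed": [], "added": []})
    for rec in diff:
        key = (rec["ecosystem"], rec["manifest"], rec["name"])
        buckets[key][rec["change_type"]].append(rec)

    result = {"added": [], "removed": [], "updated": []}
    for key, pair in buckets.items():
        removed, added = pair["removed"], pair["added"]
        while removed and added:
            old, new = removed.pop(0), added.pop(0)
            result["updated"].append({
                "ecosystem": key[0], "manifest": key[1], "name": key[2],
                "from_version": old["version"], "to_version": new["version"],
                "vulnerabilities": new["vulnerabilities"],
            })
        result["added"].extend(added)
        result["removed"].extend(removed)
    return result


def introduced_vulnerabilities(diff, fail_on_severity="low"):
    """List (name, version, severity, ghsa_id) for every vulnerability in an
    added or updated package at or above the threshold. Removed packages
    cannot introduce anything, so they are not inspected."""
    threshold = SEVERITY_RANK[fail_on_severity]
    changes = classify_changes(diff)
    findings = []
    for rec in changes["added"] + changes["updated"]:
        version = rec.get("to_version", rec.get("version"))
        for vuln in rec["vulnerabilities"]:
            rank = SEVERITY_RANK.get(vuln["severity"].lower(), 0)
            if rank >= threshold:
                findings.append((rec["name"], version,
                                 vuln["severity"], vuln["advisory_ghsa_id"]))
    return findings


def review_verdict(diff, fail_on_severity="low"):
    """True when the change introduces no vulnerability at or above the threshold."""
    return not introduced_vulnerabilities(diff, fail_on_severity)


if __name__ == "__main__":
    changes = classify_changes(SAMPLE_DIFF)
    for kind in ("added", "removed", "updated"):
        for rec in changes[kind]:
            print(kind, rec["name"],
                  rec.get("to_version", rec.get("version")))
    for finding in introduced_vulnerabilities(SAMPLE_DIFF, "moderate"):
        print("FAIL", finding)
    print("passes review:", review_verdict(SAMPLE_DIFF, "moderate"))
```

The pairing step is what turns the endpoint's flat add/remove list into the added/removed/updated view the pull request shows; the threshold mirrors the idea of failing a review only at or above a chosen severity, so a team can start by blocking on critical findings and tighten later.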
Dependency review, in beta, helps you review dependency changes in your pull requests. But how do you find your package manifests amongst all the other files? Now you can filter the files in pull requests to see just the package manifests.
What if you don’t have a pull request at all? Now you can review dependency changes between any two commits, such as:
- During the creation of a pull request,
- When comparing two branches, tags, or specific commits, and
- When viewing the history of a package manifest.
Learn more about reviewing dependency changes in pull requests.