Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. We have updated the dependency review action to include information from the OpenSSF Scorecard project into the review, helping you better understand the security posture of the dependencies that you’re using.
If you’re using starter workflows to prepare the build and release steps for your Java projects that use Gradle, these projects will now have more comprehensive dependency graph information in GitHub. The Gradle starter workflows have been updated to automatically submit transitive dependencies to GitHub, improving the quality of dependency graph data and Dependabot updates for these apps.
Learn more about the action these starter workflows use by checking out the Build with Gradle action on the GitHub Marketplace. Thank you Gradle for making these updates!
Dependency review now works with your dependencies from the dependency submission API. Dependency review enforces policies around vulnerabilities and acceptable licenses in the pull request. Previously, dependency review could not be used with another feature of the dependency graph called the dependency submission API. The dependency submission API helps developers get a more accurate set of transitive dependencies, particularly for complex ecosystems like Gradle or Scala which require a build to resolve all transitive dependencies.
To take advantage of this improvement, update to the latest version of the dependency review action, or follow the instructions in our documentation.
For more information, see our documentation about dependency review, the dependency submission API, and some best practices for using dependency review and the dependency submission API together.
pnpm is now fully supported by dependency graph, Dependabot alerts, and Dependabot security updates! If you manage your Node.js dependencies with the pnpm package manager, you can now receive and fix alerts about security vulnerabilities in those dependencies. To use this, enable Dependabot Security Updates from the repository settings page on the code security and analysis tab.
To read more about how to use Dependabot and dependency graph, see our documentation.
We have added over 17.5 million new package licenses to our database, expanding the license coverage for packages that appear in dependency graph, dependency insights, dependency review, and a repository's software bill of materials (SBOM). Package licenses dictate how a package can be used, making them an essential aspect of compliance when working with open source software.
These licenses are sourced from ClearlyDefined, a curated data store for open source licenses.
Starting today, you will now receive Dependabot alerts for vulnerabilities associated with your Swift dependencies.
The GitHub Advisory Database now includes curated Swift advisories. This brings the Advisory Database to twelve supported ecosystems: Composer (PHP), Erlang, GitHub Actions, Go, Maven, npm, NuGet, pip, Pub, RubyGems, Rust and Swift.
The dependency graph now supports detecting `Package.resolved` files. Swift dependencies from these files will be displayed within the dependency graph section in the Insights tab.
Dependabot security updates support will be added at a later date.
Following our recent release of generating a software bill of materials from the repository's dependency graph, you can now generate an SBOM for a repository using a new REST API for SBOMs. The resulting JSON will represent the head of the repository's main branch.
The dependency graph shows a summary of the manifest and lock files stored in a repository. The repository view has an updated user experience that includes:
- Search by package name from a paginated list of all dependencies
- Dependency licenses
- Dependabot alerts for dependencies, sorted by severity, and linking to the Dependabot alerts and the Dependabot updates pull request where applicable (only visible to users with privileges to view the repository's Dependabot alerts)
Access a repository's dependency graph from Insights > Dependency graph.
A software bill of materials (SBOM) is a standardized inventory of a software project's dependencies and associated metadata (versions, licenses, etc). You can now export your repository's dependency graph as an SBOM adhering to the SPDX 2.3 specification.
Click "Export SBOM" on a repository's dependency graph to generate an SBOM representing the head of the main branch. The resulting JSON file will download in your browser. Exporting an SBOM is free for all cloud repositories on GitHub, and can be performed by anyone with read access to a repository.
A supporting REST API to generate SBOMs for repositories will be available in the coming weeks.
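The SBOM described above (the "Export SBOM" button and the REST endpoint) is an SPDX 2.3 document serialised as JSON. The following is an added example, not code from GitHub or the page: it loads such a document, lists the packages it declares, counts them by package-URL ecosystem, and flags packages whose concluded license is either missing (`NOASSERTION`) or on a denylist, which is the kind of check a compliance or supply-chain review would run over the export. The sample document is constructed inline; its shape (a top-level `sbom` wrapper around the SPDX fields, `versionInfo`, `licenseConcluded`, and a purl in `externalRefs`) is an assumption modelled on the export format, and the `acme-*` packages are fictional.

```python
"""Summarise an SPDX 2.3 SBOM (as exported from the dependency graph) and flag license problems."""
import json
from collections import Counter

# Licenses this (hypothetical) organisation does not allow in shipped code.
DENIED_LICENSES = {"AGPL-3.0-only", "GPL-3.0-only"}

# Constructed sample. Shape assumed from the export format: a "sbom" wrapper around an SPDX 2.3 document.
# lodash, golang.org/x/crypto and requests are real packages with their real licenses; acme-* are fictional.
SAMPLE_SBOM_JSON = json.dumps({
    "sbom": {
        "SPDXID": "SPDXRef-DOCUMENT",
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "name": "com.github.example/app",
        "documentDescribes": ["SPDXRef-Package-app"],
        "packages": [
            {"SPDXID": "SPDXRef-Package-app", "name": "com.github.example/app", "versionInfo": "main",
             "downloadLocation": "git+https://github.com/example/app", "licenseConcluded": "NOASSERTION"},
            {"SPDXID": "SPDXRef-npm-lodash", "name": "npm:lodash", "versionInfo": "4.17.21",
             "downloadLocation": "NOASSERTION", "licenseConcluded": "MIT",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
            {"SPDXID": "SPDXRef-go-x-crypto", "name": "go:golang.org/x/crypto", "versionInfo": "v0.9.0",
             "downloadLocation": "NOASSERTION", "licenseConcluded": "BSD-3-Clause",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": "pkg:golang/golang.org/x/crypto@v0.9.0"}]},
            {"SPDXID": "SPDXRef-pip-requests", "name": "pip:requests", "versionInfo": "2.31.0",
             "downloadLocation": "NOASSERTION", "licenseConcluded": "Apache-2.0",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
            {"SPDXID": "SPDXRef-npm-acme-widget", "name": "npm:acme-widget", "versionInfo": "0.1.0",
             "downloadLocation": "NOASSERTION", "licenseConcluded": "AGPL-3.0-only",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": "pkg:npm/acme-widget@0.1.0"}]},
            # No licenseConcluded and no purl: the database had no license data for this package.
            {"SPDXID": "SPDXRef-npm-acme-legacy", "name": "npm:acme-legacy", "versionInfo": "2.0.0",
             "downloadLocation": "NOASSERTION"},
        ],
    }
})


def load_sbom(text):
    """Parse the JSON and unwrap the "sbom" key if present; reject anything that is not SPDX 2.x."""
    data = json.loads(text)
    doc = data.get("sbom", data)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError(f"unsupported SPDX version: {doc.get('spdxVersion')!r}")
    return doc


def _purl(pkg):
    """Return the package-URL locator from externalRefs, or None if the package has none."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None


def list_packages(doc):
    """Flatten the dependency packages, skipping the root package(s) the document describes."""
    roots = set(doc.get("documentDescribes", []))
    packages = []
    for pkg in doc.get("packages", []):
        if pkg.get("SPDXID") in roots:
            continue
        packages.append({
            "name": pkg.get("name"),
            "version": pkg.get("versionInfo"),
            "license": pkg.get("licenseConcluded") or "NOASSERTION",
            "purl": _purl(pkg),
        })
    return packages


def flag_licenses(packages, denied=DENIED_LICENSES):
    """Return (name, reason) for packages with an unknown license or one on the denylist."""
    flagged = []
    for pkg in packages:
        if pkg["license"] == "NOASSERTION":
            flagged.append((pkg["name"], "unknown license"))
        elif pkg["license"] in denied:
            flagged.append((pkg["name"], f"denied license {pkg['license']}"))
    return flagged


def ecosystem_counts(packages):
    """Count packages by purl type ("pkg:npm/..." -> "npm"); packages without a purl count as unknown."""
    counts = Counter()
    for pkg in packages:
        purl = pkg["purl"]
        counts[purl.split("/")[0].removeprefix("pkg:") if purl else "unknown"] += 1
    return counts


if __name__ == "__main__":
    pkgs = list_packages(load_sbom(SAMPLE_SBOM_JSON))
    print(f"{len(pkgs)} dependencies by ecosystem: {dict(ecosystem_counts(pkgs))}")
    for name, reason in flag_licenses(pkgs):
        print(f"  FLAG {name}: {reason}")
```

To run the same summary against a real export, replace `SAMPLE_SBOM_JSON` with the file downloaded from the "Export SBOM" button or the body returned by the SBOM REST endpoint; the loader accepts both the wrapped and the bare SPDX form. Treat `NOASSERTION` as a finding rather than a pass: it means the license database had no answer for that package, not that the package is unlicensed or permissively licensed.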
The repository dependency graph GraphQL API preview now returns dependencies that have been submitted using the dependency submission API.
Dependency graph and Dependabot now parse and update `package-lock.json` files set with `lockfileVersion: 3`, which is used by npm v9. Users will receive Dependabot alerts for dependencies with known vulnerabilities.
Dependency graph no longer ingests `go.sum` files for Go repositories, and Dependabot no longer alerts on vulnerabilities for dependencies found in `go.sum` files. Dependencies previously ingested from `go.sum` files have been removed from the dependency graph for all repositories on github.com.
`go.sum` files are not lock files but a log of all packages downloaded by Go when building a project. They may include multiple versions of a dependency, which may result in false positive Dependabot alerts for a vulnerable version that isn't actually used in the project.
Dependency graph continues to support `go.mod` files, the recommended format for Go projects. Use Go 1.17 or higher to ensure your `go.mod` file is a comprehensive view of all direct and transitive dependencies.
Dependency graph now supports parsing Python dependencies for `pyproject.toml` files that follow the PEP 621 standard.
Dependency graph automatically supports many ecosystems, but some additional ecosystems require configuration to submit dependencies with the dependency submission API. The community maintains several GitHub Actions that make this easier.
Users with write access to Gradle, Maven, Scala, and Mill repositories now see messaging on their dependency graph that directs them to an action that will scan and submit dependencies for their ecosystem. Users with access to Dependabot alerts will also see messaging on their repository's Dependabot alerts tab.
Prompts will display if a repository includes any of the following files: `pom.xml`, `build.gradle`, `build.gradle.kts`, `build.sbt`, or `build.sc`.
The dependency graph team is working to have native support for these types of ecosystems with more news to come later this year.
The dependency review API is now generally available.
The Dependency Review GitHub Action now allows you to reference a local or external configuration file. There are also new configuration options:
- `fail-on-scopes`: a list of the dependency scopes you want to check (`development`, `runtime`, `unknown`). The action fails pull requests that introduce vulnerabilities in dependencies whose scope matches the list.
- `allow-ghsas`: a list of GitHub Security Advisory IDs to skip during detection.
- `license-check` and `vulnerability-check`: boolean options that let you disable either one of the checks.
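The following workflow is an added example of those options in use, not a file from the page or from the action's own repository. It assumes the action is `actions/dependency-review-action` at major version 3 and that `fail-on-scopes` takes a comma-separated list; the repository name and the commented-out advisory ID are placeholders, and the `config-file` step shows the configuration-file form as an alternative to inline inputs.

```yaml
# .github/workflows/dependency-review.yml (hypothetical example)
name: Dependency review
on: [pull_request]

permissions:
  contents: read   # the action only needs to read the diff of manifests and lockfiles

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Inline configuration: block vulnerable runtime dependencies, but let
      # development-only tooling through; keep both checks enabled.
      - uses: actions/dependency-review-action@v3
        with:
          fail-on-scopes: runtime
          vulnerability-check: true
          license-check: true
          # Advisories reviewed and accepted as not exploitable in this project.
          # Replace with real GHSA IDs before enabling:
          # allow-ghsas: GHSA-xxxx-xxxx-xxxx

      # Equivalent configuration-file form: the file lives in the repository
      # (a local path) or in another repository the workflow can read.
      # - uses: actions/dependency-review-action@v3
      #   with:
      #     config-file: ./.github/dependency-review-config.yml
```

Restricting `fail-on-scopes` to `runtime` is the usual trade-off: a vulnerable build-time tool still appears in the review summary, but it does not block merging, while anything that ships to production does. Entries in `allow-ghsas` are per-advisory exceptions, so record the reason for each one next to the ID rather than adding them silently.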
Learn more about the dependency graph and dependency review.