dependency-graph

The Dependency Review GitHub Action, which checks if pull requests introduce a dependency with a known vulnerability, now supports configuration based on vulnerability severity and license type.

The following configuration options are available:

• fail-on-severity: the action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher
• allow-licenses: the action will fail on pull requests that introduce dependencies with licenses that do not match the list
• deny-licenses: the action will fail on pull requests that introduce dependencies with licenses that match the list

The action is available for all public repositories, as well as private repositories that have Github Advanced Security licensed.

Learn more about dependency review enforcement.
Learn more about configuring the Dependency Review GitHub Action.

The dependency graph now supports detecting Rust (Cargo.{toml,lock}) files. These will be displayed within the dependency graph section in the Insights tab. Users will receive Dependabot alerts and updates for vulnerabilities associated with their Rust dependencies. Package metadata, including mapping packages to repositories, will be added at a later date.

Learn more about the dependency graph.

The dependency graph now supports detecting GitHub Actions workflow YAML files. These will be displayed within the dependency graph section in the Insights tab. Repositories that publish actions will also be able to see the number of repositories that depend on that action from the Used By control on the repository homepage.

Learn more about the dependency graph

Dependency graph now supports detecting Python dependencies in repositories that use the Poetry package manager. Dependencies will be detected from both pyproject.toml
and poetry.lock manifest files. We will detect dependencies from existing manifest files over the next few weeks, or sooner if the manifest file is updated.

Learn more about dependency dependency graph