Dependency graph support is now available for PHP repositories with Composer dependencies
The dependency graph is rolling out for all PHP repositories with Composer dependencies. In addition to Composer, GitHub supports package managers for many other programming languages, including Maven, NPM, Yarn, and Nuget.
The dependency graph powers many important experiences in GitHub, including security alerts, the “used by” counter, dependency insights, and automatic security fixes. We’re also seeing PHP and Composer grow in popularity—PHP is the fourth most popular language on GitHub and Composer is the fourth most starred PHP project. We’ve taken note, and the dependency graph is now rolling out for all PHP repositories with Composer dependencies. In addition to Composer, GitHub supports package managers for other programming languages, including Maven, NPM, Yarn, and Nuget.
Details
You may see security alerts on your repositories as dependency graph support rolls out. When there’s a published vulnerability on any of the Composer dependencies that your project lists in composer.json and composer.lock files, GitHub will send you an alert including email or web notifications, depending on your preferences.
Public and private repositories
If your repository is public, you’ll start receiving these alerts automatically—no need to change anything. If your repository is private or if you disabled the dependency graph on your repository, enable the dependency graph to start receiving alerts.
Multiple private repositories
Organizations with multiple private repositories can also enable the dependency graph across their repositories using a script enabling security alerts and automated security fixes.
Disable alerts on old projects
What if you don’t want to receive alerts on those old PHP projects you wrote years ago? Archive them! Archived repositories send a signal to the rest of the community that they aren’t maintained and don’t receive security alerts.
Automatic security fixes beta
If you’ve opted in to the automatic security fixes beta, you’ll receive pull requests for your vulnerable PHP dependencies when you receive security alerts. Learn more about automatic security fixes.
Enterprise plan subscribers
Organizations using GitHub Enterprise can also start leveraging dependency insights to view information about PHP dependencies. Dependency insights offers a summary of the dependency graph information across all repositories in an organization or across organizations. This makes it easy to identify where you may be using vulnerable dependencies, while providing information about a dependency’s license.
Written by
Related posts
Celebrating the GitHub Awards 2024 recipients 🎉
The GitHub Awards celebrates the outstanding contributions and achievements in the developer community by honoring individuals, projects, and organizations for creating an outsized positive impact on the community.
New from Universe 2024: Get the latest previews and releases
Find out how we’re evolving GitHub and GitHub Copilot—and get access to the latest previews and GA releases.
Bringing developer choice to Copilot with Anthropic’s Claude 3.5 Sonnet, Google’s Gemini 1.5 Pro, and OpenAI’s o1-preview
At GitHub Universe, we announced Anthropic’s Claude 3.5 Sonnet, Google’s Gemini 1.5 Pro, and OpenAI’s o1-preview and o1-mini are coming to GitHub Copilot—bringing a new level of choice to every developer.