Justin Hutchings
Director of Product Management for supply chain security. I manage the team that's behind Dependabot, the Advisory Database, and the dependency graph. Twitter: https://twitter.com/jhutchings0
The dependency graph is rolling out for all PHP repositories with Composer dependencies. In addition to Composer, GitHub supports package managers for many other programming languages, including Maven, NPM, Yarn, and Nuget.
The dependency graph powers many important experiences in GitHub, including security alerts, the “used by” counter, dependency insights, and automatic security fixes. We’re also seeing PHP and Composer grow in popularity—PHP is the fourth most popular language on GitHub and Composer is the fourth most starred PHP project. We’ve taken note, and the dependency graph is now rolling out for all PHP repositories with Composer dependencies. In addition to Composer, GitHub supports package managers for other programming languages, including Maven, NPM, Yarn, and Nuget.
You may see security alerts on your repositories as dependency graph support rolls out. When there’s a published vulnerability on any of the Composer dependencies that your project lists in composer.json
and composer.lock
files, GitHub will send you an alert including email or web notifications, depending on your preferences.
If your repository is public, you’ll start receiving these alerts automatically—no need to change anything. If your repository is private or if you disabled the dependency graph on your repository, enable the dependency graph to start receiving alerts.
Organizations with multiple private repositories can also enable the dependency graph across their repositories using a script enabling security alerts and automated security fixes.
What if you don’t want to receive alerts on those old PHP projects you wrote years ago? Archive them! Archived repositories send a signal to the rest of the community that they aren’t maintained and don’t receive security alerts.
If you’ve opted in to the automatic security fixes beta, you’ll receive pull requests for your vulnerable PHP dependencies when you receive security alerts. Learn more about automatic security fixes.
Organizations using GitHub Enterprise can also start leveraging dependency insights to view information about PHP dependencies. Dependency insights offers a summary of the dependency graph information across all repositories in an organization or across organizations. This makes it easy to identify where you may be using vulnerable dependencies, while providing information about a dependency’s license.
In November, we experienced one incident that resulted in degraded performance across GitHub services.
Whether you’re hunting for the perfect gift for your significant other, the colleague you drew in the office gift exchange, or maybe (just maybe) even for yourself, we’ve got you covered with our top 10 gifts that any developer would love.
The Gaady Awards are like the Emmy Awards for the field of digital accessibility. And, just like the Emmys, the Gaadys are a reason to celebrate! On November 21, GitHub was honored to roll out the red carpet for the accessibility community at our San Francisco headquarters.