The dependency graph is a summary of the manifest and lock files stored in a repository. It shows:

- Dependencies, the ecosystems and packages the repository depends on.
- Dependents, the repositories and packages that depend on it.

The dependency graph is available for every public repository that defines dependencies in a supported package ecosystem using a supported file format. Repository administrators can also set up the dependency graph for private repositories.

When you push a commit to GitHub that changes or adds a supported manifest or lock file to the default branch, the dependency graph is automatically updated. In addition, the graph is updated when anyone pushes a change to the repository of one of your dependencies. For information on the supported ecosystems and manifest files, see "Supported package ecosystems" below.

When you create a pull request containing changes to dependencies that targets the default branch, GitHub uses the dependency graph to add dependency reviews to the pull request. These indicate whether the dependencies contain vulnerabilities and, if so, the version of the dependency in which the vulnerability was fixed. For more information, see "About dependency review."

Dependencies included

The dependency graph includes all the dependencies of a repository that are detailed in the manifest and lock files, or their equivalent, for supported ecosystems. This includes:

- Direct dependencies, which are explicitly defined in a manifest or lock file.
- Indirect dependencies of these direct dependencies, also known as transitive dependencies or sub-dependencies.

The dependency graph identifies indirect dependencies either explicitly from a lock file or by checking the dependencies of your direct dependencies. For the most reliable graph, you should use lock files (or their equivalent) because they define exactly which versions of the direct and indirect dependencies you currently use. If you use lock files, you also ensure that all contributors to the repository are using the same versions, which makes it easier for you to test and debug code.

Dependents included

For public repositories, only public repositories that depend on the repository, or on packages that it publishes, are reported. This information is not reported for private repositories.

You can explore the repositories your code depends on, and those that depend on it. For more information, see "Reviewing dependency changes in a pull request."

To generate a dependency graph, GitHub needs read-only access to the dependency manifest and lock files for a repository. The dependency graph is automatically generated for all public repositories, and you can choose to enable it for private repositories. For information about enabling or disabling it for private repositories, see "Exploring the dependencies of a repository."

When the dependency graph is first enabled, any manifest and lock files for supported ecosystems are parsed immediately. The graph is usually populated within minutes, but this may take longer for repositories with many dependencies. Once enabled, the graph is automatically updated with every push to the repository and every push to other repositories in the graph.

The recommended formats explicitly define which versions are used for all direct and all indirect dependencies. If you use these formats, your dependency graph is more accurate. It also reflects the current build setup and enables the dependency graph to report vulnerabilities in both direct and indirect dependencies.
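The direct/indirect distinction and the dependency review described above, as an added illustration that is not GitHub's own implementation: a small Python parser for an npm package-lock.json (lockfileVersion 3) that classifies each installed package as direct or indirect, keeps nested installs of the same package as separate pinned versions, and flags any install whose locked version is below the fix version in a constructed advisory list. The lock file contents, package names and advisory entries are all constructed and fictional.

```python
import json

# Constructed npm package-lock.json (lockfileVersion 3) with fictional package names.
# The root entry "" lists the direct dependencies; every other key is an installed path,
# so the same package can appear twice at different versions (nested node_modules).
LOCKFILE = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"web-framework": "^2.1.0", "deep-merge-util": "~1.0.0"}},
    "node_modules/web-framework": {"version": "2.1.3",
                                   "dependencies": {"query-parser": "^6.10.0"}},
    "node_modules/query-parser": {"version": "6.10.4"},
    "node_modules/deep-merge-util": {"version": "1.0.7",
                                     "dependencies": {"query-parser": "5.2.1"}},
    "node_modules/deep-merge-util/node_modules/query-parser": {"version": "5.2.1"}
  }
}
""")

# Constructed advisory entries (fictional package, not a real advisory):
# an install is affected if its resolved version is below the version that fixed it.
ADVISORIES = [{"package": "query-parser", "fixed_in": "6.10.0"}]


def parse_version(version):
    """Turn '6.10.4' into (6, 10, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def dependency_graph(lockfile):
    """Map each installed path to its name, locked version and whether it is direct.
    Direct dependencies are the ones the root manifest entry lists explicitly;
    everything else in the lock file is an indirect (transitive) dependency."""
    direct = set(lockfile["packages"][""].get("dependencies", {}))
    graph = {}
    for path, meta in lockfile["packages"].items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[1]  # last segment after the final node_modules/
        graph[path] = {"name": name, "version": meta["version"], "direct": name in direct}
    return graph


def review(graph, advisories):
    """Mimic a dependency review: list affected installs together with the fixed version."""
    findings = []
    for path, dep in graph.items():
        for adv in advisories:
            if dep["name"] == adv["package"] and parse_version(dep["version"]) < parse_version(adv["fixed_in"]):
                findings.append({"path": path, "version": dep["version"],
                                 "direct": dep["direct"], "fixed_in": adv["fixed_in"]})
    return findings
```

Note that the top-level query-parser 6.10.4 is clean while the nested 5.2.1 copy pulled in by deep-merge-util is flagged, which is exactly the case a lock file makes visible and a manifest alone would hide.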