About the dependency graph
The dependency graph is a summary of the manifest and lock files stored in a repository, plus any dependencies submitted for the repository using the dependency submission API. For each repository, it shows:
- Dependencies: the ecosystems and packages it depends on
- Dependents: the repositories and packages that depend on it
For each dependency, you can see the version, license information, the manifest file that includes it, and whether it has known vulnerabilities. For package ecosystems that support transitive dependencies, the relationship status of the dependency is also displayed. You can click the icon next to the dependency and select "Show paths" to view the transitive path that introduces it.
You can also use the search bar to look for a specific dependency. Dependencies are sorted automatically, with vulnerable packages listed first.
For information on the supported ecosystems and manifest files, see Supported package ecosystems for the dependency graph.
When you create a pull request containing changes to dependencies that targets the default branch, GitHub uses the dependency graph to add dependency reviews to the pull request. These indicate whether the dependencies contain vulnerabilities and, if so, the version of the dependency in which the vulnerability was fixed. For more information, see Dependency review.
How the dependency graph is built
The dependency graph automatically parses dependencies by analyzing manifests and lock files in your repository. You can also submit data yourself. For more information, see How the dependency graph identifies dependencies.
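To make the description above concrete (manifest and lock file parsing, direct versus transitive relationships, the paths behind "Show paths", and vulnerable packages sorted to the top), here is an added example that is not GitHub's code. It parses a constructed npm `package-lock.json` and reports the same per-dependency fields the graph shows; the lock data and the `KNOWN_VULNERABLE` advisory set are made up for the example, since GitHub takes vulnerability data from the Advisory Database rather than a local table.

```python
import json
from collections import deque
# Constructed sample npm package-lock.json (lockfileVersion 3); not from any real project.
SAMPLE_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"dependencies": {"web-framework": "^2.0.0", "logger": "^1.4.0"}},
    "node_modules/web-framework": {"version": "2.1.0", "license": "MIT", "dependencies": {"parser-lib": "^3.0.0"}},
    "node_modules/logger": {"version": "1.4.2", "license": "MIT", "dependencies": {"parser-lib": "^3.0.0"}},
    "node_modules/parser-lib": {"version": "3.0.1", "license": "ISC"},
}})
# Constructed, hypothetical advisory data; GitHub takes this from the Advisory Database instead.
KNOWN_VULNERABLE = {("npm", "parser-lib", "3.0.1")}


def build_graph(lock_text):
    """Return ({name: {version, license, deps}}, [direct dependency names]) from a lock file."""
    pkgs = json.loads(lock_text)["packages"]
    graph = {}
    for path, meta in pkgs.items():
        if path == "":
            continue  # the root entry describes the repository itself
        # Hoisted layout only ("node_modules/<name>"); nested node_modules trees are not resolved.
        name = path.rsplit("node_modules/", 1)[1]
        graph[name] = {"version": meta["version"], "license": meta.get("license", "unknown"),
                       "deps": list(meta.get("dependencies", {}))}
    return graph, list(pkgs[""].get("dependencies", {}))


def dependency_paths(graph, direct, target):
    """Every path from the repository root to `target`, i.e. what "Show paths" displays."""
    paths, queue = [], deque([[d] for d in direct])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            paths.append(path)
            continue
        for child in graph.get(path[-1], {}).get("deps", []):
            if child not in path:  # guard against dependency cycles
                queue.append(path + [child])
    return paths


def summarize(lock_text, ecosystem="npm"):
    """Per-dependency rows, sorted with vulnerable packages first as the dependency graph does."""
    graph, direct = build_graph(lock_text)
    rows = []
    for name, meta in graph.items():
        vulnerable = (ecosystem, name, meta["version"]) in KNOWN_VULNERABLE
        rows.append({"ecosystem": ecosystem, "package": name, "version": meta["version"],
                     "license": meta["license"], "vulnerable": vulnerable,
                     "relationship": "direct" if name in direct else "transitive",
                     "paths": dependency_paths(graph, direct, name)})
    return sorted(rows, key=lambda r: (not r["vulnerable"], r["package"]))
```

Running `summarize(SAMPLE_LOCK)` lists `parser-lib` first as a vulnerable transitive dependency reached through both `logger` and `web-framework`, followed by the two direct dependencies.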
Dependency graph availability
Repository administrators can enable or disable the dependency graph for a repository. For more information, see Managing security and analysis settings for your repository and Enabling the dependency graph.
Dependents and "used by" data
For public repositories, the dependency graph lists dependents. These are other public repositories that depend on the repository or on packages that it publishes. This information is not reported for private repositories.
Some repositories have a "Used by" section in the sidebar of the Code tab. This section shows the number of public references to the package that was found, and displays the avatars of some of the owners of the dependent projects. Clicking any item in this section takes you to the Dependents tab of the dependency graph.
Your repository will have a "Used by" section if:
- The dependency graph is enabled for the repository.
- Your repository contains a package that is published on a supported package ecosystem. See Supported package ecosystems for the dependency graph.
- Within the ecosystem, your package has a link to a public repository where the source is stored.
- More than 100 repositories depend on your package.

The "Used by" section represents a single package from the repository. If you have admin permissions to a repository that contains multiple packages, you can choose which package the "Used by" section represents. See Changing the "Used by" package for your repository.
What you can do with the dependency graph
You can use the dependency graph to:
- Explore the repositories your code depends on, and those that depend on it. For more information, see Exploring the dependencies of a repository.
- View a summary of the dependencies used in your organization's repositories in a single dashboard. For more information, see Viewing insights for dependencies in your organization.
- View and update vulnerable dependencies for your repository. For more information, see Dependabot alerts.
- See information about vulnerable dependencies in pull requests. For more information, see Reviewing dependency changes in a pull request.
- Export a software bill of materials (SBOM) for audit or compliance purposes. This is a formal, machine-readable inventory of a project's dependencies. See Exporting a software bill of materials for your repository.