Dependency graph: Dependency submission API (Public Beta) #467

@github-product-roadmap

The dependency graph today uses manifest parsing to understand the set of dependencies in a repository. This approach has some shortcomings: we can't easily support complex dependency systems which use executable code in the build to resolve dependencies (like Gradle), and users of an ecosystem need to wait for GitHub to add support for it.

The dependency submission API will allow users to upload details of their dependencies directly, via an API request. It will be designed to work with the output of build tools and package managers. The dependency graph will store this data and, if an ecosystem is supported in the advisory database, GitHub will send alerts if/when a vulnerable dependency is present.

This release will be a public beta.

Labels: all (Product SKU: All), cloud (Available on Cloud), preview (Feature phase: Preview), shipped (Shipped)
