Skip to main content

Diese Version von GitHub Enterprise Server wurde eingestellt am 2024-09-25. Es wird keine Patch-Freigabe vorgenommen, auch nicht für kritische Sicherheitsprobleme. Für bessere Leistung, verbesserte Sicherheit und neue Features aktualisiere auf die neueste Version von GitHub Enterprise Server. Wende dich an den GitHub Enterprise-Support, um Hilfe zum Upgrade zu erhalten.

Abhängigkeitsdiagramm unterstützte Paket-Ökosysteme

Abhängigkeitsdiagramm unterstützt eine Vielzahl von Ökosystemen.

About the dependency graph

The dependency graph is a summary of the manifest and lock files stored in a repository and any dependencies that are submitted for the repository using the dependency submission API. For each repository, it shows dependencies, the ecosystems and packages it depends on.

GitHub Enterprise Server does not retrieve license information for dependencies, and does not calculate information about dependents, the repositories and packages that depend on a repository. For more information, see "About the dependency graph."

In this article, you can see what the supported ecosystems are.

Supported package ecosystems

The recommended formats explicitly define which versions are used for all direct and all indirect dependencies. If you use these formats, your dependency graph is more accurate. It also reflects the current build set up and enables the dependency graph to report vulnerabilities in both direct and indirect dependencies.

Package managerLanguagesRecommended formatsAll supported formats
CargoRustCargo.lockCargo.toml, Cargo.lock
ComposerPHPcomposer.lockcomposer.json, composer.lock
NuGet.NET languages (C#, F#, VB), C++.csproj, .vbproj, .nuspec, .vcxproj, .fsproj.csproj, .vbproj, .nuspec, .vcxproj, .fsproj, packages.config
GitHub Actions workflowsYAML.yml, .yaml.yml, .yaml
Go modulesGogo.modgo.mod
MavenJava, Scalapom.xmlpom.xml
npmJavaScriptpackage-lock.jsonpackage-lock.json, package.json
pipPythonrequirements.txt, pipfile.lockrequirements.txt, pipfile, pipfile.lock, setup.py
pubDartpubspec.lockpubspec.yaml, pubspec.lock
Python PoetryPythonpoetry.lockpoetry.lock, pyproject.toml
RubyGemsRubyGemfile.lockGemfile.lock, Gemfile, *.gemspec
Swift Package ManagerSwiftPackage.resolvedPackage.resolved
YarnJavaScriptyarn.lockpackage.json, yarn.lock

Note

  • If you list your Python dependencies within a setup.py file, we may not be able to parse and list every dependency in your project.
  • GitHub Actions workflows must be located in the .github/workflows/ directory of a repository to be recognized as manifests. Any actions or workflows referenced using the syntax jobs[*].steps[*].uses or jobs.<job_id>.uses will be parsed as dependencies. For more information, see "Workflow syntax for GitHub Actions."
  • Dependabot will only create Dependabot alerts for vulnerable GitHub Actions that use semantic versioning. You will not receive alerts for a vulnerable action that uses SHA versioning. If you use GitHub Actions with SHA versioning, we recommend enabling Dependabot version updates for your repository or organization to keep the actions you use updated to the latest versions. For more information, see "About Dependabot alerts" and "About Dependabot version updates."

Package ecosystems supported via dependency submission actions

You can use the dependency submission API to add build-time dependencies to the dependency graph, or to add dependencies from package managers and ecosystems of your choice to the dependency graph, even if the ecosystem is not in the supported ecosystem list above. Dependency information from these submitted dependencies will, in turn, flow into Dependabot updates and Dependabot alerts.

The dependency graph will display the submitted dependencies grouped by ecosystem, but separately from the dependencies parsed from manifest or lock files. For more information on the dependency submission API, see "Using the dependency submission API."

You typically use the dependency submission API in a GitHub Actions workflow to submit dependencies for your project when your project is built. The simplest way to use the dependency submission API is by adding a pre-made action to your repository that will gather and convert the list of dependencies to the required snapshot format and submit the list to the API. You can find links to the currently available actions in the table below.

EcosystemAction
GoGo Dependency Submission
GradleGradle Dependency Submission
MavenMaven Dependency Tree Dependency Submission
MillMill Dependency Submission
ScalaSbt Dependency Submission
NuGet and othersComponent Detection dependency submission action

Note

For the Component Detection dependency submission action, other supported ecosystems include Vcpkg, Conan, Conda, Crates, as well as NuGet.

For example, the following Go Dependency Submission workflow calculates the dependencies for a Go build-target (a Go file with a main function) and submits the list to the dependency submission API.

name: Go Dependency Submission
on:
  push:
    branches:
      - main

# The API requires write permission on the repository to submit dependencies
permissions:
  contents: write

# Environment variables to configure Go and Go modules. Customize as necessary
env:
  GOPROXY: '' # A Go Proxy server to be used
  GOPRIVATE: '' # A list of modules are considered private and not requested from GOPROXY
jobs:
  go-action-detection:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version: ">=1.18.0"

      - name: Run snapshot action
        uses: actions/go-dependency-submission@v1
        with:
            # Required: Define the repo path to the go.mod file used by the
            # build target
            go-mod-path: go-example/go.mod
            #
            # Optional. Define the repo path of a build target,
            # a file with a `main()` function.
            # If undefined, this action will collect all dependencies
            # used by all build targets for the module. This may
            # include Go dependencies used by tests and tooling.
            go-build-target: go-example/cmd/octocat.go

You can also create your own action. For more information, see "Using the dependency submission API."