GitHub Launches New Dependency Graph Feature with Security Alerts Coming Soon

GitHub announced a new Dependency Graph feature at the GitHub Universe conference yesterday. It lists all the dependencies for a repository and will soon identify known vulnerabilities. The graph can be accessed under the Insights tab and currently supports Ruby and JavaScript dependencies, with Python coming soon.

Public repositories display the graph by default and private repository owners also have the option to enable it. Below is a screenshot of Gutenberg’s dependency graph:

GitHub plans to extend dependency graphs to show security alerts when one of the dependencies is using a version that is publicly known to be vulnerable to a security issue. In some cases the alerts may also suggest a security fix. Security alerts for dependencies are the first of a collection of security tools that GitHub has planned to release.
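A minimal illustration of the alert logic described above, added here as an example and not GitHub's own code: it reads a constructed Gemfile.lock fragment, records the version each gem is actually pinned to, and checks those pins against a constructed advisory table. The gem names are real, but the vulnerable ranges and fixed versions are hypothetical placeholders, not real advisory data.

```python
import re
from typing import Dict, List, Tuple

# Constructed Gemfile.lock "specs" fragment (not taken from a real project).
GEMFILE_LOCK = """\
GEM
  specs:
    nokogiri (1.8.0)
      mini_portile2 (~> 2.3.0)
    rack (2.0.3)
    rails (5.1.4)
      actionpack (= 5.1.4)
"""

# Constructed advisory table with hypothetical ranges (not real advisory data):
# package -> (first vulnerable version, first fixed version); affected if first_vuln <= v < first_fixed.
ADVISORIES = {
    "nokogiri": ("1.0.0", "1.8.1"),
    "rack": ("2.0.0", "2.0.4"),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.8.0' into (1, 8, 0) so versions compare numerically ('1.10.0' > '1.9.9')."""
    return tuple(int(p) for p in v.split("."))

def parse_gemfile_lock(text: str) -> Dict[str, str]:
    """Collect the pinned gems: lines indented exactly four spaces in the form 'name (version)'.
    Deeper-indented lines are a gem's own requirements and carry a constraint, not a pin."""
    pinned = {}
    for line in text.splitlines():
        m = re.match(r"^ {4}(\S+) \((\d+(?:\.\d+)*)\)$", line)
        if m:
            pinned[m.group(1)] = m.group(2)
    return pinned

def find_alerts(pinned: Dict[str, str], advisories) -> List[Tuple[str, str, str]]:
    """Return (package, installed, fixed_in) for each pinned gem inside a vulnerable range."""
    alerts = []
    for name, version in sorted(pinned.items()):
        if name not in advisories:
            continue
        first_vuln, first_fixed = advisories[name]
        if parse_version(first_vuln) <= parse_version(version) < parse_version(first_fixed):
            alerts.append((name, version, first_fixed))
    return alerts

if __name__ == "__main__":
    for name, installed, fixed in find_alerts(parse_gemfile_lock(GEMFILE_LOCK), ADVISORIES):
        print(f"{name} {installed} is affected; upgrade to {fixed}")
```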

The dependency graph isn’t yet as useful as it could be for many PHP-based WordPress projects, but GitHub’s decision to start with support for JavaScript and Ruby dependencies is in line with the data the company collected from repositories. JavaScript and Ruby are among the top four most popular languages on GitHub, as measured by the number of pull requests. JavaScript is by far the most popular and PHP isn’t too far behind Ruby, according to stats from the State of the Octoverse 2017.

GitHub is also launching new efforts to connect its massive community. The company reported 24 million developers working across 67 million repositories in 2017. The new community features are aimed at helping developers make meaningful connections in the vast sea of repositories on the platform. Users will notice a new “Discover Repositories” feed in their dashboards that makes recommendations based on their starred repositories and the people they follow.

GitHub has also launched a new curated Explore section to help users browse open source projects, topics, events, and resources.

2 Comments


  1. This is an interesting development. I wrote about the dependency hell before in ref to Gutenberg and how it can be a security/licensing concern if not taken care of with the right tools.

    Happy to see GitHub is stepping up their game to address this issue.

