Skip to main content

此版本的 GitHub Enterprise 将停止服务 2022-10-12. 即使针对重大安全问题,也不会发布补丁。 为了获得更好的性能、更高的安全性和新功能,请升级到最新版本的 GitHub Enterprise。 如需升级帮助,请联系 GitHub Enterprise 支持

About dependency review

Dependency review lets you catch insecure dependencies before you introduce them to your environment, and provides information on license, dependents, and age of dependencies.

依赖项评审可用于 GitHub Enterprise Server 中的组织拥有的存储库。 此功能需要 GitHub Advanced Security 的许可证。 有关详细信息,请参阅“关于 GitHub Advanced Security”。

注意:依赖项评审目前以 beta 版本提供,并且可能会发生更改。

About dependency review

依赖项审查帮助您了解依赖项变化以及这些变化在每个拉取请求中的安全影响。 它提供了一个易于理解的依赖项变化视图,多差异显示在拉取请求的“Files Changed(更改的文件)”选项卡上。 依赖项审查告知您:

  • 哪些依赖项连同发行日期一起添加、删除或更新。
  • 有多少项目使用这些组件。
  • 这些依赖项的漏洞数据。

If a pull request targets your repository's default branch and contains changes to package manifests or lock files, you can display a dependency review to see what has changed. The dependency review includes details of changes to indirect dependencies in lock files, and it tells you if any of the added or updated dependencies contain known vulnerabilities.

Sometimes you might just want to update the version of one dependency in a manifest and generate a pull request. However, if the updated version of this direct dependency also has updated dependencies, your pull request may have more changes than you expected. The dependency review for each manifest and lock file provides an easy way to see what has changed, and whether any of the new dependency versions contain known vulnerabilities.

By checking the dependency reviews in a pull request, and changing any dependencies that are flagged as vulnerable, you can avoid vulnerabilities being added to your project. For more information about how dependency review works, see "Reviewing dependency changes in a pull request."

For more information about configuring dependency review, see "Configuring dependency review."

Dependabot alerts will find vulnerabilities that are already in your dependencies, but it's much better to avoid introducing potential problems than to fix problems at a later date. For more information about Dependabot alerts, see "About Dependabot alerts."

Dependency review supports the same languages and package management ecosystems as the dependency graph. For more information, see "About the dependency graph."

For more information on supply chain features available on GitHub Enterprise Server, see "About supply chain security."

Enabling dependency review

The dependency review feature becomes available when you enable the dependency graph. For more information, see "Enabling the dependency graph for your enterprise."