Skip to main content

Reviewing dependency changes in a pull request

If a pull request contains changes to dependencies, you can view a summary of what has changed and whether there are known vulnerabilities in any of the dependencies.

在公共存储库上启用了依赖项评审。 依赖项评审也可用于使用 GitHub Enterprise Cloud 并拥有 GitHub Advanced Security 的许可证的组织所拥有的专用存储库。 有关详细信息,请参阅“关于 GitHub Advanced Security”。

About dependency review

依赖项审查帮助您了解依赖项变化以及这些变化在每个拉取请求中的安全影响。 它提供了一个易于理解的依赖项变化可视化效果,多差异显示在拉取请求的“更改的文件”选项卡上。 依赖项审查告知您:

  • 哪些依赖项连同发行日期一起添加、删除或更新。
  • 有多少项目使用这些组件。
  • 这些依赖项的漏洞数据。

Dependency review allows you to "shift left". You can use the provided predictive information to catch vulnerable dependencies before they hit production. For more information, see "About dependency review."

You can use the dependency review action to help enforce dependency reviews on pull requests in your repository. dependency review action 扫描拉取请求中的依赖项更改,如果有任何新的依赖项存在已知漏洞,则会引发错误。 API 终结点支持此操作,该终结点比较两个修订之间的依赖关系,并报告任何差异。

有关操作和 API 终结点的详细信息,请参阅 API 文档中的“关于依赖项审查”和“依赖项审查”。

You can configure the dependency review action to better suit your needs by specifying the type of dependency vulnerability you wish to catch. For more information, see "Configuring dependency review."

Reviewing dependencies in a pull request

  1. 在存储库名称下,单击 “拉取请求”。 问题和拉取请求选项卡选择

  2. 在拉取请求列表中,单击要审查的拉取请求。

  3. On the pull request, click Files changed. Pull Request Files changed tab

  4. If the pull request contains many files, use the File filter drop-down menu to collapse all files that don't record dependencies. This will make it easier to focus your review on the dependency changes.

    The file filter menu The dependency review provides a clearer view of what has changed in large lock files, where the source diff is not rendered by default.

    Note: Dependency review rich diffs are not available for committed static JavaScript files like jquery.js.

  5. On the right of the header for a manifest or lock file, display the dependency review by clicking the rich diff button.

    The rich diff button

  6. Check the dependencies listed in the dependency review.

    Vulnerability warnings in a dependency review

    Any added or changed dependencies that have vulnerabilities are listed first, ordered by severity and then by dependency name. This means that the highest severity dependencies are always at the top of a dependency review. Other dependencies are listed alphabetically by dependency name.

    The icon beside each dependency indicates whether the dependency has been added (), updated (), or removed () in this pull request.

    Other information includes:

    • The version, or version range, of the new, updated, or deleted dependency.
    • For a specific version of a dependency:
      • The age of that release of the dependency.
      • The number of projects that are dependent on this software. This information is taken from the dependency graph. Checking the number of dependents can help you avoid accidentally adding the wrong dependency.
      • The license used by this dependency, if this information is available. This is useful if you want to avoid code with certain licenses being used in your project.

    Where a dependency has a known vulnerability, the warning message includes:

    • A brief description of the vulnerability.
    • A Common Vulnerabilities and Exposures (CVE) or GitHub Security Advisories (GHSA) identification number. You can click this ID to find out more about the vulnerability.
    • The severity of the vulnerability.
    • The version of the dependency in which the vulnerability was fixed. If you are reviewing a pull request for someone, you might ask the contributor to update the dependency to the patched version, or a later release.
  7. 您可能还想查看源差异,因为清单或锁定文件可能会发生变化,但不会更改依赖项,也可能存在 GitHub 无法解析的依赖项,因此,这些依赖项不会显示在依赖项审核中。

    要返回到源差异视图,请单击 按钮。