Exploring the dependencies of a repository

You can use the dependency graph to see the packages your project depends on and the repositories that depend on it. In addition, you can see any vulnerabilities detected in its dependencies.

Who can use this feature?

Repository administrators, organization owners, and people with write or maintain access to a repository

Viewing the dependency graph

The dependency graph shows the dependencies and dependents of your repository. For each dependency, you can see the version, license information, the manifest file which included it, and whether it has known vulnerabilities. For package ecosystems supporting transitive dependencies, the relationship status will be displayed and the disclosure button ... will show the transitive path which brought in the dependency. For more information about transitive dependency support, see Dependency graph supported package ecosystems.

You can also search for a specific dependency using the search bar. Dependencies are sorted automatically with vulnerabilities at the top. For information about the detection of dependencies and which ecosystems are supported, see Dependency graph supported package ecosystems.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Insights.

    Screenshot of the main page of a repository. In the horizontal navigation bar, a tab, labeled with a graph icon and "Insights," is outlined in orange.

  3. In the left sidebar, click Dependency graph.

    Screenshot of the "Dependency graph" tab. The tab is highlighted with an orange outline.

  4. Optionally, use the search bar to find a specific dependency or set of dependencies. You can use the keyword ecosystem: to show only packages of a certain type, or relationship: to show only direct or transitive dependencies (if the ecosystem supports transitivity). Plain words in the search bar match package names only.

  5. Optionally, to view the repositories and packages that depend on your repository, under "Dependency graph", click Dependents.

    Screenshot of the "Dependency graph" page. The "Dependents" tab is highlighted with an orange outline.

    Note

    GitHub currently only determines dependents for public repositories.

Dependencies view

For each dependency, you can see its ecosystem, the manifest file in which it was found, and its license (where detected).

  • Dependencies for private repositories, private packages, or unrecognized files are shown in plain text.

  • If the package manager for the dependency is in a public repository, you can hover on the dependency name to display a pop-up with the associated repository information.

  • You can sort and filter dependencies by typing filters as key:value pairs into the search bar.

    • Use ecosystem: <ecosystem-name> to display dependencies for the selected ecosystem.
    • Use relationship: to filter the list by relationship status. Possible values are direct, transitive, and inconclusive. Alternatively, you can click the relationship label adjacent to a dependency name to only show dependencies of the same relationship status. This filter is only available for ecosystems with transitive dependency support. See Dependency graph supported package ecosystems for more information.

Dependencies submitted to a project using the dependency submission API will show which detector was used for their submission and when they were submitted. For more information on using the dependency submission API, see Using the dependency submission API.

If vulnerabilities have been detected in the repository, these are shown at the top of the view for users with access to Dependabot alerts.

Dependents view

For public repositories, the dependents view shows how the repository is used by other repositories. To show only the repositories that contain a library in a package manager, click NUMBER Packages immediately above the list of dependent repositories. The dependent counts are approximate and may not always match the dependents listed.

Enabling and disabling the dependency graph

Repository administrators can enable or disable the dependency graph for private repositories or public forks.

You can enable or disable the dependency graph for all repositories owned by your user account. For more information, see Managing security and analysis settings for your personal account.

You can also enable the dependency graph for multiple repositories in an organization at the same time. For more information, see Securing your organization.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security.

  4. Read the message about granting GitHub read-only access to the repository data to enable the dependency graph, then next to "Dependency Graph", click Enable.

    Screenshot showing how to enable the dependency graph for a repository. The "Enable" button is highlighted with a dark orange outline.

    You can disable the dependency graph at any time by clicking Disable next to "Dependency Graph" on the settings page for "Code security and analysis."

Changing the "Used by" package

You may notice some repositories have a "Used by" section in the sidebar of the Code tab. Your repository will have a "Used by" section if:

  • The dependency graph is enabled for the repository (see the above section for more details).
  • Your repository contains a package that is published on a supported package ecosystem.
  • Within the ecosystem, your package has a link to a public repository where the source is stored.
  • More than 100 repositories depend on your package.

The "Used by" section shows the number of public references to the package that were found, and displays the avatars of some of the owners of the dependent projects.

Screenshot of the "Used by" section for a repository showing the summary of "13.4m" with details of 8 avatars and "+13,435,819."

Clicking any item in this section takes you to the Dependents tab of the dependency graph.

The "Used by" section represents a single package from the repository. If you have admin permissions to a repository that contains multiple packages, you can choose which package the "Used by" section represents.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Code security.

  4. Under "Code security", click the drop-down menu in the "Used by counter" section and choose a package.

Further reading