Skip to main content
ドキュメントには頻繁に更新が加えられ、その都度公開されています。本ページの翻訳はまだ未完成な部分があることをご了承ください。最新の情報については、英語のドキュメンテーションをご参照ください。本ページの翻訳に問題がある場合はこちらまでご連絡ください。

About dependency review

Dependency review lets you catch insecure dependencies before you introduce them to your environment, and provides information on license, dependents, and age of dependencies.

Dependency review is available for organization-owned repositories in GitHub Enterprise Server. This feature requires a license for GitHub Advanced Security. 詳しい情報については、「GitHub Advanced Security について」を参照してください。

About dependency review

依存関係レビューを使うと、すべてのPull Reqeustにおける以下の変更による依存関係の変化とセキュリティについての影響を理解しやすくなります。 Pull Requestの"Files Changed(変更されたファイル)"タブ上のリッチdiffで、依存関係の変化を理解しやすく可視化します。 依存関係レビューは、以下のことを知らせます:

  • リリース日と合わせて、追加、削除、更新された依存関係。
  • これらのコンポーネントを使うプロジェクトの数。
  • これらの依存関係に関する脆弱性のデータ。

If a pull request targets your repository's default branch and contains changes to package manifests or lock files, you can display a dependency review to see what has changed. The dependency review includes details of changes to indirect dependencies in lock files, and it tells you if any of the added or updated dependencies contain known vulnerabilities.

Sometimes you might just want to update the version of one dependency in a manifest and generate a pull request. However, if the updated version of this direct dependency also has updated dependencies, your pull request may have more changes than you expected. The dependency review for each manifest and lock file provides an easy way to see what has changed, and whether any of the new dependency versions contain known vulnerabilities.

By checking the dependency reviews in a pull request, and changing any dependencies that are flagged as vulnerable, you can avoid vulnerabilities being added to your project. For more information about how dependency review works, see "Reviewing dependency changes in a pull request."

For more information about configuring dependency review, see "Configuring dependency review."

Dependabotアラート will find vulnerabilities that are already in your dependencies, but it's much better to avoid introducing potential problems than to fix problems at a later date. For more information about Dependabotアラート, see "About Dependabotアラート."

Dependency review supports the same languages and package management ecosystems as the dependency graph. For more information, see "About the dependency graph."

For more information on supply chain features available on GitHub Enterprise Server, see "About supply chain security."

Enabling dependency review

The dependency review feature becomes available when you enable the dependency graph. For more information, see "Enabling the dependency graph for your enterprise."