Skip to main content
ドキュメントには頻繁に更新が加えられ、その都度公開されています。本ページの翻訳はまだ未完成な部分があることをご了承ください。最新の情報については、英語のドキュメンテーションをご参照ください。本ページの翻訳に問題がある場合はこちらまでご連絡ください。
GitHub AEは、現在限定リリース中です。詳細については営業チームにお問い合わせください。

Troubleshooting the dependency graph

If the dependency information reported by the dependency graph is not what you expected, there are a number of points to consider, and various things you can check.

GitHub AE によって報告された依存関係の検出結果は、他のツールから返される結果とは異なる場合があります。 これには理由があり、GitHub がプロジェクトの依存関係をどのように決定するかを理解しておくと便利です。

Does the dependency graph only find dependencies in manifests and lockfiles?

The dependency graph includes information on dependencies that are explicitly declared in your environment. That is, dependencies that are specified in a manifest or a lockfile. The dependency graph generally also includes transitive dependencies, even when they aren't specified in a lockfile, by looking at the dependencies of the dependencies in a manifest file.

The dependency graph doesn't include "loose" dependencies. "Loose" dependencies are individual files that are copied from another source and checked into the repository directly or within an archive (such as a ZIP or JAR file), rather than being referenced by in a package manager’s manifest or lockfile.

Check: Is the missing dependency for a component that's not specified in the repository's manifest or lockfile?

Does the dependency graph detect dependencies specified using variables?

The dependency graph analyzes manifests as they’re pushed to GitHub. The dependency graph doesn't, therefore, have access to the build environment of the project, so it can't resolve variables used within manifests. If you use variables within a manifest to specify the name, or more commonly the version of a dependency, then that dependency will not be included in the dependency graph.

Check: Is the missing dependency declared in the manifest by using a variable for its name or version?

Are there limits which affect the dependency graph data?

Yes, the dependency graph has two categories of limits:

  1. Processing limits

    These affect the dependency graph displayed within GitHub and also prevent Dependabotアラート being created.

    Manifests over 0.5 MB in size are only processed for enterprise accounts. For other accounts, manifests over 0.5 MB are ignored and will not create Dependabotアラート.

    By default, GitHub will not process more than 20 manifests per repository. Dependabotアラート are not created for manifests beyond this limit. If you need to increase the limit, contact your enterprise owner.

  2. Visualization limits

    These affect what's displayed in the dependency graph within GitHub. However, they don't affect the Dependabotアラート that are created.

    The Dependencies view of the dependency graph for a repository only displays 100 manifests. Typically this is adequate as it is significantly higher than the processing limit described above. In situations where the processing limit is over 100, Dependabotアラート are still created for any manifests that are not shown within GitHub.

Check: Is the missing dependency in a manifest file that's over 0.5 MB, or in a repository with a large number of manifests?

Further reading