Skip to main content

About dependency review

Dependency review lets you catch insecure dependencies before you introduce them to your environment, and provides information on license, dependents, and age of dependencies.

A revisão de dependência está habilitada em repositórios públicos. A revisão de dependência também está disponível em repositórios privados pertencentes a organizações que usam o GitHub Enterprise Cloud e que têm uma licença do GitHub Advanced Security. Para obter mais informações, confira "Sobre o GitHub Advanced Security".

About dependency review

Revisão de dependências ajuda você a entender as alterações de dependência e o impacto de segurança dessas alterações em cada pull request. Ele fornece uma visualização facilmente compreensível de mudanças de dependência, com um diff avançado na aba "Arquivos alterados" de uma solicitação de pull. A revisão de dependências informa você:

  • Quais dependências foram adicionadas, removidas ou atualizadas, junto com as datas de versão.
  • Quantos projetos usam esses componentes.
  • Dados de vulnerabilidade para essas dependências.

If a pull request targets your repository's default branch and contains changes to package manifests or lock files, you can display a dependency review to see what has changed. The dependency review includes details of changes to indirect dependencies in lock files, and it tells you if any of the added or updated dependencies contain known vulnerabilities.

Sometimes you might just want to update the version of one dependency in a manifest and generate a pull request. However, if the updated version of this direct dependency also has updated dependencies, your pull request may have more changes than you expected. The dependency review for each manifest and lock file provides an easy way to see what has changed, and whether any of the new dependency versions contain known vulnerabilities.

By checking the dependency reviews in a pull request, and changing any dependencies that are flagged as vulnerable, you can avoid vulnerabilities being added to your project. For more information about how dependency review works, see "Reviewing dependency changes in a pull request."

For more information about configuring dependency review, see "Configuring dependency review."

Dependabot alerts will find vulnerabilities that are already in your dependencies, but it's much better to avoid introducing potential problems than to fix problems at a later date. For more information about Dependabot alerts, see "About Dependabot alerts."

Dependency review supports the same languages and package management ecosystems as the dependency graph. For more information, see "About the dependency graph."

For more information on supply chain features available on GitHub, see "About supply chain security."

Dependency review enforcement

The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security enabled.

You can use the dependency review action in your repository to enforce dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository. For more information, see dependency-review-action.

Dependency review action example

By default, the dependency review action check will fail if it discovers any vulnerable packages. A failed check blocks a pull request from being merged when the repository owner requires the dependency review check to pass. For more information, see "About protected branches."

The action uses the Dependency Review REST API to get the diff of dependency changes between the base commit and head commit. You can use the Dependency Review API to get the diff of dependency changes, including vulnerability data, between any two commits on a repository. For more information, see "Dependency review."

You can configure the dependency review action to better suit your needs. For example, you can specify the severity level that will make the action fail, or set an allow or deny list for licenses to scan. For more information, see "Configuring dependency review."