You can see your project's dependencies, as well as any detected vulnerabilities, in the dependency graph.

The dependency graph is available for every public repository. Repository administrators can also set up the dependency graph for private repositories.

Tip: You can view and update vulnerable dependencies in your repository's dependency graph. The dependency graph lists vulnerable dependencies before other dependencies. For more information, see "About security alerts for vulnerable dependencies."

To enable the dependency graph for your project, your repository must define dependencies in a supported language using a supported file format.

| Supported languages for dependencies and vulnerabilities detection | Recommended file formats | Supported file formats |
| --- | --- | --- |
| Java | pom.xml | pom.xml |
| JavaScript | package-lock.json | package-lock.json, package.json |
| .NET | .csproj, .vbproj, .nuspec | .csproj, .vbproj, .nuspec |
| Python | requirements.txt, pipfile.lock | requirements.txt, pipfile.lock |
| Ruby | Gemfile.lock | Gemfile.lock, Gemfile, *.gemspec |

Note: If you list your Python dependencies within a setup.py file, we may not be able to parse, list, and alert on every dependency in your project.

Listing dependencies for a repository with the dependency graph enabled

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Insights.

  3. In the left sidebar, click Dependency graph.

Enabling the dependency graph for a private repository

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Insights.

  3. In the left sidebar, click Dependency graph.

  4. Read the message about granting GitHub access to repository data to enable the dependency graph, then click Allow access.

For more information, see "Understanding how GitHub uses and protects your data."

Disabling the dependency graph for a private repository

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings.

  3. Under "Data services," unselect Dependency graph.

To opt out of data use for your repository, see "Opting into or out of data use for your private repository."

Troubleshooting the dependency graph

If your project has dependencies, but no dependencies are detected in your graph, there may be a problem with the file containing your dependencies. Check your project's file to ensure that it's correctly formatted for the file type.
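One way to run that check locally before pushing, as an added example (not GitHub's own tooling): it walks a checkout, classifies each manifest against the table above, flags `setup.py`, and tests only that the XML and JSON formats are well-formed, which is an assumed stand-in for "correctly formatted". The function names are hypothetical.

```python
import fnmatch
import json
import os
import tempfile
import xml.etree.ElementTree as ET

# File patterns copied from the supported-formats table on this page.
XML_FORMATS = ["pom.xml", "*.csproj", "*.vbproj", "*.nuspec"]
JSON_FORMATS = ["package-lock.json", "package.json", "pipfile.lock"]
RECOMMENDED = XML_FORMATS + ["package-lock.json", "requirements.txt", "pipfile.lock", "Gemfile.lock"]
SUPPORTED_ONLY = ["package.json", "Gemfile", "*.gemspec"]

def matches(name, patterns):
    return any(fnmatch.fnmatch(name.lower(), p.lower()) for p in patterns)

def parse_error(path, name):
    """Return the parser's message if an XML/JSON manifest is malformed; None otherwise."""
    try:
        if matches(name, XML_FORMATS):
            ET.parse(path)
        elif matches(name, JSON_FORMATS):
            with open(path, encoding="utf-8") as fh:
                json.load(fh)
    except (ET.ParseError, ValueError) as exc:
        return str(exc)

def audit_manifests(root):
    """Map each manifest's path (relative to root) to a status string."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip directories that are not part of the committed project tree.
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name == "setup.py":  # per the page's note, may be only partly parsed
                report[rel] = "partial"
            elif matches(name, RECOMMENDED + SUPPORTED_ONLY):
                status = "recommended" if matches(name, RECOMMENDED) else "supported"
                report[rel] = "malformed" if parse_error(os.path.join(root, rel), name) else status
    return report

def demo():
    """Audit a constructed sample repository written to a temp directory."""
    files = {"package.json": '{"dependencies": {}}', "pom.xml": "<project/>",
             "package-lock.json": '{"dependencies": {',  # constructed: truncated JSON
             "setup.py": "from setuptools import setup\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_manifests(root)
```

An empty report from `audit_manifests` means the checkout has no file the table lists; a `malformed` entry is the first thing to fix when the graph shows no dependencies.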
