Article version: GitHub.com
Listing the packages that a repository depends on
You can see your project's dependencies, as well as any detected vulnerabilities, in the dependency graph.
In this article
- About the dependency graph
- Supported package ecosystems
- Listing dependencies for a repository with the dependency graph enabled
- Enabling the dependency graph for a private repository
- Disabling the dependency graph for a private repository
- Troubleshooting the dependency graph
- Further reading
About the dependency graph
The dependency graph is available for every public repository that defines dependencies in a supported package ecosystem using a supported file format. Repository administrators can also set up the dependency graph for private repositories.
You can view and update vulnerable dependencies in your repository's dependency graph. The dependency graph lists vulnerable dependencies before other dependencies. For more information, see "About security alerts for vulnerable dependencies."
You can view dependencies used in organization repositories in a single dashboard. For more information, see "Viewing insights for your organization."
Supported package ecosystems
| Package manager | Languages | Recommended formats | Supported formats |
|---|---|---|---|
| Maven | Java, Scala | pom.xml | pom.xml |
| npm | JavaScript | package-lock.json | package-lock.json, package.json |
| Yarn | JavaScript | yarn.lock | package.json, yarn.lock |
| dotnet CLI | .NET languages (C#, C++, F#, VB) | .csproj, .vbproj, .nuspec, .vcxproj, .fsproj | .csproj, .vbproj, .nuspec, .vcxproj, .fsproj, packages.config |
| Python PIP | Python | requirements.txt, pipfile.lock | requirements.txt, pipfile.lock, setup.py* |
| RubyGems | Ruby | Gemfile.lock | Gemfile.lock, Gemfile, *.gemspec |
| Composer | PHP | composer.lock | composer.json, composer.lock |
Note: If you list your Python dependencies within a setup.py file, we may not be able to parse, list, and alert on every dependency in your project.
Listing dependencies for a repository with the dependency graph enabled
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Insights.

- In the left sidebar, click Dependency graph.

Enabling the dependency graph for a private repository
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Insights.

- In the left sidebar, click Dependency graph.

- Read the message about granting GitHub access to repository data to enable the dependency graph, then click Allow access.

For more information, see "Understanding how GitHub uses and protects your data."
Disabling the dependency graph for a private repository
Note: The code scanning and secret scanning beta includes a new experience for managing security and analysis settings. If you're participating in the beta, skip the following steps and see "Managing security and analysis settings for your repository."
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Settings.

- Under "Data services," unselect Dependency graph.

To opt out of data use for your repository, see "Opting into or out of data use for your private repository."
Troubleshooting the dependency graph
If your project has dependencies, but no dependencies are detected in your graph, there may be a problem with the file containing your dependencies. Check your project's file to ensure that it's correctly formatted for the file type.
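One way to run that check on a local checkout, as an added example (not GitHub's code and not the parser the dependency graph uses): the script finds files named in the supported-formats table and confirms that the JSON and XML manifests are well formed. The parser assigned to each file and the status strings are assumptions of this example; text formats such as yarn.lock and requirements.txt are only checked for being non-empty UTF-8.

```python
import json
import xml.etree.ElementTree as ET
from pathlib import Path

# (parser, recommended) per manifest, transcribed from the "Supported package
# ecosystems" table; names are matched case-insensitively.
NAMES = {
    "pom.xml": ("xml", True), "packages.config": ("xml", False),
    "package-lock.json": ("json", True), "package.json": ("json", False),
    "composer.lock": ("json", True), "composer.json": ("json", False),
    "pipfile.lock": ("json", True), "yarn.lock": ("text", True),
    "requirements.txt": ("text", True), "setup.py": ("text", False),
    "gemfile.lock": ("text", True), "gemfile": ("text", False),
}
SUFFIXES = {s: ("xml", True) for s in (".csproj", ".vbproj", ".nuspec", ".vcxproj", ".fsproj")}
SUFFIXES[".gemspec"] = ("text", False)


def classify(path):
    """Return (parser, recommended) for a file named in the table, else None."""
    return NAMES.get(path.name.lower()) or SUFFIXES.get(path.suffix.lower())


def check_manifests(root):
    """Walk a local checkout and return {relative path: status} per manifest."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        kind = classify(path) if path.is_file() else None
        if kind is None:
            continue
        parser, recommended = kind
        try:
            if parser == "json":
                json.loads(path.read_text(encoding="utf-8"))
            elif parser == "xml":
                # Meant for your own checkout; use defusedxml on untrusted XML.
                ET.parse(path)
            elif not path.read_text(encoding="utf-8").strip():
                raise ValueError("empty manifest")
            status = "ok" if recommended else "ok, but not a recommended format"
        except (ValueError, ET.ParseError, OSError) as exc:
            status = f"problem: {type(exc).__name__}"
        results[path.relative_to(root).as_posix()] = status
    return results


if __name__ == "__main__":
    for rel, status in check_manifests(".").items():
        print(f"{rel}: {status}")
```

An empty result means no file in the checkout matches a name or extension from the table, which is a separate cause of an empty graph from a malformed manifest.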
Further reading
- "Listing the projects that depend on a repository"
- "Understanding how GitHub uses and protects your data"
- "Viewing and updating vulnerable dependencies in your repository"