The GitHub Blog 22 hours ago
Understand your software’s supply chain with GitHub’s dependency graph

GitHub's dependency graph is a powerful aid for software developers: it lays out clearly which external packages the code depends on, helping users understand, manage and secure a project in full. By visualising both direct and indirect dependency relationships, developers can identify potential security vulnerabilities and use Dependabot to fix them automatically. The dependency graph reveals how much of a codebase is code contributed by others, giving developers a deeper understanding of their software supply chain and thereby improving the security of their projects.

🧐 The core function of the dependency graph is to visualise a software project's dependency relationships, direct and indirect alike. It is like a "family tree" for the code: it shows clearly how each package relates to the others and helps developers understand what a project is really made of.

🚨 The dependency graph is the foundation of Dependabot: when a security issue is found in a dependency, GitHub alerts the user. Users get a full view of the risk in their supply chain and can take action accordingly.

💡 With the dependency graph, developers can distinguish direct dependencies from transitive ones, which makes it easier to trace where a package such as Log4j came from. This helps developers work out which problems they must fix themselves and which are for upstream maintainers to handle.

✅ The dependency graph is free for all public repositories; private repositories need GitHub Advanced Security to use Dependabot alerts, but the graph itself is free. Community-maintained Actions can also generate a Software Bill of Materials (SBOM) and submit it to GitHub's dependency submission API.

What if you could spot the weakest link in your software supply chain before it breaks?

With GitHub’s dependency graph, you can. By providing a clear, complete view of the external packages your code depends on, both directly and indirectly, it allows you to understand, secure, and manage your project’s true footprint.

If you’re like me and sometimes lose track of what’s actually powering your applications (we’ve all been there!), GitHub’s dependency graph is about to become your new best friend. 

What is the dependency graph?

Here’s the thing: Every modern software project is basically an iceberg. That small manifest file with your direct dependencies seems quite harmless at first glance. But underneath? There’s this massive, hidden world of transitive dependencies that most of us never think about. The GitHub dependency graph maps this entire underwater world. Think of it like a family tree, but for your code. Each package is a family member, and each dependency relationship shows who’s related to whom (and trust me, some of these family trees get really complicated).

Each package is a node. Each dependency relationship is an edge. The result? A full visual and structured representation of your software’s external codebase.

In some cases, 95–97% of your code is actually someone else’s. The dependency graph helps you make sense of that reality.

GitHub engineer Eric Sorenson

Let that sink in for a moment. We’re basically curators of other people’s work, and the dependency graph finally helps us make sense of that reality.

Why it matters

When vulnerabilities are discovered in open source packages, the consequences ripple downstream. If you don’t know a vulnerable dependency is part of your project, it’s hard to take action.

The dependency graph isn’t just a cool visualization (though it is pretty neat to look at). It’s the foundation that makes Dependabot alerts possible. When a security issue is found in any of your dependencies (even a transitive one), GitHub notifies you. You get the full picture of what’s in your supply chain, how it got there, and what you can actually do about it.

See it in action: From 21 to 1,000 dependencies

Eric showed us a project that looked innocent enough:

With the dependency graph, you can finally:

Tighten your supply chain with Dependabot

Dependabot runs on top of the dependency graph—so enabling the graph is what makes Dependabot’s vulnerability alerts and automatic fix suggestions possible. 

Pro tip: Filter for direct dependencies first. These are the ones you can actually control, so focus your energy there instead of pulling your hair out over transitive dependencies that are someone else’s responsibility.

How to enable the dependency graph

You can enable the dependency graph in your repository settings under Security > Dependency Graph. If you turn on Dependabot, the graph will be enabled automatically.

Using GitHub Actions? Community-maintained actions can generate a Software Bill of Materials (SBOM) and submit it to GitHub’s Dependency submission API, even if your language ecosystem doesn’t support auto-discovery.
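The two ideas above (telling direct dependencies apart from transitive ones so you know which package to trace a problem back to, and handing GitHub a snapshot of your resolved dependencies through the Dependency submission API) can be shown together in a short script. The following is an added example, not code from the GitHub post or from GitHub itself. The dependency data is a constructed sample (all `com.example` packages and the `2.0.0-example` version are made up), the detector name, job id and the all-zero commit SHA are placeholders, and `submit_snapshot` is the only part that touches the network; it is never called when the script runs. The snapshot layout follows the `POST /repos/{owner}/{repo}/dependency-graph/snapshots` endpoint's documented fields.

```python
"""Trace how a transitive package reaches a project, then assemble a
dependency snapshot in the shape GitHub's Dependency submission API accepts.
Added example; not the GitHub post's own code."""
import json
from datetime import datetime, timezone

# Constructed sample graph (not real resolution data). Keys are package URLs
# (purls); each value lists the packages that key depends on. ROOT is the project.
ROOT = "pkg:maven/com.example/web-app@1.0.0"
DEPENDS_ON = {
    ROOT: [
        "pkg:maven/com.example/http-server@4.1.0",
        "pkg:maven/com.example/report-engine@3.2.0",
        "pkg:maven/com.example/test-utils@2.0.0",
    ],
    "pkg:maven/com.example/http-server@4.1.0": ["pkg:maven/com.example/json-codec@1.9.0"],
    "pkg:maven/com.example/report-engine@3.2.0": ["pkg:maven/com.example/template-kit@0.8.0"],
    "pkg:maven/com.example/template-kit@0.8.0": [
        "pkg:maven/org.apache.logging.log4j/log4j-core@2.0.0-example",  # made-up version
    ],
    "pkg:maven/com.example/json-codec@1.9.0": [],
    "pkg:maven/com.example/test-utils@2.0.0": [],
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.0.0-example": [],
}
# Constructed: packages only used at development/test time.
DEV_SCOPED = {"pkg:maven/com.example/test-utils@2.0.0"}


def paths_to(graph, root, target):
    """Every dependency chain from the project to `target`; each chain starts
    with a direct dependency, so chain[0] is the package you actually control."""
    paths, stack = [], [(child, [child]) for child in graph.get(root, [])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for child in graph.get(node, []):
            if child not in path:  # guard against cycles in the graph
                stack.append((child, path + [child]))
    return sorted(paths)


def responsible_direct_deps(graph, root, target):
    """Direct dependencies through which `target` enters the project: the ones
    whose upgrade (or upstream fix) would remove it."""
    return sorted({path[0] for path in paths_to(graph, root, target)})


def build_snapshot(graph, root, sha, ref, manifest_path, scanned=None):
    """Build one dependency snapshot document. Relationship is 'direct' for the
    project's own dependencies and 'indirect' for everything else."""
    direct = set(graph.get(root, []))
    resolved = {}
    for purl, children in graph.items():
        if purl == root:
            continue  # the project itself is not a dependency
        resolved[purl] = {
            "package_url": purl,
            "relationship": "direct" if purl in direct else "indirect",
            "scope": "development" if purl in DEV_SCOPED else "runtime",
            "dependencies": list(children),  # keys of `resolved` this one depends on
        }
    return {
        "version": 0,
        "sha": sha,
        "ref": ref,
        # Placeholder job/detector identifiers; a real uploader would use its own.
        "job": {"id": "example-sbom-upload-1", "correlator": "example-sbom-upload"},
        "detector": {"name": "example-resolver", "version": "0.1.0",
                     "url": "https://example.invalid/detector"},
        "scanned": scanned or datetime.now(timezone.utc).isoformat(),
        "manifests": {
            manifest_path: {
                "name": manifest_path,
                "file": {"source_location": manifest_path},
                "resolved": resolved,
            }
        },
    }


def submit_snapshot(snapshot, owner, repo, token):
    """POST the snapshot to /repos/{owner}/{repo}/dependency-graph/snapshots.
    Network call; deliberately not invoked by this example."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/dependency-graph/snapshots",
        data=json.dumps(snapshot).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    target = "pkg:maven/org.apache.logging.log4j/log4j-core@2.0.0-example"
    for chain in paths_to(DEPENDS_ON, ROOT, target):
        print(" -> ".join(chain))
    print("direct dependencies to act on:", responsible_direct_deps(DEPENDS_ON, ROOT, target))
    snap = build_snapshot(DEPENDS_ON, ROOT, "0" * 40, "refs/heads/main", "pom.xml")
    print(json.dumps(snap, indent=2))
```

Running it prints the single chain `report-engine -> template-kit -> log4j-core`, which is exactly the "filter for direct dependencies first" advice in practice: the only package the project owner can bump is `report-engine`, and anything below it is the upstream maintainer's to fix. The snapshot marks `report-engine` as `direct` and `log4j-core` as `indirect`, so Dependabot alerts raised from it carry the same distinction.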

The best part? Dependency graph is free for all public repositories. Private repos need GitHub Advanced Security to use Dependabot alerts, but the graph itself is free.

TL;DR

You can’t secure what you can’t see. GitHub’s dependency graph gives you visibility into the 90%+ of your codebase that comes from open source libraries and helps you take action when it counts.

Your future self (and your security team) will thank you.

Want to learn more about the GitHub dependency graph? Explore the documentation >

The post Understand your software’s supply chain with GitHub’s dependency graph appeared first on The GitHub Blog.
