Merge pull request #27225 from github/repo-sync

Repo sync
2026-01-06 15:01:04 -05:00 · 2023-08-02 07:33:32 -07:00
parent 1e2869e12c 59e2eb01c7
commit 46d1fd3c10
4 changed files with 28 additions and 17 deletions
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md
+++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md
@@ -88,6 +88,9 @@ The recommended formats explicitly define which versions are used for all direct
 | Maven | Java, Scala |  `pom.xml`  | `pom.xml`  |
 | npm | JavaScript |            `package-lock.json` | `package-lock.json`, `package.json`|
 | pip             | Python                    | `requirements.txt`, `pipfile.lock` | `requirements.txt`, `pipfile`, `pipfile.lock`, `setup.py` |
+{%- ifversion dependabot-dependency-graph-pnpm %}
+| pnpm             | JavaScript                    | `pnpm-lock.yaml` | `package.json`, `pnpm-lock.yaml` |
+{%- endif %}
 {%- ifversion dependency-graph-dart-support %}
 | pub             | Dart                    | `pubspec.lock` | `pubspec.yaml`, `pubspec.lock` |
 {%- endif %}
--- a/data/features/dependabot-dependency-graph-pnpm.yml
+++ b/data/features/dependabot-dependency-graph-pnpm.yml
@@ -0,0 +1,5 @@
+# Reference: Issue #9297 - Dependabot alerts and dependency graph support for pnpm
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>3.10'
--- a/data/reusables/dependabot/dependabot-alerts-dependency-scope.md
+++ b/data/reusables/dependabot/dependabot-alerts-dependency-scope.md
@@ -2,26 +2,27 @@ The table below summarizes whether dependency scope is supported for various eco

 | **Language** | **Ecosystem** | **Manifest file** | **Dependency scope supported** |
 |:---|:---:|:---:|:---|{% ifversion dependency-graph-dart-support %}
-| Dart | pub | pubspec.yaml |  ✔ |
-| Dart | pub | pubspec.lock |  ✔ |{% endif %}
+| Dart | pub | pubspec.yaml |  {% octicon "check" aria-label="Supported" %} |
+| Dart | pub | pubspec.lock |  {% octicon "check" aria-label="Supported" %} |{% endif %}
 | Go | Go modules | go.mod | No, defaults to runtime |{% ifversion ghes < 3.9 or ghae < 3.9 %}
 | Go | Go modules | go.sum | No, defaults to runtime |{% endif %}
-| Java | Maven | pom.xml | ✔ `test` maps to development, else scope defaults to runtime |
-| JavaScript | npm | package.json | ✔ |
-| JavaScript | npm | package-lock.json | ✔ |
+| Java | Maven | pom.xml | {% octicon "check" aria-label="Supported" %} `test` maps to development, else scope defaults to runtime |
+| JavaScript | npm | package.json | {% octicon "check" aria-label="Supported" %} |
+| JavaScript | npm | package-lock.json | {% octicon "check" aria-label="Supported" %} |{% ifversion dependabot-dependency-graph-pnpm %}
+| JavaScript | npm | pnpm-lock.yaml | {% octicon "check" aria-label="Supported" %} |{% endif %}
 | JavaScript |	yarn v1 | yarn.lock | No, defaults to runtime |
-| PHP | Composer | composer.json | ✔ |
-| PHP | Composer | composer.lock | ✔ |
-| Python | Poetry | poetry.lock | ✔ |
-| Python | Poetry | pyproject.toml | ✔ |
-| Python | pip | requirements.txt | ✔ Scope is development if the filename contains `test` or `dev`, else it is runtime |
-| Python | pip | pipfile.lock | ✔ |
-| Python | pip | pipfile | ✔ |
-| Ruby | RubyGems | Gemfile |	✔ |
+| PHP | Composer | composer.json | {% octicon "check" aria-label="Supported" %} |
+| PHP | Composer | composer.lock | {% octicon "check" aria-label="Supported" %} |
+| Python | Poetry | poetry.lock | {% octicon "check" aria-label="Supported" %} |
+| Python | Poetry | pyproject.toml | {% octicon "check" aria-label="Supported" %} |
+| Python | pip | requirements.txt | {% octicon "check" aria-label="Supported" %} Scope is development if the filename contains `test` or `dev`, else it is runtime |
+| Python | pip | pipfile.lock | {% octicon "check" aria-label="Supported" %} |
+| Python | pip | pipfile | {% octicon "check" aria-label="Supported" %} |
+| Ruby | RubyGems | Gemfile |	{% octicon "check" aria-label="Supported" %} |
 | Ruby | RubyGems | Gemfile.lock	| No, defaults to runtime |
-| Rust | Cargo | Cargo.toml | ✔ |
+| Rust | Cargo | Cargo.toml | {% octicon "check" aria-label="Supported" %} |
 | Rust | Cargo | Cargo.lock | No, defaults to runtime |
 | YAML | GitHub Actions | - | No, defaults to runtime |
 | .NET (C#, F#, VB, etc.) | NuGet | .csproj / .vbproj .vcxproj / .fsproj | No, defaults to runtime |
 | .NET | NuGet | packages.config | No, defaults to runtime |
-| .NET | NuGet | .nuspec | ✔ When the tag != runtime |
+| .NET | NuGet | .nuspec | {% octicon "check" aria-label="Supported" %} When the tag != runtime |
--- a/data/reusables/dependabot/supported-package-managers.md
+++ b/data/reusables/dependabot/supported-package-managers.md
@@ -81,10 +81,12 @@ In order for {% data variables.product.prodname_dependabot %} to fetch Docker me
 In addition to supporting updates to `requirements.txt` files, {% data variables.product.prodname_dependabot %} supports updates to `pyproject.toml` files if they follow the PEP 621 standard.
 {% endif %}

-{% ifversion dependabot-updates-pnpm-support %}
-
 #### pnpm

+{% ifversion dependabot-dependency-graph-pnpm %}
+pnpm is supported for {% data variables.product.prodname_dependabot_version_updates %} and {% data variables.product.prodname_dependabot_security_updates %}.
+
+{% else %}
 pnpm is supported for {% data variables.product.prodname_dependabot_version_updates %} only. {% data variables.product.prodname_dependabot_security_updates %} are not currently supported.
 {% endif %}