diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md index 1677bce882..81703c0bc2 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph.md @@ -88,6 +88,9 @@ The recommended formats explicitly define which versions are used for all direct | Maven | Java, Scala | `pom.xml` | `pom.xml` | | npm | JavaScript | `package-lock.json` | `package-lock.json`, `package.json`| | pip | Python | `requirements.txt`, `pipfile.lock` | `requirements.txt`, `pipfile`, `pipfile.lock`, `setup.py` | +{%- ifversion dependabot-dependency-graph-pnpm %} +| pnpm | JavaScript | `pnpm-lock.yaml` | `package.json`, `pnpm-lock.yaml` | +{%- endif %} {%- ifversion dependency-graph-dart-support %} | pub | Dart | `pubspec.lock` | `pubspec.yaml`, `pubspec.lock` | {%- endif %} diff --git a/data/features/dependabot-dependency-graph-pnpm.yml b/data/features/dependabot-dependency-graph-pnpm.yml new file mode 100644 index 0000000000..9471a4cce8 --- /dev/null +++ b/data/features/dependabot-dependency-graph-pnpm.yml @@ -0,0 +1,5 @@ +# Reference: Issue #9297 - Dependabot alerts and dependency graph support for pnpm +versions: + fpt: '*' + ghec: '*' + ghes: '>3.10' diff --git a/data/reusables/dependabot/dependabot-alerts-dependency-scope.md b/data/reusables/dependabot/dependabot-alerts-dependency-scope.md index 8da582f415..d74a665223 100644 --- a/data/reusables/dependabot/dependabot-alerts-dependency-scope.md +++ b/data/reusables/dependabot/dependabot-alerts-dependency-scope.md 
@@ -2,26 +2,27 @@ The table below summarizes whether dependency scope is supported for various eco | **Language** | **Ecosystem** | **Manifest file** | **Dependency scope supported** | |:---|:---:|:---:|:---|{% ifversion dependency-graph-dart-support %} -| Dart | pub | pubspec.yaml | ✔ | -| Dart | pub | pubspec.lock | ✔ |{% endif %} +| Dart | pub | pubspec.yaml | {% octicon "check" aria-label="Supported" %} | +| Dart | pub | pubspec.lock | {% octicon "check" aria-label="Supported" %} |{% endif %} | Go | Go modules | go.mod | No, defaults to runtime |{% ifversion ghes < 3.9 or ghae < 3.9 %} | Go | Go modules | go.sum | No, defaults to runtime |{% endif %} -| Java | Maven | pom.xml | ✔ `test` maps to development, else scope defaults to runtime | -| JavaScript | npm | package.json | ✔ | -| JavaScript | npm | package-lock.json | ✔ | +| Java | Maven | pom.xml | {% octicon "check" aria-label="Supported" %} `test` maps to development, else scope defaults to runtime | +| JavaScript | npm | package.json | {% octicon "check" aria-label="Supported" %} | +| JavaScript | npm | package-lock.json | {% octicon "check" aria-label="Supported" %} |{% ifversion dependabot-dependency-graph-pnpm %} +| JavaScript | npm | pnpm-lock.yaml | {% octicon "check" aria-label="Supported" %} |{% endif %} | JavaScript | yarn v1 | yarn.lock | No, defaults to runtime | -| PHP | Composer | composer.json | ✔ | -| PHP | Composer | composer.lock | ✔ | -| Python | Poetry | poetry.lock | ✔ | -| Python | Poetry | pyproject.toml | ✔ | -| Python | pip | requirements.txt | ✔ Scope is development if the filename contains `test` or `dev`, else it is runtime | -| Python | pip | pipfile.lock | ✔ | -| Python | pip | pipfile | ✔ | -| Ruby | RubyGems | Gemfile | ✔ | +| PHP | Composer | composer.json | {% octicon "check" aria-label="Supported" %} | +| PHP | Composer | composer.lock | {% octicon "check" aria-label="Supported" %} | +| Python | Poetry | poetry.lock | {% octicon "check" aria-label="Supported" %} | +| 
Python | Poetry | pyproject.toml | {% octicon "check" aria-label="Supported" %} | +| Python | pip | requirements.txt | {% octicon "check" aria-label="Supported" %} Scope is development if the filename contains `test` or `dev`, else it is runtime | +| Python | pip | pipfile.lock | {% octicon "check" aria-label="Supported" %} | +| Python | pip | pipfile | {% octicon "check" aria-label="Supported" %} | +| Ruby | RubyGems | Gemfile | {% octicon "check" aria-label="Supported" %} | | Ruby | RubyGems | Gemfile.lock | No, defaults to runtime | -| Rust | Cargo | Cargo.toml | ✔ | +| Rust | Cargo | Cargo.toml | {% octicon "check" aria-label="Supported" %} | | Rust | Cargo | Cargo.lock | No, defaults to runtime | | YAML | GitHub Actions | - | No, defaults to runtime | | .NET (C#, F#, VB, etc.) | NuGet | .csproj / .vbproj .vcxproj / .fsproj | No, defaults to runtime | | .NET | NuGet | packages.config | No, defaults to runtime | -| .NET | NuGet | .nuspec | ✔ When the tag != runtime | +| .NET | NuGet | .nuspec | {% octicon "check" aria-label="Supported" %} When the tag != runtime | diff --git a/data/reusables/dependabot/supported-package-managers.md b/data/reusables/dependabot/supported-package-managers.md index 1738a1ebbf..911d7d9ab6 100644 --- a/data/reusables/dependabot/supported-package-managers.md +++ b/data/reusables/dependabot/supported-package-managers.md 
@@ -81,10 +81,12 @@ In order for {% data variables.product.prodname_dependabot %} to fetch Docker me In addition to supporting updates to `requirements.txt` files, {% data variables.product.prodname_dependabot %} supports updates to `pyproject.toml` files if they follow the PEP 621 standard. {% endif %} -{% ifversion dependabot-updates-pnpm-support %} - #### pnpm +{% ifversion dependabot-dependency-graph-pnpm %} +pnpm is supported for {% data variables.product.prodname_dependabot_version_updates %} and {% data variables.product.prodname_dependabot_security_updates %}. + +{% else %} pnpm is supported for {% data variables.product.prodname_dependabot_version_updates %} only. {% data variables.product.prodname_dependabot_security_updates %} are not currently supported. {% endif %}
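Review bot: in the `about-the-dependency-graph.md` hunk, `package.json` is now listed as a supported manifest for both the npm row and the new pnpm row, so a repository that has a `package.json` but no lock file is ambiguous between the two; the pnpm row (or a sentence under the table) should state how the graph assigns such a repository, for example that pnpm is only recognised when `pnpm-lock.yaml` is present. Otherwise the row matches the surrounding style: alphabetical position between pip and pub, `pnpm-lock.yaml` as the recommended format, and the `{%- ifversion %}` / `{%- endif %}` whitespace-trimming form used by the Dart block directly below.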
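Review bot: the new `data/features/dependabot-dependency-graph-pnpm.yml` declares `fpt`, `ghec` and `ghes: '>3.10'` but no `ghae` entry, while the dependency-scope table this flag gates still carries a `ghae < 3.9` condition on the Go rows; if GitHub AE is meant to receive pnpm alerts and dependency graph support, add a `ghae` line, otherwise a short comment saying AE is intentionally excluded would save the next reader the question. Also worth confirming that `'>3.10'` (3.11 and later) rather than `'>=3.10'` is the intended first GHES release, since the two are easy to confuse in this format.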
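Review bot: in the `dependabot-alerts-dependency-scope.md` hunk, the added row files `pnpm-lock.yaml` under ecosystem `npm` (`| JavaScript | npm | pnpm-lock.yaml | ... |`), whereas the recommended-formats table in the same patch treats pnpm as its own package manager; for consistency between the two tables the row should read `| JavaScript | pnpm | pnpm-lock.yaml | ... |`. The replacement of the bare `✔` with `{% octicon "check" aria-label="Supported" %}` throughout is a welcome accessibility fix, and the trailing `{% ifversion dependabot-dependency-graph-pnpm %}` on the preceding line follows the same pattern the file already uses for the Dart and Go rows.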
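Review bot: in the `supported-package-managers.md` hunk, the `{% else %}` branch has lost its guard: before this change the entire pnpm section only rendered where `dependabot-updates-pnpm-support` was set, but now the `#### pnpm` heading and the sentence "pnpm is supported for ... version updates only" render on every version that lacks `dependabot-dependency-graph-pnpm`, including any version on which pnpm version updates were never available. Either keep the outer `{% ifversion dependabot-updates-pnpm-support %}` around the whole section and nest the new `dependabot-dependency-graph-pnpm` check inside it, or state in the PR that the old flag is `'*'` on every supported version and remove its feature file so the two flags do not drift apart.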