---
title: Reviewing dependency changes in a pull request
intro: 'If a pull request contains changes to dependencies, you can view a summary of what has changed and whether there are known vulnerabilities in any of the dependencies.'
versions:
type: how_to
topics:
redirect_from:
shortTitle: Review dependency changes
---
{% data reusables.dependency-review.beta %}
## About dependency review
{% data reusables.dependency-review.feature-overview %}
{% ifversion ghes > 3.1 %} Before you can use dependency review, you must enable the dependency graph and connect {% data variables.product.product_location %} to {% data variables.product.prodname_dotcom_the_website %}. For more information, see "Enabling alerts for vulnerable dependencies on {% data variables.product.prodname_ghe_server %}."{% endif %}
Dependency review lets you "shift left": the vulnerability, age, dependents, and license information it surfaces in the pull request lets you catch vulnerable dependencies at review time, before they reach production. For more information, see "About dependency review."
## Reviewing dependencies in a pull request

{% data reusables.repositories.sidebar-pr %}
{% data reusables.repositories.choose-pr-review %}
{% data reusables.repositories.changed-files %}
1. If the pull request contains many files, use the **File filter** drop-down menu to collapse all files that don't record dependencies. This will make it easier to focus your review on the dependency changes.
1. On the right of the header for a manifest or lock file, display the dependency review by clicking the {% octicon "file" aria-label="The rich diff icon" %} rich diff button.

   {% note %}

   **Note:** The dependency review provides a clearer view of what has changed in large lock files, where the source diff is not rendered by default.

   {% endnote %}

1. Check the dependencies listed in the dependency review.

   Any added or changed dependencies that have vulnerabilities are listed first, ordered by severity and then by dependency name. This means that the highest severity dependencies are always at the top of a dependency review. Other dependencies are listed alphabetically by dependency name.

   The icon beside each dependency indicates whether the dependency has been added ({% octicon "diff-added" aria-label="Dependency added icon" %}), updated ({% octicon "diff-modified" aria-label="Dependency modified icon" %}), or removed ({% octicon "diff-removed" aria-label="Dependency removed icon" %}) in this pull request.

   Other information includes:

   - The version, or version range, of the new, updated, or deleted dependency.
   - For a specific version of a dependency:
     - The age of that release of the dependency.
     - The number of projects that are dependent on this software. This information is taken from the dependency graph. Checking the number of dependents can help you avoid accidentally adding the wrong dependency.
     - The license used by this dependency, if this information is available. This is useful if you want to avoid code with certain licenses being used in your project.

   Where a dependency has a known vulnerability, the warning message includes:

   - A brief description of the vulnerability.
   - A Common Vulnerabilities and Exposures (CVE) or {% data variables.product.prodname_security_advisories %} (GHSA) identification number. You can click this ID to find out more about the vulnerability.
   - The severity of the vulnerability.
   - The version of the dependency in which the vulnerability was fixed. If you are reviewing a pull request for someone, you might ask the contributor to update the dependency to the patched version, or a later release.
{% data reusables.repositories.return-to-source-diff %}
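The ordering and checks described in the review step above, as an added example that is not part of this page and not GitHub's own dependency review code. It diffs two constructed dependency snapshots (a lockfile reduced to name/version maps, before and after the pull request), joins the added and updated entries against a constructed advisory table, and orders the result the way the review does: vulnerable added or changed dependencies first, by severity and then by name, everything else alphabetically. The package names, `GHSA-xxxx-xxxx-000N` identifiers, versions and summaries are all made up for the example, and the rule that a version is vulnerable when it is below the advisory's patched version is a simplification (real advisories carry explicit vulnerable ranges).

```python
"""Added example (not GitHub's code): reproduce the ordering and checks that a
dependency review applies, over constructed before/after dependency snapshots.

All package names, versions, GHSA identifiers and summaries below are made up
for this example. A dependency is treated as vulnerable when its version is
below the advisory's patched version; real advisories carry explicit
vulnerable ranges, so this is a simplification.
"""
from dataclasses import dataclass
from typing import Optional

# Severity levels used by GitHub advisories, ranked highest first.
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3}


@dataclass
class Advisory:
    ghsa_id: str            # placeholder identifier, not a real advisory
    severity: str           # one of SEVERITY_RANK
    patched_version: str    # first version that contains the fix
    summary: str


@dataclass
class Change:
    name: str
    kind: str                             # "added", "updated" or "removed"
    old: Optional[str]                    # version before the pull request
    new: Optional[str]                    # version after the pull request
    advisory: Optional[Advisory] = None   # set only for vulnerable added/updated deps


def parse_version(version: str) -> tuple:
    """Compare dotted numeric versions as integer tuples, e.g. 3.10.0 > 3.9.1."""
    return tuple(int(part) for part in version.split("."))


def diff_dependencies(before: dict, after: dict) -> list:
    """List every dependency whose version differs between the two snapshots."""
    changes = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old == new:
            continue  # unchanged dependencies are not part of the review
        kind = "added" if old is None else "removed" if new is None else "updated"
        changes.append(Change(name, kind, old, new))
    return changes


def attach_advisories(changes: list, advisories: dict) -> list:
    """Flag added or updated dependencies whose new version predates the fix.

    Removed dependencies are not flagged: the review lists vulnerabilities only
    for dependencies the pull request adds or changes."""
    for change in changes:
        advisory = advisories.get(change.name)
        if advisory is None or change.kind == "removed":
            continue
        if parse_version(change.new) < parse_version(advisory.patched_version):
            change.advisory = advisory
    return changes


def review_order(changes: list) -> list:
    """Vulnerable entries first (severity, then name), then the rest by name."""
    vulnerable = [c for c in changes if c.advisory is not None]
    others = [c for c in changes if c.advisory is None]
    vulnerable.sort(key=lambda c: (SEVERITY_RANK[c.advisory.severity], c.name))
    others.sort(key=lambda c: c.name)
    return vulnerable + others


def dependency_review(before: dict, after: dict, advisories: dict) -> list:
    return review_order(attach_advisories(diff_dependencies(before, after), advisories))


def render(changes: list) -> list:
    """One line per dependency, mirroring the added/modified/removed icons."""
    icons = {"added": "+", "updated": "~", "removed": "-"}
    lines = []
    for c in changes:
        version = f"{c.old} -> {c.new}" if c.kind == "updated" else (c.new or c.old)
        line = f"{icons[c.kind]} {c.name} {version}"
        if c.advisory:
            a = c.advisory
            line += f"  [{a.severity}] {a.ghsa_id}: {a.summary}; fixed in {a.patched_version}"
        lines.append(line)
    return lines


# Constructed snapshots: a lockfile reduced to name -> version, before and after the PR.
BEFORE = {"demo-http": "3.0.0", "demo-yaml": "1.4.0", "demo-cli": "0.9.0", "demo-old": "0.3.0"}
AFTER = {"demo-http": "3.1.0", "demo-yaml": "2.0.1", "demo-cli": "0.9.0",
         "demo-auth": "5.0.0", "demo-log": "1.0.2"}

# Constructed advisory table keyed by package name (identifiers are placeholders).
ADVISORIES = {
    "demo-http": Advisory("GHSA-xxxx-xxxx-0001", "critical", "3.2.0", "request smuggling"),
    "demo-yaml": Advisory("GHSA-xxxx-xxxx-0002", "high", "2.0.1", "unsafe deserialization"),
    "demo-log": Advisory("GHSA-xxxx-xxxx-0003", "low", "1.1.0", "log injection"),
    "demo-old": Advisory("GHSA-xxxx-xxxx-0004", "moderate", "0.4.0", "path traversal"),
}

if __name__ == "__main__":
    for line in render(dependency_review(BEFORE, AFTER, ADVISORIES)):
        print(line)
```

Running it lists `demo-http` first even though the pull request bumps it, because 3.1.0 is still below the advisory's patched 3.2.0; that "fixed in" value is what you would quote back to the contributor when asking for a further bump. `demo-yaml` drops out of the vulnerable group because the bump lands exactly on the patched version, and the removed `demo-old` is listed alphabetically with no warning, matching the page's statement that only added or changed dependencies are flagged.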


