Dependency graph support is now available for PHP repositories with Composer dependencies
The dependency graph is rolling out for all PHP repositories with Composer dependencies. In addition to Composer, GitHub supports package managers for many other programming languages, including Maven, NPM, Yarn, and Nuget.
The dependency graph powers many important experiences in GitHub, including security alerts, the “used by” counter, dependency insights, and automatic security fixes. We’re also seeing PHP and Composer grow in popularity—PHP is the fourth most popular language on GitHub and Composer is the fourth most starred PHP project. We’ve taken note, and the dependency graph is now rolling out for all PHP repositories with Composer dependencies. In addition to Composer, GitHub supports package managers for other programming languages, including Maven, NPM, Yarn, and Nuget.
Details
You may see security alerts on your repositories as dependency graph support rolls out. When there’s a published vulnerability on any of the Composer dependencies that your project lists in composer.json and composer.lock files, GitHub will send you an alert including email or web notifications, depending on your preferences.
Public and private repositories
If your repository is public, you’ll start receiving these alerts automatically—no need to change anything. If your repository is private or if you disabled the dependency graph on your repository, enable the dependency graph to start receiving alerts.
Multiple private repositories
Organizations with multiple private repositories can also enable the dependency graph across their repositories using a script enabling security alerts and automated security fixes.
Disable alerts on old projects
What if you don’t want to receive alerts on those old PHP projects you wrote years ago? Archive them! Archived repositories send a signal to the rest of the community that they aren’t maintained and don’t receive security alerts.
Automatic security fixes beta
If you’ve opted in to the automatic security fixes beta, you’ll receive pull requests for your vulnerable PHP dependencies when you receive security alerts. Learn more about automatic security fixes.
Enterprise plan subscribers
Organizations using GitHub Enterprise can also start leveraging dependency insights to view information about PHP dependencies. Dependency insights offers a summary of the dependency graph information across all repositories in an organization or across organizations. This makes it easy to identify where you may be using vulnerable dependencies, while providing information about a dependency’s license.
Written by
Related posts
GitHub and JFrog partner to unify code and binaries for DevSecOps
This partnership between GitHub and JFrog enables developers to manage code and binaries more efficiently on two of the most widely used developer platforms in the world.
2024 GitHub Accelerator: Meet the 11 projects shaping open source AI
Announcing the second cohort, delivering value to projects, and driving a new frontier.
Introducing GitHub Copilot Extensions: Unlocking unlimited possibilities with our ecosystem of partners
The world of Copilot is getting bigger, improving the developer experience by keeping developers in the flow longer and allowing them to do more in natural language.