Understanding the table
The dependency graph supports different methods of submitting data for direct and indirect (transitive) dependencies. See How the dependency graph recognizes dependencies.
In the table below:
- The Static transitive dependencies and Automatic dependency submission columns show you the supported methods for submitting data.
- The Static transitive dependencies column also indicates whether static analysis will add direct and transitive labels for dependent packages in that ecosystem.
- The Recommended files column suggests formats that explicitly define which versions are used for all direct and all indirect dependencies. These files lock the package versions to those included in the build and enable Dependabot to find vulnerable versions in both direct and indirect dependencies.
Supported package ecosystems
| Package manager | Languages | Static transitive dependencies | Automatic dependency submission | Recommended files | Additional files |
|---|---|---|---|---|---|
| Cargo | Rust | | | Cargo.lock | Cargo.toml |
| Composer | PHP | | | composer.lock | composer.json |
| NuGet | .NET languages (C#, F#, VB), C++ | | | .csproj, .vbproj, .nuspec, .vcxproj, .fsproj | packages.config |
| GitHub Actions workflows | YAML | | | .yml, .yaml | |
| Go modules | Go | | | go.mod | |
| Gradle | Java | | | | |
| Maven | Java, Scala | | | pom.xml | |
| npm | JavaScript | | | package-lock.json | package.json |
| pip | Python | | | requirements.txt, pipfile.lock | pipfile, setup.py |
| pnpm | JavaScript | | | pnpm-lock.yaml | package.json |
| pub | Dart | | | pubspec.lock | pubspec.yaml |
| Poetry | Python | | | poetry.lock | pyproject.toml |
| RubyGems | Ruby | | | Gemfile.lock | Gemfile, *.gemspec |
| Swift Package Manager | Swift | | | Package.resolved | |
| Yarn | JavaScript | | | yarn.lock | package.json |
Note
- If you list your Python dependencies within a setup.py file, we may not be able to parse and list every dependency in your project.
- GitHub Actions workflows must be located in the .github/workflows/ directory of a repository to be recognized as manifests. Any actions or workflows referenced using the syntax jobs[*].steps[*].uses or jobs.<job_id>.uses will be parsed as dependencies. For more information, see Workflow syntax for GitHub Actions.
- For GitHub Actions, Dependabot alerts are only generated for actions that use semantic versioning, not SHA versioning. For more information, see About Dependabot alerts and About Dependabot version updates.
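As an added example (not code from the GitHub documentation), the script below applies the parsing rule in the note to a constructed workflow: it pulls every `uses:` reference out of the file, distinguishes version tags from SHA pins and from local or Docker references, and lists which references Dependabot alerts would cover. The sample workflow, the action names and the commit SHA in it are constructed, and the line-oriented match is a stand-in for a full YAML walk of jobs.<job_id>.steps[*].uses and jobs.<job_id>.uses.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not from the page) exercising both reference
# forms the dependency graph parses: jobs.<job_id>.steps[*].uses and
# jobs.<job_id>.uses (a reusable workflow call).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b  # constructed SHA
        with:
          node-version: 20
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
  release:
    uses: octo-org/octo-repo/.github/workflows/release.yml@v2
"""

# Line-oriented match for a `uses:` key (simplification: a full YAML parse
# would walk jobs.<job_id>.steps[*].uses and jobs.<job_id>.uses explicitly).
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full git commit SHA
VERSION_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")  # v4, v4.1, 4.1.1


def classify(target: str) -> Dict[str, str]:
    """Split a `uses:` target into dependency, ref and how it is pinned."""
    if target.startswith("./"):
        return {"dependency": target, "ref": "", "pin": "local"}
    if target.startswith("docker://"):
        return {"dependency": target, "ref": "", "pin": "docker"}
    name, sep, ref = target.rpartition("@")
    if not sep:  # no "@ref" at all
        return {"dependency": target, "ref": "", "pin": "unpinned"}
    if SHA_RE.fullmatch(ref):
        pin = "sha"
    elif VERSION_RE.fullmatch(ref):
        pin = "version"
    else:
        pin = "other"  # e.g. a branch name
    return {"dependency": name, "ref": ref, "pin": pin}


def scan_workflow(text: str) -> List[Dict[str, str]]:
    """Return every action or reusable workflow referenced via `uses:`."""
    return [classify(m.group(1)) for m in map(USES_RE.match, text.splitlines()) if m]


def alert_eligible(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Dependabot alerts cover only version-tagged refs, not SHA-pinned ones."""
    return [r for r in records if r["pin"] == "version"]
```

Run `scan_workflow` over each file under .github/workflows/ to inventory which action references sit outside Dependabot alert coverage.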