From 16ef992fce398fe995c326a65fedd64f413adf7c Mon Sep 17 00:00:00 2001
From: Joe Clark <31087804+jc-clark@users.noreply.github.com>
Date: Tue, 25 Mar 2025 10:04:09 -0700
Subject: [PATCH 1/3] Delete the diy docs steps for now, for testing (#55002)
---
 .github/workflows/ready-for-doc-review.yml | 51 ----------------------
 1 file changed, 51 deletions(-)
diff --git a/.github/workflows/ready-for-doc-review.yml b/.github/workflows/ready-for-doc-review.yml
index ec3795372347..4b7366442ef0 100644
--- a/.github/workflows/ready-for-doc-review.yml
+++ b/.github/workflows/ready-for-doc-review.yml
@@ -43,57 +43,6 @@ jobs:
 echo "AUTHOR_LOGIN=${{ github.event.pull_request.user.login }}" >> $GITHUB_ENV
 fi
- # Check if the PR is connected to an issue that has the DIY docs label. The grep command parses through the PR description to find issue numbers that are linked in the PR description. The GitHub CLI command then checks if the issue exists in the docs-content repo, then checks if the linked docs-content issues have the DIY docs label. If the linked issues have the DIY docs label, the DIY_DOCS_LABEL environment variable is set to true.
- - name: Check if PR is connected to DIY docs issue
- if: github.repository == 'github/docs-internal'
- id: check-diy-docs
- env:
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
- run: |
- echo "Extracting issue numbers from PR description..."
-
- # Get issue numbers directly using gh pr view
- ISSUE_NUMS=$(gh pr view ${{ github.event.pull_request.number }} --json body -q .body | \
- grep -oE '(https://github.com/github/docs-content/issues/[0-9]+|github/docs-content#[0-9]+|#[0-9]+)' | \
- grep -oE '[0-9]+$' || echo "")
- echo "Extracted docs-content issue numbers: $ISSUE_NUMS"
-
- if [ -n "$ISSUE_NUMS" ]; then
- for ISSUE_NUM in $ISSUE_NUMS; do
- echo "Checking issue #$ISSUE_NUM in the docs-content repository..."
- if gh issue view $ISSUE_NUM --repo github/docs-content --json labels -q '.labels[].name' | grep -q 'DIY docs'; then
- echo "DIY docs label found for issue #$ISSUE_NUM."
- echo "DIY_DOCS_LABEL=true" >> $GITHUB_ENV
- break
- else
- echo "Issue #$ISSUE_NUM exists but does not have the DIY docs label."
- fi
- done
- else
- echo "No DIY docs issues found in the PR description."
- fi
-
- # Debug step to confirm environment variables are set correctly
- - name: Debug environment variables
- run: |
- echo "Current environment variables:"
- echo "DIY_DOCS_LABEL: $DIY_DOCS_LABEL"
- echo "Repository: ${{ github.repository }}"
-
- # If the PR description contains a link to a DIY docs issue, add the DIY docs label to the PR.
- - name: Add the DIY docs label if connected to a DIY docs issue
- if: ${{ env.DIY_DOCS_LABEL == 'true' }} && github.repository == 'github/docs-internal'
- env:
- GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
- PR_URL: ${{ github.event.pull_request.html_url }}
- run: |
- # Debugging output
- echo "Condition check:"
- echo "DIY_DOCS_LABEL is: $DIY_DOCS_LABEL"
- echo "github.repository is: ${{ github.repository }}"
- echo "Adding the DIY docs label..."
- gh pr edit $PR_URL --add-label 'DIY docs'
-
 - name: Run script
 run: |
 npm run ready-for-docs-review
From b99d0cfab38c56da56df7fe52c350817ccdb144d Mon Sep 17 00:00:00 2001
From: "release-controller[bot]" <110195724+release-controller[bot]@users.noreply.github.com>
Date: Tue, 25 Mar 2025 10:50:39 -0700
Subject: [PATCH 2/3] Patch release notes for GitHub Enterprise Server (#54942)
Co-authored-by: Release-Controller
Co-authored-by: Devin Dooley
Co-authored-by: Rachael Rose Renk <91027132+rachaelrenk@users.noreply.github.com>
Co-authored-by: Vanessa
---
 .../enterprise-server/3-12/17.yml | 40 +++++++++++
 .../enterprise-server/3-13/13.yml | 46 ++++++++++++
 .../enterprise-server/3-14/10.yml | 56 +++++++++++++++
 .../enterprise-server/3-15/5.yml | 54 ++++++++++++++
 .../enterprise-server/3-16/1.yml | 70 +++++++++++++++++++
 5 files changed, 266 insertions(+)
 create mode 100644 data/release-notes/enterprise-server/3-12/17.yml
 create mode 100644 data/release-notes/enterprise-server/3-13/13.yml
 create mode 100644 data/release-notes/enterprise-server/3-14/10.yml
 create mode 100644 data/release-notes/enterprise-server/3-15/5.yml
 create mode 100644 data/release-notes/enterprise-server/3-16/1.yml
diff --git a/data/release-notes/enterprise-server/3-12/17.yml b/data/release-notes/enterprise-server/3-12/17.yml
new file mode 100644
index 000000000000..7edf6fdbab18
--- /dev/null
+++ b/data/release-notes/enterprise-server/3-12/17.yml
@@ -0,0 +1,40 @@ +date: '2025-03-25' +sections: + security_fixes: + - | + Packages have been updated to the latest security versions. + bugs: + - | + The `ghe-upgrade` command returned a zero exit code despite encountering errors. + - | + Restoring from a backup did not always apply the latest data from GitHub Actions. All GitHub Actions data is now restored with a backup. + - | + Users could not use the `/manage/v1/config/apply` API endpoint to trigger the first configuration run on an instance. + changes: + - | + Update the bundled `actions/setup-dotnet` with the latest versions from https://github.com/actions/setup-dotnet. + known_issues: + - | + Custom firewall rules are removed during the upgrade process. + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning. + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. 
+ - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + The `reply.[hostname]` subdomain is falsely always displaying as having no ssl and dns record, when testing the domain settings via management console **without subdomain isolation**. When regenerating the certificates with management console, the `subdomain reply.[hostname]` is missing from the ssl certification. + - | + Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised. + - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. + - | + Some customers upgrading from 3.11.x or 3.12.x may experience a bug with the feature "Automatic update checks", filling the root disk with logs causing a system degradation. To prevent this, you can turn off the feature "[Enable automatic update check](/admin/upgrading-your-instance/preparing-to-upgrade/enabling-automatic-update-checks#enabling-automatic-update-checks)" in the management console. + - | + After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows. diff --git a/data/release-notes/enterprise-server/3-13/13.yml b/data/release-notes/enterprise-server/3-13/13.yml new file mode 100644 index 000000000000..eac768f7e5ea --- /dev/null +++ b/data/release-notes/enterprise-server/3-13/13.yml 
@@ -0,0 +1,46 @@ +date: '2025-03-25' +sections: + security_fixes: + - | + Packages have been updated to the latest security versions. + bugs: + - | + The `ghe-upgrade` command returned a zero exit code despite encountering errors. + - | + When performing an upgrade with an upgrade package, the process did not terminate when an invalid target partition was provided with the `-t` flag. + - | + Users could not use the `/manage/v1/config/apply` API endpoint to trigger the first configuration run on an instance. + - | + Restoring from a backup did not always apply the latest data from GitHub Actions. All GitHub Actions data is now restored with a backup. + - | + For instances in a high availability configuration, Elasticsearch indices were deleted on failover and when `ghe-repl-teardown REPLICA_HOSTNAME` was run from the primary instance. All indices are recoverable except audit log indices, whose source of truth is Elasticsearch itself. + - | + In Azure environments, running `ghe-single-config-apply` or `ghe-repl-setup` resulted in "Permission denied" errors during the pre-flight check. + changes: + - | + Elasticsearch shards are excluded from the replica node when stopping replication via `ghe-repl-stop`. To prevent Elasticsearch from being stopped before all shards have been removed, Elasticsearch is polled until the shard count on the replica node is zero instead of waiting for a maximum timeout of 30 seconds. + - | + Update the bundled `actions/setup-dotnet` with the latest versions from https://github.com/actions/setup-dotnet. + known_issues: + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. 
Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps. + - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`. + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. 
+ - | + After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance. + - | + After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows. diff --git a/data/release-notes/enterprise-server/3-14/10.yml b/data/release-notes/enterprise-server/3-14/10.yml new file mode 100644 index 000000000000..0df810b6e8dd --- /dev/null +++ b/data/release-notes/enterprise-server/3-14/10.yml 
@@ -0,0 +1,56 @@ +date: '2025-03-25' +sections: + security_fixes: + - | + Packages have been updated to the latest security versions. + bugs: + - | + The `ghe-upgrade` command returned a zero exit code despite encountering errors. + - | + When performing an upgrade with an upgrade package, the process did not terminate when an invalid target partition was provided with the `-t` flag. + - | + Users could not use the `/manage/v1/config/apply` API endpoint to trigger the first configuration run on an instance. + - | + For instances in a high availability configuration, Elasticsearch indices were deleted on failover and when `ghe-repl-teardown REPLICA_HOSTNAME` was run from the primary instance. All indices are recoverable except audit log indices, whose source of truth is Elasticsearch itself. + - | + Restoring from a backup did not always apply the latest data from GitHub Actions. All GitHub Actions data is now restored with a backup. + - | + In Azure environments, running `ghe-single-config-apply` or `ghe-repl-setup` resulted in "Permission denied" errors during the pre-flight check. + - | + On instances with a GitHub Advanced Security license, some secret scanning alerts were opened incorrectly despite the relevant folders or files being excluded from secret scanning. + changes: + - | + Elasticsearch shards are excluded from the replica node when stopping replication via `ghe-repl-stop`. To prevent Elasticsearch from being stopped before all shards have been removed, Elasticsearch is polled until the shard count on the replica node is zero instead of waiting for a maximum timeout of 30 seconds. + - | + Update the bundled `actions/setup-dotnet` with the latest versions from https://github.com/actions/setup-dotnet. + known_issues: + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. 
+ - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps. + - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. 
It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`. + - | + An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning. + - | + In the header bar displayed to site administrators, some icons are not available. + - | + When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded. + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. + - | + After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance. + - | + After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows. diff --git a/data/release-notes/enterprise-server/3-15/5.yml b/data/release-notes/enterprise-server/3-15/5.yml new file mode 100644 index 000000000000..f88d0a0432a6 --- /dev/null +++ b/data/release-notes/enterprise-server/3-15/5.yml 
@@ -0,0 +1,54 @@ +date: '2025-03-25' +sections: + security_fixes: + - | + Packages have been updated to the latest security versions. + bugs: + - | + In Azure environments, running `ghe-single-config-apply` or `ghe-repl-setup` resulted in "Permission denied" errors during the pre-flight check. + - | + The `ghe-upgrade` command returned a zero exit code despite encountering errors. + - | + When performing an upgrade with an upgrade package, the process did not terminate when an invalid target partition was provided with the `-t` flag. + - | + For instances in a high availability configuration, Elasticsearch indices were deleted on failover and when `ghe-repl-teardown REPLICA_HOSTNAME` was run from the primary instance. All indices are recoverable except audit log indices, whose source of truth is Elasticsearch itself. + - | + On instances with a GitHub Advanced Security license, some secret scanning alerts were opened incorrectly despite the relevant folders or files being excluded from secret scanning. + changes: + - | + Elasticsearch shards are excluded from the replica node when stopping replication via `ghe-repl-stop`. To prevent Elasticsearch from being stopped before all shards have been removed, Elasticsearch is polled until the shard count on the replica node is zero instead of waiting for a maximum timeout of 30 seconds. + - | + Update the bundled `actions/setup-dotnet` with the latest versions from https://github.com/actions/setup-dotnet. + known_issues: + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. 
For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps. + - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`. + - | + An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning. + - | + In the header bar displayed to site administrators, some icons are not available. 
+ - | + When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded. + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. + - | + When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration. + - | + Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories. + - | + After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance. diff --git a/data/release-notes/enterprise-server/3-16/1.yml b/data/release-notes/enterprise-server/3-16/1.yml new file mode 100644 index 000000000000..b9fddbc9f302 --- /dev/null +++ b/data/release-notes/enterprise-server/3-16/1.yml 
@@ -0,0 +1,70 @@ +date: '2025-03-25' +sections: + security_fixes: + - | + Packages have been updated to the latest security versions. + bugs: + - | + In Azure environments, running `ghe-single-config-apply` or `ghe-repl-setup` resulted in "Permission denied" errors during the pre-flight check. + - | + The `ghe-upgrade` command returned a zero exit code despite encountering errors. + - | + When performing an upgrade with an upgrade package, the process did not terminate when an invalid target partition was provided with the `-t` flag. + - | + Restoring from a backup did not always apply the latest data from GitHub Actions. All GitHub Actions data is now restored with a backup. + - | + For instances in a high availability configuration, Elasticsearch indices were deleted on failover and when `ghe-repl-teardown REPLICA_HOSTNAME` was run from the primary instance. All indices are recoverable except audit log indices, whose source of truth is Elasticsearch itself. + - | + On an instance with security product defaults set on organizations, users were unable to upgrade from versions earlier than 3.15 due to database migration failures. + - | + Domain entries could fail to load in the "Verified & Approves Domains" section of the site admin dashboard if one or more authoritative nameservers for the affected domain was unreachable or unresponsive due to inefficient DNS queries. + - | + On instances with a GitHub Advanced Security license, some secret scanning alerts were opened incorrectly despite the relevant folders or files being excluded from secret scanning. + changes: + - | + Elasticsearch shards are excluded from the replica node when stopping replication via `ghe-repl-stop`. To prevent Elasticsearch from being stopped before all shards have been removed, Elasticsearch is polled until the shard count on the replica node is zero instead of waiting for a maximum timeout of 30 seconds. 
+ - | + Update the bundled `actions/setup-dotnet` with the latest versions from https://github.com/actions/setup-dotnet. + known_issues: + - | + Custom firewall rules are removed during the upgrade process. + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. 
If this occurs, shutdown the node and repeat the steps. + - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring data originally backed up from a 3.13 or greater appliance version, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`. + - | + An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded. + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. + - | + When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration. + - | + Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories. 
+ - | + Some customers upgrading from 3.11.x or 3.12.x may experience a bug with the feature "Automatic update checks", filling the root disk with logs causing a system degradation. To prevent this, you can turn off the feature "[Enable automatic update check](/admin/upgrading-your-instance/preparing-to-upgrade/enabling-automatic-update-checks#enabling-automatic-update-checks)" in the management console. + - | + In a cluster, the host running restore requires access the storage nodes via their private IPs. + - | + On an instance hosted on Azure, commenting on an issue via email meant the comment was not added to the issue. + - | + After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance. + - | + After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows. From f5f22e4485b4a0c2fee3f9f3cdb117b2aa38b58e Mon Sep 17 00:00:00 2001 From: Eric Sorenson Date: Tue, 25 Mar 2025 10:56:49 -0700 Subject: [PATCH 3/3] Dependency graph and supply chain security updates for March 2025 (#54954) Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- .../about-supply-chain-security.md | 15 ++++--- ...pendency-submission-for-your-repository.md | 6 ++- ...loring-the-dependencies-of-a-repository.md | 18 ++------ .../troubleshooting-the-dependency-graph.md | 44 ++++++++++++------- .../dependabot/dependabot-alerts-filters.md | 2 +- .../repository-view-update.md | 4 +- data/reusables/dependency-graph/sbom-intro.md | 6 +-- .../supported-package-ecosystems.md | 34 +++++++------- 8 files changed, 68 insertions(+), 61 deletions(-) 
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md index 5ed47b66b7cc..3bc601536861 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security.md @@ -39,7 +39,7 @@ The supply chain features on {% data variables.product.github %} are: * **{% data variables.product.prodname_dependabot_security_updates %}** * **{% data variables.product.prodname_dependabot_version_updates %}** -The dependency graph is central to supply chain security. The dependency graph identifies all upstream dependencies and public downstream dependents of a repository or package. You can see your repository’s dependencies and some of their properties, like vulnerability information, on the dependency graph for the repository. +The dependency graph is central to supply chain security. The dependency graph identifies all upstream dependencies and public downstream dependents of a repository or package. Your repository’s dependency graph tracks and displays its dependencies and some of their properties, like vulnerability information. Other supply chain features on {% data variables.product.prodname_dotcom %} rely on the information provided by the dependency graph. 
@@ -53,12 +53,13 @@ For best practice guides on end-to-end supply chain security including the prote
 ## Feature overview
-### What is the dependency graph
+### What is the dependency graph?
 To generate the dependency graph, {% data variables.product.company_short %} looks at a repository’s explicit dependencies declared in the manifest and lockfiles. When enabled, the dependency graph automatically parses all known package manifest files in the repository, and uses this to construct a graph with known dependency names and versions.
 * The dependency graph includes information on your _direct_ dependencies and _transitive_ dependencies.
 * The dependency graph is automatically updated when you push a commit to {% data variables.product.company_short %} that changes or adds a supported manifest or lock file to the default branch, and when anyone pushes a change to the repository of one of your dependencies.
+* The dependency graph can also include information you provide as your project is building using {% data variables.product.prodname_actions %}. Some package ecosystems pull in most of their transitive dependencies at build time, so submitting dependency information as the build is happening provides a more complete view of the supply chain.
 * You can see the dependency graph by opening the repository's main page on {% data variables.product.github %}, and navigating to the **Insights** tab.
 * {% data reusables.dependency-graph.sbom-export %}
@@ -66,7 +67,7 @@ To generate the dependency graph, {% data variables.product.company_short %} loo
 For more information about the dependency graph, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
-### What is dependency review
+### What is dependency review?
 Dependency review helps reviewers and contributors understand dependency changes and their security impact in every pull request.
@@ -75,9 +76,9 @@ Dependency review helps reviewers and contributors understand dependency changes
 For more information about dependency review, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).
-### What is Dependabot
+### What is Dependabot?
-{% data variables.product.prodname_dependabot %} keeps your dependencies up to date by informing you of any security vulnerabilities in your dependencies, and automatically opens pull requests to upgrade your dependencies to the next available secure version when a {% data variables.product.prodname_dependabot %} alert is triggered, or to the latest version when a release is published.
+{% data variables.product.prodname_dependabot %} keeps your dependencies up to date by informing you of any security vulnerabilities in your dependencies and automatically opening pull requests to upgrade your dependencies. {% data variables.product.prodname_dependabot %} pull requests will target the next available secure version when a {% data variables.product.prodname_dependabot %} alert is triggered, or to the latest version when a release is published.
 The term "{% data variables.product.prodname_dependabot %}" encompasses the following features:
 * {% data variables.product.prodname_dependabot_alerts %}: Displayed notification on the **Security** tab for the repository, and in the repository's dependency graph. The alert includes a link to the affected file in the project, and information about a fixed version.
@@ -103,7 +104,7 @@ For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dep
 {% data reusables.dependabot.dependabot-actions-support %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates).
-#### What are Dependabot alerts
+#### What are Dependabot alerts?
 {% data variables.product.prodname_dependabot_alerts %} highlight repositories affected by a newly discovered vulnerability based on the dependency graph and the {% data variables.product.prodname_advisory_database %}, which contains advisories for known vulnerabilities.
@@ -116,7 +117,7 @@ For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dep
 For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts).
-#### What are Dependabot updates
+#### What are Dependabot updates?
 There are two types of {% data variables.product.prodname_dependabot_updates %}: {% data variables.product.prodname_dependabot %} _security_ updates and _version_ updates. {% data variables.product.prodname_dependabot %} generates automatic pull requests to update your dependencies in both cases, but there are several differences.
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md
index 062a1748d3e0..8fbab640dbcd 100644
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md
+++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository.md
@@ -19,9 +19,9 @@ topics:
 > [!NOTE]
 > Automatic dependency submission is currently only supported for Maven.
-Dependency graph analyzes the manifest and lock files in a repository, in order to help users understand the dependencies that the repository depends on. However, in some ecosystems, the resolution of transitive dependencies occurs at build-time and {% data variables.product.company_short %} isn't able to automatically discover all dependencies based on the contents of the repository alone.
+Dependency graph analyzes the manifest and lock files in a repository, in order to help users understand the upstream packages that their software project depends on. However, in some ecosystems, the resolution of transitive dependencies occurs at build-time and {% data variables.product.company_short %} isn't able to automatically discover all dependencies based on the contents of the repository alone.
-When you enable automatic dependency submission for a repository, {% data variables.product.company_short %} automatically identifies the transitive dependencies in the repository and will submit these dependencies to {% data variables.product.company_short %} using the {% data variables.dependency-submission-api.name %}. You can then report on these dependencies using the dependency graph.
+When you enable automatic dependency submission for a repository, {% data variables.product.company_short %} automatically identifies the transitive dependencies in the repository and will submit these dependencies to {% data variables.product.company_short %} using the {% data variables.dependency-submission-api.name %}. You can then explore these dependencies using the dependency graph. {% data variables.product.prodname_dependabot %} will notify you about security updates for these dependencies by generating {% data variables.product.prodname_dependabot_alerts %} .
 Using automatic dependency submission counts toward your {% data variables.product.prodname_actions %} minutes.
For more information, see [AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions).
@@ -83,6 +83,8 @@ Automatic dependency submission is currently only supported for Maven. The featu
 Automatic dependency submission makes a best effort to cache package downloads between runs using the [Cache](https://github.com/marketplace/actions/cache) action to speed up workflows. For self-hosted runners, you may want to manage this cache within your own infrastructure. To do this, you can disable the built-in caching by setting an environment variable of `GH_DEPENDENCY_SUBMISSION_SKIP_CACHE` to `true`. For more information, see [AUTOTITLE](/actions/learn-github-actions/variables).
+If your repository's dependencies seem inaccurate, check that the timestamp of the last dependency graph build matches the last change to your `pom.xml` file. The timestamp is visible on the table of alerts in the repository's {% data variables.product.prodname_dependabot_alerts %} tab. Pushing a commit which updates `pom.xml` will trigger a new run of the Dependency Tree Submission action and force a rebuild of that repository's dependency graph.
+
 ## Further reading
+* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md
index 77b81908f3eb..3e17d93ffaaa 100644
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md
+++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md
@@ -29,9 +29,7 @@ The dependency graph shows the dependencies{% ifversion fpt or ghec %} and depen
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.accessing-repository-graphs %}
 {% data reusables.repositories.click-dependency-graph %}
-1. Optionally, use the search bar to find a specific dependency or set of dependencies.
-
- >[!NOTE] The search bar only searches based on the package name.
+1. Optionally, use the search bar to find a specific dependency or set of dependencies. You can use the keywords `ecosystem:` to show only packages of a certain type, or `relationship:` to show only direct or transitive dependencies (if the ecosystem supports transitivity). Plain words in search bar will only match package names.
 {% ifversion fpt or ghec %}
@@ -50,14 +48,14 @@ Enterprise owners can configure the dependency graph at an enterprise level. For
 ### Dependencies view
 {% ifversion fpt or ghec %}
-For each dependency, you can see its ecosystem, the manifest file in which it was found, and the license (where detected).
+For each dependency, you can see its ecosystem, the manifest file in which it was found, and its license (where detected).
 * Dependencies for private repositories, private packages, or unrecognized files are shown in plain text.
 * If the package manager for the dependency is in a public repository, you can hover on the dependency name to display a pop-up with the associated repository information.
 * You can sort and filter dependencies by typing filters as `key:value` pairs into the search bar.
 * Use `ecosystem: ` to display dependencies for the selected ecosystem.{% ifversion transitive-dependency-labeling-npm %}
- * **For npm only.** Use `relationship:` to filter the list by relationship status. Possible values are `direct`, `transitive`, and `inconclusive`. Alternatively, you can click the relationship label adjacent to a dependency name to only show dependencies of the same relationship status.{% endif %}
+ * Use `relationship:` to filter the list by relationship status. Possible values are `direct`, `transitive`, and `inconclusive`. Alternatively, you can click the relationship label adjacent to a dependency name to only show dependencies of the same relationship status. This filter is only available for ecosystems with transitive dependency support. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems) for more information.{% endif %}
 {% endif %}
@@ -109,17 +107,9 @@ The "Used by" section represents a single package from the repository. If you ha
 {% endif %}
-## Troubleshooting the dependency graph
-
-If your dependency graph is empty, there may be a problem with the file containing your dependencies. Check the file to ensure that it's correctly formatted for the file type.
-
-{% ifversion fpt or ghec %}
-If the file is correctly formatted, then check its size. The dependency graph ignores individual manifest and lock files that are over 1.5 Mb, unless you are a {% data variables.product.prodname_enterprise %} user. It processes up to 150 manifest or lock files per repository by default, so you can split dependencies into smaller files in subdirectories of the repository.{% endif %}
-
-If a manifest or lock file is not processed, its dependencies are omitted from the dependency graph and they can't be checked for insecure dependencies.
-
 ## Further reading
+* [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph)
 * [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)
 * [AUTOTITLE](/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts){% ifversion ghec %}
 * [AUTOTITLE](/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-dependencies-in-your-organization){% endif %}{% ifversion fpt or ghec %}
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md
index 83e67efc5cc2..0f077bbdd039 100644
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md
+++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/troubleshooting-the-dependency-graph.md 
@@ -40,28 +40,40 @@ However, you can use the {% data variables.dependency-submission-api.name %} to
 ## Are there limits which affect the dependency graph data?
-Yes, the dependency graph has one category of limits:
+Yes, the dependency graph has limits on the size, number, and location of manifest files that it will process.
-1. **Processing limits**
+The processing limits affect the dependency graph displayed within {% data variables.product.prodname_dotcom %} and also prevent {% data variables.product.prodname_dependabot_alerts %} being created.
- These affect the dependency graph displayed within {% data variables.product.prodname_dotcom %} and also prevent {% data variables.product.prodname_dependabot_alerts %} being created.
+Manifests over 10 MB in size are ignored and will not generate {% data variables.product.prodname_dependabot_alerts %}.
- Manifests over 0.5 MB in size are only processed for enterprise accounts. For other accounts, manifests over 0.5 MB are ignored and will not create {% data variables.product.prodname_dependabot_alerts %}.
+By default, {% data variables.product.github %} will not process more than {% ifversion fpt or ghec %}150{% else %}600{% endif %} manifests per repository. {% data variables.product.prodname_dependabot %} doesn't generate {% data variables.product.prodname_dependabot_alerts %} for manifests beyond this limit, and {% data variables.product.prodname_dependabot_alerts %} may behave unpredictably if this limit is exceeded.
- By default, {% data variables.product.prodname_dotcom %} will not process more than {% ifversion fpt or ghec %}150{% else %}600{% endif %} manifests per repository. {% data variables.product.prodname_dependabot_alerts %} are not created for manifests beyond this limit, and {% data variables.product.prodname_dependabot_alerts %} may behave unpredictably if this limit is exceeded.
+Manifest files stored in directories with names that are typically used for vendored dependencies will not be processed.
A directory whose name matches the following regular expressions is considered a vendored dependencies directory:
+
+ * (3rd|[Tt]hird)[-_]?[Pp]arty/
+ * (^|/)vendors?/
+ * (^|/)[Ee]xtern(als?)?/
+ * (^|/)[Vv]+endor/
+
- Manifest files stored in directories with names that are typically used for vendored dependencies will not be processed. A directory whose name matches the following regular expressions is considered a vendored dependencies directory:
-
- * (3rd|[Tt]hird)[-_]?[Pp]arty/
- * (^|/)vendors?/
- * (^|/)[Ee]xtern(als?)?/
- * (^|/)[Vv]+endor/
-
+ Examples:
+ * third-party/dependencies/dependency1
+ * vendors/dependency1
+ * /externals/vendor1/dependency1
- Examples:
- * third-party/dependencies/dependency1
- * vendors/dependency1
- * /externals/vendor1/dependency1
+## My dependencies don't look right, what can I do?
+
+If the table of dependencies for your project doesn't accurately represent your repository's manifests, you can trigger a rebuild of its dependency graph.
+
+From the repository's {% data variables.product.prodname_dependabot_alerts %} tab, click {% octicon "gear" aria-label="settings" %} at the top of the alert list. Select **Refresh {% data variables.product.prodname_dependabot_alerts %}** from the dropdown menu. This will enqueue a background task to process the repository's manifests, detect any new or changed dependencies, and update the alerts.
+
+>[!NOTE] You need to have permission to manage security alerts in order to refresh a repository's dependency graph. See [AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts) for information on configuring this access. To further reduce the potential for abuse, the **Refresh {% data variables.product.prodname_dependabot_alerts %}** option can only be triggered once an hour per repository.
+
+Clicking **Refresh {% data variables.product.prodname_dependabot_alerts %}** will only scan manifest files. If your dependency graph also includes build-time dependency information submitted using the {% data variables.dependency-submission-api.name %}, rerunning the Action or external process which generates and submits the dependency information will also trigger a rebuild of the repository's dependency graph. For more information about the {% data variables.dependency-submission-api.name %}, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api).
+
+If you are using automatic dependency submission for Maven, pushing a commit that updates the repository's `pom.xml` will trigger the automatic submission action to run.
+
+In all cases, the timestamp at the top of the list of alerts indicates the last time the dependency graph was built.
 ## Further reading
diff --git a/data/reusables/dependabot/dependabot-alerts-filters.md b/data/reusables/dependabot/dependabot-alerts-filters.md
index 3426667054db..50ac48b14844 100644
--- a/data/reusables/dependabot/dependabot-alerts-filters.md
+++ b/data/reusables/dependabot/dependabot-alerts-filters.md
@@ -10,7 +10,7 @@ You can sort and filter {% data variables.product.prodname_dependabot_alerts %}
 | `manifest` | Displays alerts for the selected manifest | Use `manifest:webwolf/pom.xml` to show alerts on the pom.xml file of the webwolf application |
 | `package` | Displays alerts for the selected package | Use `package:django` to show alerts for django |
 | {% ifversion transitive-dependency-labeling-npm %} |
-| `relationship` | Displays alerts of the selected relationship status
Note that this filter is only available for npm. | Use `relationship:direct` to show alerts for direct dependencies (marked with the `Direct` label). |
+| `relationship` | Displays alerts of the selected relationship status
Note that this filter is only available for ecosystems with transitive support. | Use `relationship:direct` to show alerts for direct dependencies (marked with the `Direct` label). |
 | {% endif %} |
 | `resolution` | Displays alerts of the selected resolution status | Use `resolution:no-bandwidth` to show alerts previously parked due to lack of resources or time to fix them |
 | `repo` | Displays alerts based on the repository they relate to
Note that this filter is only available for security overview. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview) | Use `repo:octocat-repo` to show alerts in the repository called `octocat-repo` |
diff --git a/data/reusables/dependency-graph/repository-view-update.md b/data/reusables/dependency-graph/repository-view-update.md
index bdc0587c4b41..0c4920d6c290 100644
--- a/data/reusables/dependency-graph/repository-view-update.md
+++ b/data/reusables/dependency-graph/repository-view-update.md
@@ -1 +1,3 @@
-For each dependency, you can see the {% ifversion fpt or ghec %}license information and{% endif %} vulnerability severity. You can also search for a specific dependency using the search bar. Dependencies are sorted automatically by vulnerability severity.
+For each dependency, you can see the version, {% ifversion fpt or ghec %}license information,{% endif %} the manifest file which included it, and whether it has known vulnerabilities. For package ecosystems supporting transitive dependencies, the relationship status will be displayed and the disclosure button **...** will show the transitive path which brought in the dependency. For more information about transitive dependency support, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems).
+
+You can also search for a specific dependency using the search bar. Dependencies are sorted automatically with vulnerabilities at the top.
diff --git a/data/reusables/dependency-graph/sbom-intro.md b/data/reusables/dependency-graph/sbom-intro.md
index 85c73ddc7f1d..bb55fa016700 100644
--- a/data/reusables/dependency-graph/sbom-intro.md
+++ b/data/reusables/dependency-graph/sbom-intro.md
@@ -1,8 +1,8 @@
-An SBOM is a formal, machine-readable inventory of a project's dependencies and associated information (such as {% ifversion ghes %}versions and package identifiers{% else %}versions, package identifiers, licenses, transitive paths for package ecosystems with support for transitive dependency labeling, and copyright information{% endif %}). SBOMs help reduced supply chain risks by:
+An SBOM is a formal, machine-readable inventory of a project's dependencies and associated information (such as {% ifversion ghes %}versions and package identifiers{% else %}versions, package identifiers, licenses, transitive paths for package ecosystems with support for transitive dependency labeling, and copyright information{% endif %}). SBOMs help reduce supply chain risks by:
 * Providing transparency about the dependencies used by your repository
-* Allowing vulnerabilities to be identified early in the process
+* Allowing vulnerabilities to be identified across your codebase
 * Providing insights in the license compliance, security, or quality issues that may exist in your codebase
 * Enabling you to better comply with various data protection standards
-{% ifversion transitive-dependency-labeling-npm %}For more information about the ecosystems supporting transitive dependency labeling, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#dependencies-view).{% endif %}
+{% ifversion transitive-dependency-labeling-npm %}For more information about the ecosystems supporting transitive dependency labeling, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems).{% endif %}
diff --git a/data/reusables/dependency-graph/supported-package-ecosystems.md b/data/reusables/dependency-graph/supported-package-ecosystems.md
index 5aee52a30f1e..2cb534f2d017 100644
--- a/data/reusables/dependency-graph/supported-package-ecosystems.md
+++ b/data/reusables/dependency-graph/supported-package-ecosystems.md
@@ -1,22 +1,22 @@
-| Package manager | Languages | Recommended formats | All supported formats |
-| --- | --- | --- | ---|
-| Cargo | Rust | `Cargo.lock` | `Cargo.toml`, `Cargo.lock` |
-| Composer | PHP | `composer.lock` | `composer.json`, `composer.lock` |
-| NuGet | .NET languages (C#, F#, VB), C++ | `.csproj`, `.vbproj`, `.nuspec`, `.vcxproj`, `.fsproj` | `.csproj`, `.vbproj`, `.nuspec`, `.vcxproj`, `.fsproj`, `packages.config` |
-| {% data variables.product.prodname_actions %} workflows | YAML | `.yml`, `.yaml` | `.yml`, `.yaml` |
-| Go modules | Go | `go.mod`| `go.mod` |
-| Maven | Java, Scala | `pom.xml` | `pom.xml` |
-| npm | JavaScript | `package-lock.json` | `package-lock.json`, `package.json`|
-| pip | Python | `requirements.txt`, `pipfile.lock` | `requirements.txt`, `pipfile`, `pipfile.lock`, `setup.py` |
-| pnpm | JavaScript | `pnpm-lock.yaml` | `package.json`, `pnpm-lock.yaml` |
-| pub | Dart | `pubspec.lock` | `pubspec.yaml`, `pubspec.lock` |
-| Python Poetry | Python | `poetry.lock` | `poetry.lock`, `pyproject.toml` |
-| RubyGems | Ruby | `Gemfile.lock` | `Gemfile.lock`, `Gemfile`, `*.gemspec` |
-| Swift Package Manager | Swift | `Package.resolved` | `Package.resolved` |
-| Yarn | JavaScript | `yarn.lock` | `package.json`, `yarn.lock` |
+| Package manager | Languages | Transitive dependencies | Recommended formats | All supported formats |
+| --- | --- | --- | --- | ---|
+| Cargo | Rust | {% octicon "x" aria-label="Not supported" %} | `Cargo.lock` | `Cargo.toml`, `Cargo.lock` |
+| Composer | PHP | {% octicon "x" aria-label="Not supported" %} | `composer.lock` | `composer.json`, `composer.lock` |
+| NuGet | .NET languages (C#, F#, VB), C++ | {% octicon "x" aria-label="Not supported" %} | `.csproj`, `.vbproj`, `.nuspec`, `.vcxproj`, `.fsproj` | `.csproj`, `.vbproj`, `.nuspec`, `.vcxproj`, `.fsproj`, `packages.config` |
+| {% data variables.product.prodname_actions %} workflows | YAML | {% octicon "x" aria-label="Not supported" %} | `.yml`, `.yaml` |
`.yml`, `.yaml` |
+| Go modules | Go | {% octicon "x" aria-label="Not supported" %} | `go.mod`| `go.mod` |
+| Maven | Java, Scala | {% octicon "check" aria-label="Supported" %} | `pom.xml` | `pom.xml` |
+| npm | JavaScript | {% octicon "check" aria-label="Supported" %} | `package-lock.json` | `package-lock.json`, `package.json`|
+| pip | Python | {% octicon "x" aria-label="Not supported" %} | `requirements.txt`, `pipfile.lock` | `requirements.txt`, `pipfile`, `pipfile.lock`, `setup.py` |
+| pnpm | JavaScript | {% octicon "x" aria-label="Not supported" %} | `pnpm-lock.yaml` | `package.json`, `pnpm-lock.yaml` |
+| pub | Dart | {% octicon "x" aria-label="Not supported" %} | `pubspec.lock` | `pubspec.yaml`, `pubspec.lock` |
+| Python Poetry | Python | {% octicon "x" aria-label="Not supported" %} | `poetry.lock` | `poetry.lock`, `pyproject.toml` |
+| RubyGems | Ruby | {% octicon "x" aria-label="Not supported" %} | `Gemfile.lock` | `Gemfile.lock`, `Gemfile`, `*.gemspec` |
+| Swift Package Manager | Swift | {% octicon "x" aria-label="Not supported" %} | `Package.resolved` | `Package.resolved` |
+| Yarn | JavaScript | {% octicon "x" aria-label="Not supported" %} | `yarn.lock` | `package.json`, `yarn.lock` |
 > [!NOTE]{% ifversion transitive-dependency-labeling-npm %}
-> * For some package managers, such as npm, a label indicates whether the dependency is direct or transitive on the dependency graph view. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#dependencies-view).{% endif %}
+> * The **Transitive dependencies** column indicates whether the dependency graph labels dependent packages in that ecosystem as direct or transitive on the dependency graph view, {% data variables.product.prodname_dependabot_alerts %}, the GraphQL API, and exported SBOMs.
For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#dependencies-view).{% endif %}
 > * If you list your Python dependencies within a `setup.py` file, we may not be able to parse and list every dependency in your project.
 > * {% data variables.product.prodname_actions %} workflows must be located in the `.github/workflows/` directory of a repository to be recognized as manifests. Any actions or workflows referenced using the syntax `jobs[*].steps[*].uses` or `jobs..uses` will be parsed as dependencies. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions).
 > * {% data reusables.dependabot.dependabot-alert-actions-semver %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) and [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates).