Technology

dependency graphs

Dependency graphs map the intricate web of direct and transitive relationships between software components to identify security vulnerabilities and license risks.

Modern applications rely on thousands of upstream packages; a single React project might pull in 1,500 sub-dependencies. Dependency graphs provide the structural visibility needed to manage this complexity by indexing every manifest file (like package.json or go.mod) and lockfile. Tools like GitHub's dependency graph or OWASP Dependency-Check use these maps to alert developers when a specific version of a library, such as Log4j, contains a critical CVE. By visualizing the entire supply chain, teams can pinpoint exactly where a vulnerable component enters their stack and automate the patching process across the entire repository.

https://github.com/features/security/software-composition-analysis