Dependabot-based dependency graphs for Go

Continuing the supply chain security theme of continually improving our package ecosystem support, Go projects will now see more complete and accurate transitive dependency trees in their dependency graphs and Software Bill of Materials (SBOMs).

Since Go resolves dependency versions dynamically, getting an accurate picture of a project’s dependencies cannot rely on static parsing. Now, when a commit updates a project’s go.mod, GitHub runs a new type of Dependabot job that builds a dependency snapshot and uploads it to the Dependency Submission API.

This approach is similar to dependency autosubmission for other ecosystems, but it will not incur charges for actions minutes. It can also access organization-wide configurations for private registries you’ve set up for Dependabot.

For more information, see Configuring the dependency graph.

JUN.9Release
Dependabot version updates now support the Deno ecosystem
- Supply Chain Security
JUN.9Retired
Upcoming breaking changes for npm v12
- Supply Chain Security
MAY.26Release
Dependabot version updates now support the sbt ecosystem
- Supply Chain Security
MAY.22Release
Staged publishing and new install-time controls for npm
- Supply Chain Security
MAY.19Retired
Upcoming deprecation of Python 3.9 for Dependabot
- Supply Chain Security
MAY.12Retired
Synchronous SBOM API deprecated
- Supply Chain Security
MAY.11Improvement
Cross-org Dependabot access for internal repositories
- Supply Chain Security
MAY.6Release
Search and filter bar for repository security advisories
- Supply Chain Security
MAY.5Release
Dependency scanning with GitHub MCP Server is in public preview
- Supply Chain Security

Dependabot-based dependency graphs for Go

Related Posts

Subscribe to our developer newsletter