.NET transitive dependencies not showing on dependency chart #144979
Replies: 5 comments 2 replies
- This would definitely be an important improvement to the Dependency Graph.
- 🕒 Discussion Activity Reminder 🕒 This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one of the following actions: 1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as  2️⃣ Provide More Information: Share additional details or context, or let the community know if you've found a solution on your own. 3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution. Note: This dormant notification will only apply to Discussions with the  Thank you for helping bring this Discussion to a resolution! 💬
- This remains relevant. I've created a repository that shows this: this project contains a direct reference to [email protected], which in turn brings a transitive dependency on [email protected], which is vulnerable. You can see that, despite having a [packages.lock.json](https://github.com/vmcbaptista/transitive-vulnerability/blob/main/src/packages.lock.json), only the direct dependency appears on the dependency graph: https://github.com/vmcbaptista/transitive-vulnerability/network/dependencies. As a consequence, Dependabot security updates do not trigger an update of Newtonsoft.Json. Support for transitive dependencies was added to Dependabot with this PR (dependabot/dependabot-core#9678), although it seems the dependency chart still does not support it.
- As far as I know this was not addressed. Please reopen it.
- Transitive dependencies are not added to the dependency graph even if support for packages.lock.json is enabled.
  These lock files must be considered to also detect vulnerabilities in transitive dependencies.
  Note that Dependabot recently added support for these lock files, which makes this even more relevant.
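An added example (not code from this discussion or from the linked repository) that does what the dependency graph is reported not to do: it reads a NuGet packages.lock.json, maps each package marked Transitive back to the Direct reference that pulls it in, and flags transitive packages resolved below a fixed version. The lock file contents, package names, versions and the fixed-version table are constructed placeholders.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample of a NuGet packages.lock.json (format version 1); names,
# versions and hashes are placeholders, not taken from the repository above.
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "Example.DirectPackage": {
        "type": "Direct", "requested": "[1.0.0, )", "resolved": "1.0.0",
        "contentHash": "placeholder==", "dependencies": {"Newtonsoft.Json": "12.0.1"}},
    "Newtonsoft.Json": {
        "type": "Transitive", "resolved": "12.0.1", "contentHash": "placeholder=="},
}}})

def load_packages(lock_text: str, framework: str = "net8.0") -> Dict[str, dict]:
    """Return the {package name: lock entry} map for one target framework."""
    return json.loads(lock_text)["dependencies"][framework]

def transitive_origins(packages: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Map each Transitive package to the Direct references that pull it in."""
    origins: Dict[str, Set[str]] = {}
    for root, entry in packages.items():
        if entry.get("type") != "Direct":
            continue
        stack, seen = list(entry.get("dependencies", {})), set()
        while stack:  # depth-first walk over each entry's 'dependencies' keys
            name = stack.pop()
            if name in seen or name not in packages:
                continue  # names absent from the lock file are skipped, not guessed
            seen.add(name)
            if packages[name].get("type") == "Transitive":
                origins.setdefault(name, set()).add(root)
            stack.extend(packages[name].get("dependencies", {}))
    return origins

def _ver(text: str) -> Tuple[int, ...]:
    """Numeric version tuple; any '-prerelease' suffix is dropped (placeholder rule)."""
    return tuple(int(p) for p in text.split("-")[0].split("."))

def flag_transitive(packages: Dict[str, dict],
                    fixed_in: Dict[str, str]) -> Dict[str, Tuple[str, List[str]]]:
    """Transitive packages resolved below their fixed version, with the Direct
    references responsible; fixed_in is a constructed table, not a real advisory feed."""
    hits: Dict[str, Tuple[str, List[str]]] = {}
    for name, roots in transitive_origins(packages).items():
        fix = fixed_in.get(name)
        if fix and _ver(packages[name]["resolved"]) < _ver(fix):
            hits[name] = (packages[name]["resolved"], sorted(roots))
    return hits
```

Run `flag_transitive(load_packages(SAMPLE_LOCK), {"Newtonsoft.Json": "13.0.1"})` to see the transitive package reported together with the direct reference that has to be bumped to fix it.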