Since the Dependency Graph feature is intertwined with the Security Alerts (Vulnerability Alerts) feature, this also means GitHub users will be eligible to receive automatic security alerts for any vulnerabilities that crop up in the dependencies of their PHP projects.
How Security Alerts works
The Security Alerts feature is one of GitHub's most useful services. It works by having GitHub scan the dependency tree (generated by the Dependency Graph feature) of a user's project.
The scanner looks at the dependency's name and version number and compares it to a list of known vulnerabilities that GitHub pools from various sources.
If GitHub finds a vulnerability in any of the dependencies, the Security Alerts feature warns the project owner through various methods, such as:
A banner in the GitHub interface
Web notifications on the GitHub domain
Email notifications for each new vulnerability
Daily or weekly email digests of all new vulnerabilities
But the Dependency Graph and the Security Alerts feature won't work for all PHP projects. They will only work for PHP projects that manage their dependencies with Composer. Composer is a package manager for automatically importing PHP libraries into a PHP project.
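The matching step described above (take each dependency's name and version, compare it against a list of known vulnerabilities) is simple to illustrate. The following Python script is an added example and not GitHub's code: it reads a constructed composer.lock, builds the (name, version) list from both the "packages" and "packages-dev" sections, and checks every entry against a constructed advisory list with version ranges. The advisory IDs, package names and the simple three-part version comparison are assumptions made for the example; GitHub's real data is pooled from several vulnerability sources and its matching logic is not public.

```python
"""Toy dependency-vulnerability matcher modelled on the Security Alerts flow.

Added example, not GitHub's code. Reads Composer lock-file JSON, extracts the
(name, version) pairs and reports every dependency whose version falls inside
an advisory's affected range.
"""
import json
import re

# Constructed sample composer.lock (only the fields the matcher needs).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/http-client", "version": "1.4.2"},
        {"name": "vendor/template-engine", "version": "v3.0.1"},
    ],
    "packages-dev": [
        {"name": "vendor/test-helper", "version": "2.2.0"},
    ],
})

# Constructed advisory list; IDs and packages are placeholders, not real advisories.
# Each entry names the package, the affected version range and the first fixed version.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "vendor/http-client",
     "affected": "<1.5.0", "fixed": "1.5.0"},
    {"id": "EXAMPLE-0002", "package": "vendor/template-engine",
     "affected": ">=3.0.0,<3.0.2", "fixed": "3.0.2"},
    {"id": "EXAMPLE-0003", "package": "vendor/test-helper",
     "affected": "<2.0.0", "fixed": "2.0.0"},
]


def parse_version(version):
    """Turn '1.4.2' or 'v1.4.2' into a comparable tuple of ints (assumed x.y.z format)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_in_range(version, spec):
    """Check a version against comma-separated comparators such as '>=3.0.0,<3.0.2'."""
    v = parse_version(version)
    for constraint in spec.split(","):
        op, bound = re.fullmatch(r"(<=|>=|<|>|=)?\s*(\S+)", constraint.strip()).groups()
        b = parse_version(bound)
        satisfied = {"<": v < b, "<=": v <= b, ">": v > b, ">=": v >= b,
                     "=": v == b, None: v == b}[op]
        if not satisfied:
            return False
    return True


def load_dependencies(lock_text):
    """Return [(name, version, is_dev)] for every package in composer.lock JSON."""
    lock = json.loads(lock_text)
    deps = [(p["name"], p["version"], False) for p in lock.get("packages", [])]
    deps += [(p["name"], p["version"], True) for p in lock.get("packages-dev", [])]
    return deps


def find_alerts(lock_text, advisories):
    """Match each (name, version) pair against the advisories; return the alerts raised."""
    alerts = []
    for name, version, is_dev in load_dependencies(lock_text):
        for adv in advisories:
            if adv["package"] == name and version_in_range(version, adv["affected"]):
                alerts.append({"package": name, "version": version, "dev": is_dev,
                               "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_COMPOSER_LOCK, SAMPLE_ADVISORIES):
        print(f"{a['advisory']}: {a['package']} {a['version']} is affected; "
              f"upgrade to {a['fixed_in']}")
```

The script reports two alerts on the sample data: the HTTP client (1.4.2 is below the 1.5.0 fix) and the template engine (3.0.1 sits inside the affected range), while the dev dependency at 2.2.0 is clean. A real matcher would need Composer's full version grammar (pre-release suffixes, branch aliases) and the upstream advisory feeds; the lock file is the right input because, unlike composer.json, it records the exact versions installed.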
After today's announcements, the current support scheme for the Dependency Graph and integrated Security Alerts feature is as follows:
This certification is only valid for open source projects hosted on the platform, which means bugs reported on an open source project's bug tracker will receive a CVE identifier much faster, as the project owner can request a CVE from GitHub, rather than go through the more crowded and time-consuming approval process over at MITRE.