Understand Your Software Supply Chain with the GitHub Dependency Graph


In software development, the complexity of the supply chain can become a significant challenge. GitHub recently launched a tool to address it: the dependency graph, which promises to give developers a clear view of the external libraries their projects use, both directly and indirectly.

This graph resembles an iceberg. What appears to be a simple manifest file with a few direct dependencies is, in fact, just the tip, while the vast network of transitive dependencies lies hidden beneath the surface. The GitHub dependency graph lets developers visualize this complexity by building a structured representation of all the external code that powers their applications. Each package is a node and each dependency relationship an edge, so the connections between packages stand out much as they do in a family tree.

This tool is crucial in an environment where 95-97% of the code may come from external sources. With it in place, developers can quickly identify insecure dependencies and act accordingly. The dependency graph also feeds Dependabot, which automatically alerts users to security issues in their dependencies, including the transitive dependencies that often go unnoticed.

An illustrative example shared by Eric Sorenson, an engineer at GitHub, shows that a project that appeared to contain only 21 direct dependencies may actually include over 1,000 dependencies in total. This underscores the importance of understanding not only what is within our control but also the implications of indirect dependencies.
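The direct-versus-transitive distinction above, as an added Python example that is not code from GitHub or the original post: it walks a constructed lock-file-style map from a manifest's direct dependencies to every transitive one, matches the result against a constructed advisory list, and reconstructs the path that pulled an affected package in (all package names and the advisory are hypothetical).

```python
from collections import deque

# Constructed sample lock-file: package -> packages it depends on. Names are
# hypothetical. Each key is a node in the graph, each listed name is an edge.
LOCK = {
    "app": ["web-framework", "http-client"],   # manifest: 2 direct deps
    "web-framework": ["template-engine", "url-parser"],
    "http-client": ["url-parser", "tls-shim"],
    "template-engine": ["markup-escaper"],
    "tls-shim": ["asn1-decoder"],
    "asn1-decoder": ["url-parser"],            # diamond: url-parser again
    "url-parser": [],
    "markup-escaper": ["template-engine"],     # cycle back to its parent
}

# Constructed advisory feed: package -> short description of the known issue.
ADVISORIES = {"asn1-decoder": "hypothetical parsing flaw"}


def resolve(lock, root):
    """Breadth-first walk from root. Returns {package: (depth, parent)}; depth 1
    is a direct dependency, depth > 1 is transitive. Each package is recorded
    once, so diamonds and cycles are visited a single time."""
    seen = {}
    queue = deque((dep, 1, root) for dep in lock.get(root, []))
    while queue:
        name, depth, parent = queue.popleft()
        if name in seen:
            continue
        seen[name] = (depth, parent)
        for child in lock.get(name, []):
            queue.append((child, depth + 1, name))
    return seen


def path_to(seen, root, name):
    """Reconstruct the chain root -> ... -> name from the recorded parents."""
    chain = [name]
    while chain[-1] != root:
        chain.append(seen[chain[-1]][1])
    return list(reversed(chain))


def report(lock, advisories, root="app"):
    """The iceberg in numbers, plus an alert for every advisory that matches a
    node, with the path showing how a transitive package was pulled in."""
    seen = resolve(lock, root)
    direct = sorted(n for n, (d, _) in seen.items() if d == 1)
    transitive = sorted(n for n, (d, _) in seen.items() if d > 1)
    alerts = [{"package": n, "transitive": seen[n][0] > 1,
               "path": path_to(seen, root, n), "issue": advisories[n]}
              for n in sorted(seen) if n in advisories]
    return {"direct": direct, "transitive": transitive, "alerts": alerts}
```

On this sample the manifest shows 2 direct dependencies but the graph holds 7, and the only advisory hits a package three levels down that the manifest never names.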

Activating the dependency graph is straightforward: the option lives in the repository settings under the Security section. For public repositories, this tool is free, while private repositories require a subscription to GitHub Advanced Security. Through this functionality, developers gain not only automated alerts but also the ability to analyze their software supply chain in more depth.

In conclusion, the GitHub dependency graph not only provides visibility into the vast body of third-party code that powers projects, but also enables developers to take the steps needed to secure their applications against potential vulnerabilities. With this tool, security management in software development becomes a more accessible and efficient task.

via: MiMub in Spanish
