What is it about?

GitHub's Dependency Graph is a simple way to visualize the dependencies and dependents of a software project hosted on GitHub. We want to assess the accuracy of the information contained in the Dependency Graph and any implications this has for the tools built on top of it.

Why is it important?

The majority of the analyzed projects have inaccuracies in their GitHub dependency graph, either in dependents or in dependencies. Moreover, the dependency information in manifest/lock files and in GitHub's dependency graph does not always match. This might affect the output of tools based on GitHub's dependency graph (e.g., Dependabot and SBOM generators) as well as the outcomes of past empirical studies.
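The manifest/lock-file mismatch described above is something a maintainer can check for their own repository. The following is an added example, not code from the paper: it assumes the dependency graph has been exported as an SPDX JSON SBOM whose package names carry an `npm:` ecosystem prefix (an assumed layout), and it uses a constructed `package-lock.json` and a constructed SBOM to report dependencies the graph misses, adds, or lists at a different version.

```python
import json

# Constructed npm package-lock.json (lockfileVersion 3) for a toy project.
LOCK_JSON = """{
  "name": "demo", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/minimist": {"version": "1.2.8"},
    "node_modules/@types/node": {"version": "20.11.0", "dev": true}
  }
}"""

# Constructed SPDX JSON in the assumed shape of a dependency-graph SBOM export.
SBOM_JSON = """{
  "spdxVersion": "SPDX-2.3",
  "packages": [
    {"name": "com.github.example/demo", "versionInfo": "1.0.0"},
    {"name": "npm:lodash", "versionInfo": "4.17.20"},
    {"name": "npm:minimist", "versionInfo": "1.2.8"},
    {"name": "npm:left-pad", "versionInfo": "1.3.0"}
  ]
}"""

def lockfile_deps(lock_text):
    """Map package name -> version from a lockfileVersion 2/3 package-lock."""
    lock = json.loads(lock_text)
    deps = {}
    for path, meta in lock["packages"].items():
        if path == "":
            continue  # the root project itself, not a dependency
        name = path.rsplit("node_modules/", 1)[1]  # handles nested node_modules
        deps[name] = meta["version"]
    return deps

def sbom_deps(sbom_text, ecosystem="npm"):
    """Map package name -> version for one ecosystem from the SPDX export."""
    sbom = json.loads(sbom_text)
    prefix = ecosystem + ":"  # assumed naming convention of the export
    return {p["name"][len(prefix):]: p["versionInfo"]
            for p in sbom["packages"] if p["name"].startswith(prefix)}

def compare(lock, graph):
    """Return dependencies the graph misses, adds, or reports at another version."""
    return {
        "missing_from_graph": sorted(set(lock) - set(graph)),
        "extra_in_graph": sorted(set(graph) - set(lock)),
        "version_mismatch": sorted(n for n in set(lock) & set(graph) if lock[n] != graph[n]),
    }
```

Run `compare(lockfile_deps(LOCK_JSON), sbom_deps(SBOM_JSON))` to see the three kinds of discrepancy; each one is a case where Dependabot alerts or a generated SBOM would describe a different dependency set than the one actually installed.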

Read the Original

This page is a summary of: On the Accuracy of GitHub's Dependency Graph, June 2024, ACM (Association for Computing Machinery), DOI: 10.1145/3661167.3661175. The full text is available via that DOI.
