Dependency graph: Build time detection (Cloud Beta) #215
Summary
The dependency graph today uses manifest parsing to understand the set of dependencies in a repository. This approach has some major shortcomings though: we can't model complex dependency systems like Gradle (which use executable code in the build to resolve dependencies), and we can't easily scale to support a long tail of ecosystems.
Build time detection is powered by a new API for the dependency graph that allows build tools or package managers to submit information about the dependencies that are part of the build. The dependency graph is evolving to store this kind of data on arbitrary pieces of software so that we can map to the Advisory database and send alerts.
Intended Outcome
No response
How will it work?
No response