
Commit e846ab5

mchammer01subatoiheiskr
authored
Transitive Dependency labeling for npm [GA] (#54111)
Co-authored-by: Ben Ahmady <[email protected]>
Co-authored-by: Kevin Heis <[email protected]>
1 parent 21781fa commit e846ab5

5 files changed

+22
-3
lines changed

content/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository.md

+9-1
Original file line numberDiff line numberDiff line change
@@ -50,7 +50,15 @@ Enterprise owners can configure the dependency graph at an enterprise level. For
5050
### Dependencies view
5151

5252
{% ifversion fpt or ghec %}
53-
For each dependency, you can see its ecosystem, the manifest file in which it was found, and the license (where detected). Dependencies on private repositories, private packages, or unrecognized files are shown in plain text. If the package manager for the dependency is in a public repository, you can hover on the dependency name to display a pop-up with the associated repository information.
53+
For each dependency, you can see its ecosystem, the manifest file in which it was found, and the license (where detected).
54+
55+
* Dependencies for private repositories, private packages, or unrecognized files are shown in plain text.
56+
* If the package manager for the dependency is in a public repository, you can hover on the dependency name to display a pop-up with the associated repository information.
57+
* You can sort and filter dependencies by typing filters as `key:value` pairs into the search bar.
58+
59+
* Use `ecosystem: <ecosystem-name>` to display dependencies for the selected ecosystem.{% ifversion transitive-dependency-labeling-npm %}
60+
* **For npm only.** Use `relationship:` to filter the list by relationship status. Possible values are `direct`, `transitive`, and `inconclusive`. Alternatively, you can click the relationship label adjacent to a dependency name to only show dependencies of the same relationship status.{% endif %}
61+
5462
{% endif %}
5563

5664
{% ifversion ghes %}
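Review bot: the filter examples on lines 59+ and 60+ are inconsistent with the `key:value` rule stated on line 57+: `ecosystem: <ecosystem-name>` has a space after the colon while `relationship:` and the introducing sentence do not. Suggest `ecosystem:<ecosystem-name>`. Also on line 60+, `inconclusive` is listed as a possible `relationship:` value without saying what it means; a short clause explaining when a dependency gets that label would help readers decide whether those entries need a closer look.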
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
# Issue 15878: Transitive Dependency labeling for npm [GA]
2+
3+
versions:
4+
fpt: '*'
5+
ghec: '*'
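Review bot: the path of this new feature file is not visible in the rendered view; the `{% ifversion transitive-dependency-labeling-npm %}` tags added in the other files only resolve if the file's basename matches that feature name exactly, so worth double-checking. The `versions` block enables the feature for `fpt` and `ghec` only, which matches the Dependencies view hunk, where the new bullets sit inside an existing `{% ifversion fpt or ghec %}` block; the bullet added to supported-package-ecosystems.md has no such outer block, so this file alone is what keeps it off GHES.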

data/reusables/dependabot/dependabot-alerts-filters.md

+3
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,9 @@ You can sort and filter {% data variables.product.prodname_dependabot_alerts %}
77
| `is` | Displays alerts based on their state | Use `is:open` to show open alerts |
88
| `manifest` | Displays alerts for the selected manifest | Use `manifest:webwolf/pom.xml` to show alerts on the pom.xml file of the webwolf application |
99
| `package` | Displays alerts for the selected package | Use `package:django` to show alerts for django |
10+
| {% ifversion transitive-dependency-labeling-npm %} |
11+
| `relationship` | Displays alerts of the selected relationship status<br>Note that this filter is only available for npm. | Use `relationship:direct` to show alerts for direct dependencies (marked with the `Direct` label). |
12+
| {% endif %} |
1013
| `resolution` | Displays alerts of the selected resolution status | Use `resolution:no-bandwidth` to show alerts previously parked due to lack of resources or time to fix them |
1114
| `repo` | Displays alerts based on the repository they relate to</br>Note that this filter is only available for security overview. For more information, see [AUTOTITLE](/code-security/security-overview/about-security-overview) | Use `repo:octocat-repo` to show alerts in the repository called `octocat-repo` |
1215
| `scope` | Displays alerts based on the scope of the dependency they relate to | Use `scope:development` to show alerts for dependencies that are only used during development |
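Review bot: the new `relationship` row on line 11+ documents only `relationship:direct`; the Dependencies view text in the same commit lists `direct`, `transitive`, and `inconclusive` as the possible values, so naming all three here (or at least pointing to them) keeps the two pages consistent. Minor: the new row uses `<br>` for the line break while the existing `repo` row uses `</br>`; the new form is the valid one, so consider fixing the `repo` row while this table is being touched.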
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,8 @@
1-
An SBOM is a formal, machine-readable inventory of a project's dependencies and associated information (such as {% ifversion ghes %}versions and package identifiers{% else %}versions, package identifiers, licenses, and copyright information{% endif %}). SBOMs help reduced supply chain risks by:
1+
An SBOM is a formal, machine-readable inventory of a project's dependencies and associated information (such as {% ifversion ghes %}versions and package identifiers{% else %}versions, package identifiers, licenses, transitive paths for package ecosystems with support for transitive dependency labeling, and copyright information{% endif %}). SBOMs help reduced supply chain risks by:
22

33
* Providing transparency about the dependencies used by your repository
44
* Allowing vulnerabilities to be identified early in the process
55
* Providing insights in the license compliance, security, or quality issues that may exist in your codebase
66
* Enabling you to better comply with various data protection standards
7+
8+
{% ifversion transitive-dependency-labeling-npm %}For more information about the ecosystems supporting transitive dependency labeling, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#dependencies-view).{% endif %}
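Review bot: line 1+ carries over the pre-existing typo "SBOMs help reduced supply chain risks" (should be "reduce"); since the line is being rewritten anyway, fix it here. The inserted clause "transitive paths for package ecosystems with support for transitive dependency labeling" is hard to parse inside an already long parenthetical; consider "transitive dependency paths (for ecosystems that support transitive dependency labeling)", or move it into the sentence added on line 8+, which already links to the list of supported ecosystems.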

data/reusables/dependency-graph/supported-package-ecosystems.md

+2-1
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,8 @@
1515
| Swift Package Manager | Swift | `Package.resolved` | `Package.resolved` |
1616
| Yarn | JavaScript | `yarn.lock` | `package.json`, `yarn.lock` |
1717

18-
> [!NOTE]
18+
> [!NOTE]{% ifversion transitive-dependency-labeling-npm %}
19+
> * For some package managers, such as npm, a label indicates whether the dependency is direct or transitive on the dependency graph view. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#dependencies-view).{% endif %}
1920
> * If you list your Python dependencies within a `setup.py` file, we may not be able to parse and list every dependency in your project.
2021
> * {% data variables.product.prodname_actions %} workflows must be located in the `.github/workflows/` directory of a repository to be recognized as manifests. Any actions or workflows referenced using the syntax `jobs[*].steps[*].uses` or `jobs.<job_id>.uses` will be parsed as dependencies. For more information, see [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions).
2122
> * {% data reusables.dependabot.dependabot-alert-actions-semver %} For more information, see [AUTOTITLE](/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) and [AUTOTITLE](/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates).
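Review bot: line 18+ appends `{% ifversion transitive-dependency-labeling-npm %}` to the `> [!NOTE]` marker line. Liquid is evaluated before markdown, so this should still yield a clean alert header, but it is fragile; starting the tag on the new bullet line instead (`> {% ifversion transitive-dependency-labeling-npm %}* For some package managers ...`) leaves the marker line untouched and keeps the open and close tags on the same line. Also, line 19+ says "some package managers, such as npm" while the Dependencies view text in this same commit describes the relationship filter as "For npm only"; saying "Currently only npm" here keeps the two pages consistent.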
