How does Dependency Review work in GitHub Advanced Security?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

How does Dependency Review work in GitHub Advanced Security?

Explanation:
Dependency Review focuses on the changes introduced by a pull request in terms of dependencies. When a PR adds or updates dependencies, it surfaces details about those new dependencies—exact package names and versions, direct and transitive dependencies, and the associated licenses. It also pulls in known security advisories (such as CVEs) for the new dependencies so you can see any vulnerabilities that would come with the changes.

This visibility lets you assess risk before merging: you can spot if a new dependency or its transitive chain brings a vulnerability, or if the licenses don’t align with your project’s policy. Based on what you see, you can decide to update to a safer version, swap out the dependency, or block the PR until the issues are resolved. In short, it’s about evaluating the impact of new dependencies added by a PR, not about removing unused code, measuring code quality, or formatting.