What is the purpose of Dependency Review in GAS?


Multiple Choice

What is the purpose of Dependency Review in GAS?

Explanation:
Dependency Review examines the changes introduced by a pull request to the project’s dependencies and checks them against security, license, and policy criteria before the code is merged. When a PR adds or updates libraries, this review highlights exactly which dependencies are changing, then surfaces any related risks: known security advisories or CVEs tied to those dependencies, license compatibility issues, and whether the updates adhere to organizational policies on allowed licenses or package sources. By evaluating these aspects up front, teams can avoid introducing vulnerable or non-compliant components into the codebase.

This approach is PR-specific rather than scanning the entire repository after every merge, and it helps prevent risky dependency changes from slipping through by providing actionable signals to reviewers. It isn’t about generating an SBOM, and it doesn’t automatically block every dependency update; it flags issues so teams can decide on appropriate action before merging.
