How not to use GitHub Dependency graph


Anyone can make their repository appear on the page of any popular GitHub project. The GitHub team should probably do something about this.

First of all, the Dependency graph is the list of packages your project uses.

List of packages required by @hawk.so/nodejs

In turn, the product's "Used By" section lists the repositories that depend on it.

Repos which use Editor.js

And this is where the feature can be abused. Anyone can get their repository shown on the page of a popular product: all it takes is declaring that product as a dependency. GitHub fetches the lock files of popular package managers and creates the links automatically, without checking whether the declared dependency is actually used.

Experiment

I created an almost empty repo containing nothing but the module and lock files generated by the Go toolchain:

go mod init github.com/talyguryn/talyguryn
go get github.com/telegramdesktop/tdesktop

And here it is: my repo appears on the main page of the Telegram Desktop project. I guess the owners of Telegram would not want to see me sitting alone in that block on their product's page.
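The experiment above works because the graph is built purely from manifest declarations. The following Go program is an added example, not code from the post or from GitHub, that makes this concrete: it parses the require directives of a constructed go.mod modelled on the experiment, then uses go/parser to collect the import paths the module's source files actually reference, and reports every required module that no file imports. The go.mod contents, file names and version strings are all constructed for the example; nothing here reflects how GitHub itself processes lock files.

```go
package main

import (
	"bufio"
	"fmt"
	"go/parser"
	"go/token"
	"sort"
	"strings"
)

// sampleGoMod is a constructed go.mod mirroring the post's experiment: a
// near-empty module that declares the Telegram Desktop repo as a dependency.
// The version strings are placeholders, not real published versions.
const sampleGoMod = `module github.com/talyguryn/talyguryn

go 1.20

require (
	github.com/telegramdesktop/tdesktop v0.0.0-00010101000000-000000000000
	golang.org/x/text v0.14.0
)

require github.com/example/unrelated v1.2.3 // indirect
`

// sampleSources are constructed Go files of that module; only x/text is imported.
var sampleSources = map[string]string{
	"main.go": `package main

import (
	"fmt"

	"golang.org/x/text/language"
)

func main() { fmt.Println(language.English) }
`,
	"util.go": `package main

import "strings"

func upper(s string) string { return strings.ToUpper(s) }
`,
}

// ParseRequires extracts module paths from go.mod require directives, both the
// single-line form and the parenthesised block form. This is the shallow view a
// manifest-based dependency graph has: a declaration counts, nothing more.
func ParseRequires(gomod string) []string {
	var mods []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments such as "// indirect"
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) >= 2 {
				mods = append(mods, f[0])
			}
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				mods = append(mods, f[1])
			}
		}
	}
	return mods
}

// ImportedPaths parses each source file (imports only) and returns the set of
// import paths the code actually references.
func ImportedPaths(files map[string]string) (map[string]bool, error) {
	used := map[string]bool{}
	fset := token.NewFileSet()
	for name, src := range files {
		f, err := parser.ParseFile(fset, name, src, parser.ImportsOnly)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		for _, imp := range f.Imports {
			used[strings.Trim(imp.Path.Value, `"`)] = true
		}
	}
	return used, nil
}

// DeclaredButUnused reports modules that go.mod requires but no source file
// imports (importing any package inside a module counts as using that module).
func DeclaredButUnused(gomod string, files map[string]string) ([]string, error) {
	used, err := ImportedPaths(files)
	if err != nil {
		return nil, err
	}
	var unused []string
	for _, mod := range ParseRequires(gomod) {
		referenced := false
		for path := range used {
			if path == mod || strings.HasPrefix(path, mod+"/") {
				referenced = true
				break
			}
		}
		if !referenced {
			unused = append(unused, mod)
		}
	}
	sort.Strings(unused)
	return unused, nil
}

func main() {
	unused, err := DeclaredButUnused(sampleGoMod, sampleSources)
	if err != nil {
		panic(err)
	}
	for _, m := range unused {
		fmt.Println("declared in go.mod but never imported:", m)
	}
}
```

Run against the constructed module, the program flags both github.com/telegramdesktop/tdesktop and the indirect github.com/example/unrelated as declared but never imported, while golang.org/x/text passes because a package under it is imported. A graph that applied this kind of cross-check before listing a dependent would not show a repository that merely names a product in its manifest.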

You can read more about the dependency graph on GitHub's docs page (docs.github.com).

Conclusion

In its current implementation, the "Used By" section can be abused by anyone. The owner of a product cannot hide this block or remove individual dependents from it.

I think GitHub should allow hiding this block via the Repository Settings.