Want to better understand how GitHub’s dependency graph works? By parsing your repository’s manifest and lockfiles, it identifies all upstream dependencies and public downstream dependents of a repository or package.
https://github.blog/2020-08-04-secure-at-every-step-how-githubs-dependency-graph-is-generated/