Dependency Discovery

Sttor identifies dependencies by reading common manifests and lockfiles and building an inventory per repository and branch. The goal is to be accurate (what you actually ship, not just what you declared) and actionable (what to upgrade first).

What discovery typically includes:

  • Direct dependencies (declared by you)
  • Transitive dependencies (pulled in by direct deps)
  • Version pinning (exact versions from lockfiles where available)
  • Per-branch inventory (so each branch can have its own dependency graph and SBOM)

Common outputs you’ll see:

  • Dependency list and graph (direct + transitive)
  • Introduction context (e.g., which PR/commit/branch first brought a dependency in)
  • Upgrade path hints (safe versions / recommended upgrades)
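As an added example covering both lists above (this is not Sttor's code), the following builds a per-branch style inventory from an npm `package-lock.json` (lockfileVersion 3): direct vs. transitive dependencies, exact pinned versions, and the direct dependency each transitive one was introduced through. The sample lockfile is constructed and abridged; package names and versions in it are illustrative.

```python
import json
from collections import deque

# Constructed, abridged package-lock.json (lockfileVersion 3) used as sample input.
# express pins its own nested debug 2.6.9 while the app declares debug 4.x, so a
# correct inventory must carry both installed copies with their exact versions.
SAMPLE_LOCKFILE = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "dependencies": {"express": "^4.18.2"},
         "devDependencies": {"debug": "^4.3.4"}},
    "node_modules/express": {"version": "4.18.2",
                             "dependencies": {"accepts": "~1.3.8", "debug": "2.6.9"}},
    "node_modules/express/node_modules/debug": {"version": "2.6.9"},
    "node_modules/accepts": {"version": "1.3.8", "dependencies": {"mime-types": "~2.1.34"}},
    "node_modules/mime-types": {"version": "2.1.35"},
    "node_modules/debug": {"version": "4.3.4", "dev": True},
}})

def resolve(pkgs, from_path, dep):
    """Nearest node_modules/<dep> walking up from from_path (Node's lookup order)."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in pkgs:
            return candidate
        if not base:
            return None  # declared but missing from the lockfile
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""

def build_inventory(lock_text):
    """Map each installed path to {name, version, direct, depth, via} via BFS from the root."""
    pkgs = json.loads(lock_text)["packages"]
    root = pkgs[""]
    declared = {**root.get("dependencies", {}), **root.get("devDependencies", {})}
    inventory, queue = {}, deque()
    for dep in declared:  # depth 1: direct dependencies, exact versions from the lockfile
        path = resolve(pkgs, "", dep)
        if path and path not in inventory:
            inventory[path] = {"name": dep, "version": pkgs[path]["version"],
                               "direct": True, "depth": 1, "via": dep}
            queue.append(path)
    while queue:  # transitive dependencies, tagged with the direct dep that pulls them in
        path = queue.popleft()
        for dep in pkgs[path].get("dependencies", {}):
            child = resolve(pkgs, path, dep)
            if child and child not in inventory:
                inventory[child] = {"name": dep, "version": pkgs[child]["version"],
                                    "direct": False, "depth": inventory[path]["depth"] + 1,
                                    "via": inventory[path]["via"]}
                queue.append(child)
    return inventory
```

Running `build_inventory` on one lockfile per branch yields the per-branch graph the page describes; the `via` field is what makes an upgrade actionable, since fixing a transitive dependency usually means bumping the direct one that pulls it in.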