Sometimes, Dependabot security updates can't create a pull request for you because any update we could make would break the requirements of another package that you depend on. When this happens, Dependabot will now tell you the latest version of your package that you can install and the earliest version that contains the security fix. Soon, it will also tell you the name of the blocking package.
Webhooks configuration enhancements
We have updated how webhooks on repositories, organizations, and apps can be configured via the API. We have a new configuration resource for full or partial updates to any or all attributes of a webhook. The endpoint can also be used to read the configuration.
Also, webhooks now send a header with a SHA-256 hash of the request body if the webhook is configured with an HMAC key in the optional "secret" field. Developers verifying the authenticity of a webhook should use the SHA-256 signature because it is a more modern cryptographic hash function. SHA-1 is still retained for backwards compatibility with existing integrations, but should not be used for security purposes to verify cryptographic identity due to known collisions. See the documentation for the new delivery headers for more information.
API Generally Available
The GitHub Apps API for managing installations has now graduated from an API preview to a generally available API. The preview header is no longer required to access these endpoints.
IP Allow lists for Apps
Integrators can set an IP allow list for a GitHub App by adding individual IP addresses or address ranges for the hosted service. If an enterprise account or organization has enabled IP allow lists and chosen to allow installed GitHub Apps to configure allowed IPs, then the IP addresses provided for a GitHub App will be inherited by the customers allow lists.
Multiple Callback URLs
When configuring a GitHub App, the authorization callback URL is a required field. But now we allow the developer to specify multiple callback URLs. This can be used in services with multiple domains or subdomains. GitHub will always deny authorization if the callback URL from the request is not in the authorization callback URL list.
File Access without repository contents
Finally, GitHub Apps can request a permission that allows the app to access a single file in a repository. App developers are encouraged to use this permission rather than requesting access to all files in the repo. Based on feedback from developers, the permission has been updated to allow an app developer to specify up to 10 files for read-only or read-write access that their app can request access to.