Dependabot: version updates from private GitHub repositories

Dependabot already updates your public dependencies, such as open source dependencies from a public GitHub repository, npm, Maven Central, or similar. Now, you can also update dependencies from private GitHub repositories. This feature is available for most package managers supported by Dependabot version updates, except bundler, hex, and pip.

To get started, grant Dependabot access to some or all of your private repositories on your organization's security & analysis settings page.

Learn more about Dependabot version updates

READMEs for npm packages on are now rendered using GitHub Flavored Markdown. was using a custom markdown renderer not fully compatible with GitHub Flavored Markdown. This difference meant a README displayed on did not necessarily match the README displayed on GitHub. Aligning to use the GitHub Flavored Markdown renderer ensures that your README is rendered the same on both sites.

All newly published packages are now rendered with GitHub Flavored Markdown; packages previously published to will be re-rendered over time.

The Meta API endpoint previously contained MD5 fingerprints for GitHub’s SSH public keys. We have now deprecated these in favor of the newer SHA-256 fingerprints. Developers verifying the authenticity of GitHub’s keys should use the SHA-256 fingerprints, because SHA-256 is a more modern cryptographic hash function. MD5 should not be used for security purposes to verify cryptographic identity, due to known collisions.


If your app dynamically fetches the MD5_RSA and MD5_DSA fields, please ensure that you have migrated to the SHA256_RSA and SHA256_DSA fingerprints. The old fingerprints are reprinted below, if static copies are needed for migration purposes. If your app doesn’t use the MD5_RSA and MD5_DSA fields, then your app will be unaffected by this change.


"MD5_RSA": "16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48"
"MD5_DSA": "ad:1c:08:a4:40:e3:6f:9c:f5:66:26:5d:4b:33:5d:8c"
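
For apps migrating their check, the following added example (not GitHub's code) computes both fingerprint forms from a host key line and compares the key against a pinned SHA-256 value. It assumes the pinned value is in OpenSSH's form (unpadded base64 of the SHA-256 digest, with an optional `SHA256:` prefix); the function names and the sample key are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

def parse_key_blob(line):
    """Return (key_type, raw_blob) from a known_hosts or .pub style line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-")):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except binascii.Error as exc:
                raise ValueError("key data is not valid base64") from exc
            # The blob begins with a length-prefixed copy of the key type;
            # reject lines whose declared type disagrees with the blob.
            n = int.from_bytes(blob[:4], "big")
            if blob[4:4 + n] != field.encode():
                raise ValueError("declared key type does not match key blob")
            return field, blob
    raise ValueError("no SSH public key found in line")

def sha256_fingerprint(blob):
    """Unpadded base64 of SHA-256(blob), as printed by `ssh-keygen -l`."""
    digest = hashlib.sha256(blob).digest()
    return base64.b64encode(digest).decode().rstrip("=")

def md5_fingerprint(blob):
    """Legacy colon-separated hex form, kept only to map old values to new."""
    h = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def matches_pinned(line, pinned_sha256):
    """Compare a key line against a pinned SHA-256 fingerprint."""
    _, blob = parse_key_blob(line)
    pinned = pinned_sha256.removeprefix("SHA256:").rstrip("=")
    return hmac.compare_digest(sha256_fingerprint(blob).encode(), pinned.encode())

def _wire(b):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b

# Constructed sample key (not a real host key), laid out like an RSA blob.
_BLOB = _wire(b"ssh-rsa") + _wire(b"\x01\x00\x01") + _wire(b"\x00" + bytes(range(1, 64)))
SAMPLE_LINE = "example.invalid ssh-rsa " + base64.b64encode(_BLOB).decode()
```

Both fingerprints are hashes of the same decoded key blob, so migrating changes only the hash and its encoding, not the key material being checked.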