Featuring Security Advisory Credits

Security researchers provide a critical service to developers by identifying vulnerable software, but unfortunately, many developers don't know the people behind this work.

GitHub Security Advisories allow developers to provide researchers with credit on their reported vulnerabilities, and these already make their way into the Advisory Database. This change adds Advisory credits into the researcher's GitHub profile, and to profile hovercards when viewed in the context of a security advisory.

Learn more about GitHub's Advisory Database

Learn more about disclosing vulnerabilities with Security Advisories

The "Compare two commits" REST API, which returns a list of commits reachable from one commit (or branch) but not reachable from another, now supports pagination. It can also now return the results for comparisons over 250 commits.

To learn more, see the compare two commits API reference or the guide for using pagination.

See more

To prevent unexpected changes from potentially slipping in after auto-merge is enabled on a pull request, auto-merge is now disabled automatically when new changes are pushed by a user without write access to the repository.

Note: users without write access can still update their pull requests to bring in changes from the base branch without having auto-merge disabled, but auto-merge will be disabled if the update results in merge conflicts that have to be resolved. This is to prevent merge-conflicts being deliberately used as a way to introduce code that hasn't been fully reviewed by the people with write access to the project.

Learn more about automatically merging pull requests when all merge requirements have been met.

See more