Skip to content

Dependabot alerts paused for malware advisories

On June 15th, we announced GitHub added malware advisories to the GitHub Advisory Database and will send malware alerts through Dependabot. Since shipping this change, we have received feedback that some organizations have been impacted with Dependabot alerts from these malware advisories that may be false positives.

GitHub has conducted a rapid root cause investigation and found that the majority of those alerts in question were for substitution attacks. During these types of incidents, an attacker would publish a package to the public registry with the same name as a dependency users rely on from a third party or private registry, in the hope a malicious version would be consumed. Dependabot doesn’t look at project configuration to determine if the packages are coming from a private registry, so it has been triggering an alert for packages with the same name from the public npm registry. While this does mean that your package was the target of a substitution attack it does not mean that there is an immediate action to be taken on your part as the malware has already been removed from the npm registry.

While we work to determine how to best notify customers of being the target of a substitution attack, we will be pausing all Dependabot notifications on malware advisories. For non-Enterprise-Server users, Malware advisories will still exist in the Advisory Database and send alerts on npm audit. We are not making any changes to existing alerts on github.com at this time.

For GitHub Enterprise Server users, who were the most impacted, no new advisories will come through GitHub Connect. If you are struggling with too many alerts, please reach out to support and we can share a script for you to run that will delete all malware advisories and alerts.

Previously, when creating an autolink reference for a repository, you could only use a numeric identifier in the <num> parameter. This format didn't support integration with platforms that use alphanumeric identifiers, like the last segment of this Trello card URL: https://trello.com/c/3eZr2Bxw. Now you can create an autolink with an alphanumeric identifier.

Any previously created autolinks will continue to support only numeric identifiers so that they continue working as before. Only newly created autolinks will support alphanumeric identifiers.

Autolinks are available in repositories with GitHub Pro, GitHub Team, GitHub Enterprise Cloud, and GitHub Enterprise Server. For more information, see GitHub's products.

Learn more about autolinks at Configure autolinks in the GitHub documentation. We appreciate feedback on this and other topics in GitHub's public feedback discussions.

See more

Changelog_Issues_Jun30_Cover

📊 Expanding access to charts for all plans

We are expanding our Insights capabilities to all plans! Charts help you visualize and track cycle velocity, current work status, and complex visualizations like Cumulative Flow Diagrams.

Starting today, all projects (beta) users can access custom current charts! Head over to the Insights tab for your projects to try it out and don't forget to share feedback!

We're also expanding access to time-based charts to allow organizations to visualize trends over time. Time-based charts are enabled for all Enterprise Cloud organizations and existing Team organizations with at least one project. Team organizations that have not used projects (beta) will be onboarded over the next couple of weeks.

Thank you for all of your feedback during the alpha and we hope you'll continue to share your thoughts with us on Discussions.

✨ Bug fixes & improvements

Other changes include:

  • File uploads now support both .webm and .tgz file types.
  • Unsaved view changes are persisted across page refreshes.

See how to use GitHub for project planning with GitHub Issues, check out what's on the roadmap, and learn more in the docs.

See more