Skip to content

npm signature verification using PGP keys is now deprecated.

In July 2022 the public npm registry migrated away from the existing PGP signatures to a new ECDSA signatures for signature verification.

PGP based registry signatures will be deprecated on March 31st 2023. This means no new packages will be signed with PGP keys from this date onwards and the public key hosted on Keybase will expire.

Read more about registry signatures.

GitHub Actions workflows often specify the version of an action using the commit SHA. Since commit SHAs are immutable, this ensures that Actions always picks the same version. Commit SHAs, however, are not very human friendly, so best practice is to include the semver version in a comment next to the SHA. Dependabot will now update the semver version in comments when updating Actions workflows with a commit SHA version.

Dependabot is open source, and we're thankful to first-time contributor @jproberts for this great addition!

Learn more about Dependabot

See more

GitHub Enterprise Cloud customers that use Enterprise Managed Users (EMUs) can now participate in a private beta for a new user role that has restricted visibility of internal repositories. This role helps companies to work with contractors and collaborators in a flexible and managed fashion on specific projects, while also sharing code and ideas without restrictions amongst employees.

Users are granted this new role by being marked as "Restricted Users" in your identity provider. Enterprise members granted this role can be added to Organizations as members, and added to Organization teams – but they won't be able to see internal repositories in other Organizations unless explicitly added to those repositories one-by-one.

If you would like to enroll your EMU enterprise in this private beta, please reach out to your account team or contact our sales team for more details.

See more