Fixed bug affecting npm package and organization maintainers

GitHub Security was recently notified about a caching issue affecting npm. This bug had been present since 2016 and sporadically caused npm maintainers to be re-invited upon removal from packages or organizations. Our Security team investigated potential instances of the issue and believe this bug only occurred if a user was removed, followed shortly by the addition of a different member. This bug affected npm-cli version 6 and above, and was fixed in version 7+.

Out of an abundance of caution, we are recommending all npm users review the maintainers of their projects and organizations for any discrepancies that may be a result of this bug and remove any unexpected members. Please feel free to reach out to us with any additional questions or concerns through the following contact form: https://www.npmjs.com/support.

The GitHub Packages NuGet registry now runs on a new architecture, unlocking great new capabilities:

Publishing packages at organization level with GitHub Packages

Previously, NuGet packages published to GitHub Packages were closely coupled to their repositories. Now packages can be published at an organization level. They can still be linked to a repository at any time, if needed.

Learn more about connecting a repository to a package.

Fine grained permissions for NuGet packages published to GitHub Packages

You can now configure Actions and Codespaces repository access on the package's settings page, or invite other users to access the package. Additionally, NuGet packages published to GitHub Packages can still be configured to automatically inherit all permissions from a linked repository.

Learn more about configuring a package's access control.

Internal visibility

In addition to public and private, a package's visibility can now also be set to internal. It is then visible for all members of the GitHub organization.


These new features are now available to all users on github.com.

Read more about working with the GitHub NuGet registry

We appreciate your feedback on these new changes in GitHub's public community discussions!

See more

We've shipped improvements to the billing pages for GitHub Advanced Security so it is easier for you to see how many licenses you are using.

  • You can now see how enterprises and organizations are using licenses in the summary tiles.
  • You can download a CSV report for each item in the billing table so it is easier to report on license usage.
  • For enterprises, the table is sorted by the number of unique committers in each organization, so it is easy to see where GitHub Advanced Security licenses are used.
  • If an organization chooses to disable GitHub Advanced Security on a repository, the confirmation popup now informs you how this would impact your overall licenses usage.

Enterprise and Organisation GitHub Advanced Security usage

This is available on the GitHub Advanced Security section on the enterprise's billing settings page enterprise-name/settings/billing and the organization's code security and analysis settings page organization-name/settings/security_analysis.

This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9. Learn more about the GitHub Advanced Security billing.

See more