Security overview’s team filter now includes repositories with write privileges

In security overview, when you select a team from the Team dropdown or filter by team in either the security risk or the security coverage views, results include repositories where the team has write privileges. Previously, results only included repositories where the team had admin privileges or had been granted access to security alerts.

This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9.

Learn more about the team filter and send us your feedback

Learn more about GitHub Advanced Security

Today’s Changelog brings you the addition of project events to Issue and Pull Request timelines, Issue forms for private repositories, and more!

👀 Project events in item timelines (Public Beta)

Actions related to adding Issues or Pull Requests to a project, deleting them from a project, or changing their status inside a project are now included in the item's timeline alongside existing events.

📝 Issue forms for private repositories (Public Beta)

Previously we released Issue forms for public repositories, helping maintainers provide more context on the information useful to them.

Today we are releasing Issue forms for private repositories. Issue forms for private repositories use the same YAML syntax as public repositories but do not support required fields, helping to keep your issue creation process streamlined.

✨ Bug fixes and improvements

  • Added a note that closing a project will disable all associated workflows
  • Added a tooltip text over the unsaved view indicator
  • Accessibility improvements in the project settings pages

See how to use GitHub for project planning with GitHub Issues, check out what's on the roadmap, and learn more in the docs.

What’s new?

Starting today, Dependabot will pause automated pull request activity if you haven’t merged, closed, or otherwise interacted with Dependabot for over 90 days. To resume activity when you’re ready, simply interact with Dependabot.

This change will help Dependabot focus on the repositories you care about.

When will Dependabot become paused?

This change only applies to repositories where Dependabot pull requests exist but remain untouched. If no Dependabot pull requests have been opened, Dependabot will never become paused.

The following must be true for at least 90 days:

  • Has not had a Dependabot PR merged
  • Has not had changes made to the Dependabot config file
  • Has not had any @dependabot comment-ops performed
  • Has not had any Dependabot PRs closed by the user
  • Has received at least one Dependabot PR before the 90 day window
  • Has at least one Dependabot PR open at the end of the 90 day window
  • Has had Dependabot enabled for this entire period
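To audit which repositories meet these conditions and would therefore stop receiving automated update pull requests, the list can be evaluated over a repository's activity timeline. The following is an added example, not GitHub's code: the event kinds and the `pause_blockers` function are hypothetical names, the timelines are constructed, and treating an event exactly 90 days old as inside the window is an assumption.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=90)
# Event kinds are labels made up for this example, not GitHub API event names.
INTERACTIONS = {
    "pr_merged": "a Dependabot PR was merged",
    "config_changed": "the Dependabot config file was changed",
    "comment_op": "an @dependabot comment-op was performed",
    "pr_closed_by_user": "a Dependabot PR was closed by the user",
}

def pause_blockers(events, now):
    """Return reasons the repo would NOT be paused at `now`; empty means paused.
    `events` is an iterable of (timestamp, kind, pr_number_or_None)."""
    start = now - WINDOW  # assumption: events at or after `start` are in the window
    enabled_since, open_prs, pr_before_window, blockers = None, set(), False, []
    for ts, kind, pr in sorted(events, key=lambda e: e[0]):
        if ts > now:
            break
        if kind == "enabled":
            enabled_since = enabled_since or ts
        elif kind == "disabled":
            enabled_since = None
        elif kind == "pr_opened":
            open_prs.add(pr)
            pr_before_window = pr_before_window or ts < start
        elif kind in ("pr_merged", "pr_closed_by_user"):
            open_prs.discard(pr)
        if kind in INTERACTIONS and ts >= start:
            blockers.append(INTERACTIONS[kind])
    if enabled_since is None or enabled_since > start:
        blockers.append("Dependabot was not enabled for the whole window")
    if not pr_before_window:
        blockers.append("no Dependabot PR was received before the window")
    if not open_prs:
        blockers.append("no Dependabot PR is open at the end of the window")
    return blockers

# Constructed sample timelines, evaluated on 2023-01-15 (window starts 2022-10-17).
NOW = datetime(2023, 1, 15)
STALE = [
    (datetime(2022, 6, 1), "enabled", None),
    (datetime(2022, 6, 10), "pr_opened", 1),
    (datetime(2022, 9, 1), "pr_merged", 1),   # interaction, but before the window
    (datetime(2022, 9, 20), "pr_opened", 2),  # still open at NOW
]
ACTIVE = STALE + [(datetime(2022, 12, 20), "comment_op", 2)]
NEVER_OPENED = [(datetime(2022, 6, 1), "enabled", None)]
```

An empty list for `STALE` flags a repository whose open update pull requests have gone untouched; `NEVER_OPENED` shows the case from the paragraph above, where a repository with no Dependabot pull requests never becomes paused.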

How will Dependabot let me know?

Dependabot will add a banner notice to open Dependabot pull requests, to the repository settings page (under “Dependabot”), and to your Dependabot alerts page (if Dependabot security updates are affected).

Who can use this feature?

This change does not apply to Dependabot alerts or subsequent notifications. Only repositories that have automated Dependabot version updates or security updates, but where these pull requests have gone without interaction for a while, will be affected.

This change will start to roll out today, expanding through January 2023 to include all repositories owned by individuals and by organizations with free and Team plans.

Later, it will roll out to GitHub Enterprise Cloud and GitHub Enterprise Server customers, where this improvement has the added benefit of enhanced efficiency with your self-hosted GitHub Actions runners.

Learn more about this change.