Dependency graph removes go.sum support

Dependency graph no longer ingests go.sum files for Go repositories, and Dependabot no longer alerts on vulnerabilities for dependencies found in go.sum files. Dependencies previously ingested from go.sum files have been removed from the dependency graph for all repositories on github.com.

go.sum files are not lock files but a log of all packages downloaded by Go when building a project. They may include multiple versions of a dependency, which may result in false positive Dependabot alerts for a vulnerable version that isn't actually used in the project.

Dependency graph continues to support go.mod files, the recommended format for Go projects. Use Go 1.17 or higher to ensure your go.mod file is a comprehensive view of all direct and transitive dependencies.

Learn more about the dependency graph

GitHub Octernships: a path for students for a thriving tech career

We are excited to announce the launch of GitHub Octernships! Students represent the next generation of developers and GitHub Education is here to nurture this talent, equip them with the skills they need to drive future software innovation.

GitHub Octernships is initially starting for students in 10 countries, including India, Singapore, Indonesia, Malaysia, Vietnam, Philippines, Thailand, Mexico, Nigeria, and Colombia, and will gradually expand to more regions over time.

To apply, you need to be verified on Global Campus, be an active contributor on GitHub, and keep an eye out for new projects that we’ll be posting on Octernships all year round.

image

Checkout the blog to learn more. These changes will be gradually rolling out over the next few days. Have any questions or feedback, connect with us @ Octernships Discussion

Not yet verified? What are you waiting for? Join GitHub Global Campus.

See more

Secret scanning changes coming to how you opt-in to alert notifications

We are changing how you receive notifications of secret scanning alerts. Previously, to receive secret scanning alert notifications, you had to watch a repository with "All activity" or "Security alerts" and enable Dependabot email alerts to receive notifications.

Beginning March 16, here are the steps you need to take to continue to receive notifications from secret scanning:

  1. (No change required) Watch repositories of interest by choosing "All activity" or "Security alerts". This help you choose what events GitHub will notify you about.
  2. (Action needed) In your user notification settings, choose "Email" in the "Watching" section. This tells GitHub how to notify you. Secret scanning only supports email notifications at this time.

watching settings

See more
View all changes