Security advisories now have multiple types of credits

You can now designate different types of credits to users who contribute to GitHub security advisories.

These new credit types mirror those in the CVE 5.0 schema:

  • finder
  • reporter
  • analyst
  • coordinator
  • remediation developer
  • remediation reviewer
  • remediation verifier
  • tool
  • sponsor
  • other

Going forward, GitHub will automatically apply the the reporter credit type to anyone credited after submitting a private vulnerability report and the analyst type to anyone credited after submitting an edit to the global Advisory Database. We've also retroactively applied those labels to previously credited individuals who took those actions.

Further reading:

Custom repository roles API GA and breaking change

The Custom Repository Roles REST API has moved to general availability, with a breaking change to the path used.
Previously, the API was found at /orgs/{org}/custom_roles – it has been moved to /orgs/{org}/custom-repository-roles. With organization-level custom roles in progress, we found that the custom_roles path was wasn't specific enough and could generate confusion.
The deprecated beta API will be removed from api.github.com in 6 months, on September 7th, 2023.
On GitHub Enterprise Server, the API will be available at its new path in version 3.9. The previous API to list roles was added in GHES 3.4, and will be removed with the next API version.

To learn more about custom repository roles, see "About custom repository roles" and "Custom repository roles REST API".

See more

Dependency graph removes go.sum support

Dependency graph no longer ingests go.sum files for Go repositories, and Dependabot no longer alerts on vulnerabilities for dependencies found in go.sum files. Dependencies previously ingested from go.sum files have been removed from the dependency graph for all repositories on github.com.

go.sum files are not lock files but a log of all packages downloaded by Go when building a project. They may include multiple versions of a dependency, which may result in false positive Dependabot alerts for a vulnerable version that isn't actually used in the project.

Dependency graph continues to support go.mod files, the recommended format for Go projects. Use Go 1.17 or higher to ensure your go.mod file is a comprehensive view of all direct and transitive dependencies.

Learn more about the dependency graph

See more
View all changes