Fixed bug that allowed a hovercard URL to be used to display the name, description, and star count of any repository

On March 30, 2023, we fixed a bug that allowed a dependency graph hovercard URL to be used to retrieve the name, description, and star count of any repository on GitHub.com. The bug was introduced on March 28, 2023, and our investigation has found no evidence of exploitation. To exploit the bug, a request to the URL had to carry a specific header and supply the numeric ID of a repository. The URL would then return the HTML content intended for a hovercard UI element, with the repository name, description, and star count in the response.

This bug was reported to GitHub via the GitHub Bug Bounty program.
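The failure pattern behind this bug, shown as an added illustration rather than GitHub's own code: an endpoint keyed by numeric repository ID that gates on a request header but never authorizes the viewer against the repository's visibility, beside a fixed handler that does. The header name, repository records and viewer model are all constructed for this example.

```python
# Added example (not GitHub's code): the access-control pattern behind the
# hovercard bug described above, in minimal form. The header name, repository
# records and viewer model are constructed for illustration.
from html import escape
from typing import Dict, Optional, Tuple

HOVERCARD_HEADER = "X-Hovercard"  # hypothetical; the real header is not named above

# Constructed repository table keyed by numeric ID (IDs and contents are made up).
REPOS: Dict[int, dict] = {
    101: {"name": "acme/public-tools", "description": "CLI helpers", "stars": 42,
          "private": False, "readers": set()},
    102: {"name": "acme/secret-project", "description": "Unreleased product", "stars": 7,
          "private": True, "readers": {"alice"}},
}


def _render(repo: dict) -> str:
    # Escape every field: hovercard content is user-controlled text rendered as HTML.
    return (f'<div class="hovercard"><b>{escape(repo["name"])}</b>'
            f'<p>{escape(repo["description"])}</p><span>{repo["stars"]} stars</span></div>')


def hovercard_vulnerable(repo_id: int, headers: dict, viewer: Optional[str]) -> Tuple[int, str]:
    """Buggy handler: the only gate is the request header, not the viewer's access."""
    if headers.get(HOVERCARD_HEADER) != "1":
        return 404, ""
    repo = REPOS.get(repo_id)
    if repo is None:
        return 404, ""
    return 200, _render(repo)  # leaks private repository metadata to any caller


def can_read(repo: dict, viewer: Optional[str]) -> bool:
    """Public repositories are readable by anyone; private ones only by listed readers."""
    return not repo["private"] or (viewer is not None and viewer in repo["readers"])


def hovercard_fixed(repo_id: int, headers: dict, viewer: Optional[str]) -> Tuple[int, str]:
    """Fixed handler: authorize the viewer against the repository before rendering.
    Unknown and unauthorized IDs get the same 404 so the endpoint is not an existence oracle."""
    if headers.get(HOVERCARD_HEADER) != "1":
        return 404, ""
    repo = REPOS.get(repo_id)
    if repo is None or not can_read(repo, viewer):
        return 404, ""
    return 200, _render(repo)
```

The check to add in review is the one `hovercard_fixed` makes: any endpoint addressed by a numeric ID must authorize the caller against the object, since a header requirement is not an access control.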

Since the introduction of Category Sections to organize content in our own community, users have asked for similar features to organize their own Discussions. Today, we're introducing the ability for all maintainers to group their Discussion categories into sections. We think this will help users better organize content, and also find new content more easily.

The UI for this feature looks similar to the one in our own community, but users will now see a new UI when they edit a category. From the "Manage Discussion Categories" page, users can create not only a new category but also a new section.

Editing a single category now also gives the user the option of adding it to an existing section.

For questions or feedback, please visit our community.

Available in public beta today, the security coverage page now includes multi-repository enablement, which lets you enable or disable security features across several repositories at once. This feature improves upon the “enable all” feature that only allows you to enable one security feature at a time for all repositories within the organization.

Multi-repository enablement also allows you to filter repositories based on attributes such as team or repository topic, and to enable or disable security features for only those repositories in just a few clicks.

multi-repository enablement panel on security coverage page

The following security features can be enabled/disabled using multi-repository enablement:

  • Dependency graph
  • Dependabot alerts
  • Dependabot security updates
  • GitHub Advanced Security
  • Code scanning default setup
  • Secret scanning
  • Push protection

These improvements have shipped as a public beta to GitHub.com and will be available in GitHub Enterprise Server 3.10.

Learn more about multi-repository enablement and send us your feedback.

Learn more about GitHub Advanced Security