Skip to content

GitHub Desktop makes force pushing and fetching easy and adds pull request comment notifications

GitHub Desktop 3.2.3 makes force pushing and fetching through the newly added fetch/pull dropdown menu items as well as adding pull request comment notifications. Since 3.2.1, GitHub Desktop has also released more than 30 accessibility improvements.

Force-pushing and Fetching

In GitHub Desktop 3.1.5, we added the ability to force-push and fetch to the Repository menu item when applicable. Now, when those menu items would be available, the pull/push/fetch button becomes a dropdown so users can easily force push or fetch.

Gif that shows a user pressing fetch to put the repository in a diverged state. Then, shows the user opening the new dropdown and force pushing their changes to overwrite the changes in the remote.

Pull Request Comment Notifications

If you have been enjoying our Pull Request notifications on your repositories, you will be happy to hear we have expanded those notifications to include when someone has commented on your pull request as well so that you can keep up to date on the latest conversations happening on your pull request.

Accessibility

GitHub Desktop is actively working to improve accessibility in support of GitHub's mission to be a home for all developers.

GitHub Desktop 3.2.1

  • Misattributed warning is announced in 'Git' preferences/options by screen readers – #16239
  • The Preferences/Options dialog content is still visible when zoomed at 200% – #16317
  • Up/down arrow can be used to navigate autocomplete lists like emoji again – #16044
  • Focus history and changes list when accessed via keyboard shortcut or menu – #16360
  • On Windows, app level menu bar and menu items are announced by screen readers – #16315
  • Keyboard shortcuts for resizing app sidebar and file lists – #16332
  • Misattributed commit popover does not clip when app is zoomed – #16407
  • Accessibility improvements for the co-authors input – #16335
  • Commit completion status is announced by screen readers – #16371, #16340
  • Improve accessibility of dialogs for screen reader users – #16350
  • Accessibility improvements for autocompletion suggestions – #16324
  • Learn more links are descriptive for screen readers – #16274
  • Popover titles are announced by screen readers – #16270
  • Show offset focus ring for buttons, vertical tabs etc – #16288
  • Application main menu on Windows doesn't clip when zoom is set to 200% – #16290
  • Button and text box contrast bumps – #16287
  • Other email input in "Git" preferences/Options and misattributed popover email select have a screen readable label – #16240
  • Add/remove co-authors button is now keyboard accessible – #16200

GitHub Desktop 3.2.3

  • NVDA reads number of suggestions when an autocompletion list shows up – #16526
  • The undo commit confirmation modal message is screen reader announced – #16472
  • Clipping and overlapping of the changes list is fixed at 200% zoom – #16425
  • The commit message avatar is now a toggle tip making the commit author details keyboard accessible – #16272
  • The commit length hint is keyboard and screen reader accessible – #16449
  • The changes list header checkbox tooltip description is announced by screen readers – #16457
  • The changes list header checkbox tooltip is keyboard accessible – #16487
  • Announce a file's state of inclusion in the commit on the changes list – #16420
  • Display focus ring around focused control after dismissing a dialog – #16528
  • Identify the changes list and history commit list as the changes and history tab panels for screen readers – #16463
  • Windows title bar controls do not interrupt screen readers in browse mode – #16483
  • Make radio theme selection look like radio buttons. – #16525
  • Improve accessibility of GitHub Enterprise login flow – #16567"
  • Screen readers announce sign in errors – #16556"

Automatic updates will roll out progressively, or you can download the latest GitHub Desktop here.

Dependabot alerts now automatically dismiss false positives for npm (public beta)

Starting today, Dependabot will be able to auto-dismiss npm alerts that have limited impact (e.g. long-running tests) or are unlikely to be exploitable. With this ship, Dependabot will cut false positives and reduce alert fatigue substantially.

On-by-default for public repositories, and opt-in for private repositories, this feature will result in 15% of low impact npm alerts being auto-dismissed moving forward – so you can focus on the alerts that matter, without worrying about the ones that don’t.

What’s changing?

When the feature is enabled, Dependabot will auto-dismiss certain types of vulnerabilities that are found in npm dependencies used in development (npm devDependency alerts with scope:development). This feature will help you proactively filter out false positives on development-scoped (non-production or runtime) alerts without compromising on high risk devDependency alerts.

Dependabot alerts auto-dismissal list view

Frequently asked questions

Why is GitHub making this change?

At GitHub, we’ve been thinking deeply about how to responsibly address long-running issues around alert fatigue and false positives. Rather than over-indexing on one criterion like reachability or dependency scope, we believe that a responsibly-designed solution should be able to detect and reason on a rich set of complex, contextual alert metadata.

That’s why, moving forward, we’re releasing a series of ships powered by an underlying, all-new, flexible and powerful alert rules engine. Today’s ship, our first application, leverages GitHub-curated vulnerability patterns to help proactively filter out false positive alerts.

Why auto-dismissal, rather than purely suppressing these alerts?

Auto-dismissing ensures any ignored alerts are 1) able to be reintroduced if alert metadata changes, 2) caught by existing reporting systems and workflows, and 3) extensible as a whole to future rules-based actions, where Dependabot can decision on subsets of alerts and do things like reopen for patch, open a Dependabot pull request, or even auto-merge if very risky.

How does GitHub identify and detect low impact alerts?

Auto-dismissed alerts match GitHub-curated vulnerability patterns. These patterns take into account contextual information about how you’re using the dependency and the level of risk they may pose to your repository. To learn more, see our documentation on covered classes of vulnerabilities.

How will this activity be reported?

Auto-dismissal activity is supported across webhooks, REST, GraphQL, and the audit log for Dependabot alerts. In addition, you can review your closed alert list with the resolution:auto-dismissed filter.

How will this experience look and feel?

Alerts identified as false positives will be automatically dismissed without a notification or new pull request, and appear as special timeline event. As these alerts are closed, you’ll still be able to review any auto-dismissed alerts with the resolution:auto-dismissed filter.

How do I reopen an automatically dismissed alert?

Like any manually dismissed alert, you can reopen an auto-dismissed alert from the alert list view or details page. This specific alert won’t be auto-dismissed again.

What happens if alert metadata changes or advisory information is withdrawn?

Dependabot recognizes and immediately responds to any changes to metadata which void auto-dismissal logic. For example, if you change the dependency scope and the alert no longer meets the criteria to be auto-dismissed, the alert will automatically reopen.

How can I enable or disable the feature?

This feature is on-by-default for public repositories and opt-in for private repositories. Repository admins can opt in or out from your Dependabot alerts settings in the Code Security page.

Is this feature available for enterprise?

Yes! In addition to all free repositories, this feature will ship immediately to GHEC and to GHES in version 3.10.

What’s next?

Next, we’ll expose our underlying engine – which enables Dependabot to perform actions based on a rich set of contextual alert metadata – so you can write your own custom rules to better manage your alerts, too.

How do I learn more?

How do I provide feedback?

Let us know what you think by providing feedback — we’re listening!

See more

Rootly is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Rootly to scan for their tokens and help secure our mutual users on public repositories. Rootly tokens allow users to authenticate against the Rootly API and create incidents programmatically. GitHub will forward access tokens found in public repositories to Rootly, who will notify workspace owners and let them revoke token within a few seconds. You can read more information about Rootly tokens here.

GitHub Advanced Security customers can also scan for Rootly tokens and block them from entering their private and public repositories with push protection.

See more
View all changes