On September 27, 2023, we began blocking npm package publishes with differing name or version fields between the manifest and tarball package.json. This blocking protects against obfuscation. The different fields in the manifests have been assessed from a risk-based perspective. We will continue to analyze for other mismatches that can be blocked that won’t have adverse effects on the ecosystem. If a package is blocked, a user may receive an error message similar to “Package ‘version’ is “1.0.4”. It should match “1.0.3” from “package.json” in packaged tarball. Make all changes to package.json before packaging a tarball to publish.” In addition, a new tool, npm pkg fix, can help users fix any validation errors from the registry when they attempt to publish a package.
GitHub Advanced Security only consumes licenses for commits and pushes made after a repository is migrated to GitHub
GitHub Advanced Security now automatically only consumes licenses for commits and pushes made after a repository is migrated to GitHub, rather than considering all historic contributions from before the migration.
When a repository is migrated to GitHub, all historic commits are combined into a single push. This meant that when GitHub Advanced Security was enabled the repository would use licenses for all commits in that combined push, and so consume licenses for all historic commits. Previously this would be resolved manually, but this ship automates this work. GitHub Advanced Security now only uses licences for commits and pushes made after migration and does not consider legacy pushes that occurred in migrated repositories.
This has shipped to GitHub.com and will ship to GitHub Enterprise Server 3.12. Read more about billing for GitHub Advanced Security.
GitHub Enterprise and organization owners now have improved visibility into authentication activity via personal access token (classic), fine-grained personal access token (FGP), OAuth token, SSH key or deploy key. The audit log may now contain hashed renderings of the token or key used for authentication and the programmatic_access_type field describing the type of token/key used for authentication. Enterprise and organization owners can query by specific token or key to identify and track activity.
To learn more, read our documentation on identifying audit log events performed by an access token.