Automatically submit your Maven transitive dependencies to the dependency graph

To create a comprehensive model of the dependencies in a Maven project, it is essential to understand the transitive dependencies that are resolved at build time. This feature automatically performs build-time resolution of Maven dependencies and submits them to the dependency graph. This improves visibility into your project’s composition by including both the direct and transitive dependencies in your repository’s dependency graph and Dependabot alerts.

When you enable this feature, GitHub will monitor changes to the pom.xml file in the root of all branches of the repository, discover the dependencies referenced in this file, and automatically submit details about them to the dependency graph. This feature requires GitHub Actions, and it is compatible with both GitHub-hosted and self-hosted runners.

See the documentation to learn more about how to enable automatic dependency submission to help you secure your software supply chain.
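To make the direct/transitive distinction concrete, here is an added example (not GitHub's implementation and not code from this page) that turns resolved `mvn dependency:tree` output into the `resolved` section of a dependency submission snapshot. The sample tree, the function names, and the job and detector values are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE_TREE = r"""
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework:spring-core:jar:5.3.20:compile
[INFO] |  \- org.springframework:spring-jcl:jar:5.3.20:compile
[INFO] \- junit:junit:jar:4.13.2:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# Each nesting level is a 3-character indent ("|  " or "   ") before "+- " or "\- ".
NODE = re.compile(r"^\[INFO\] ((?:[| ] {2})*)[+\\]- (\S+)")

def resolved_from_tree(tree_text):
    """Return {purl: entry} covering direct and transitive dependencies."""
    resolved, stack = {}, []  # stack[i] is the purl of the open node at depth i + 1
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # root project line, blanks, unrelated Maven log lines
        depth = len(m.group(1)) // 3 + 1
        parts = m.group(2).split(":")  # group:artifact:type[:classifier]:version:scope
        purl = f"pkg:maven/{parts[0]}/{parts[1]}@{parts[-2]}"
        resolved.setdefault(purl, {
            "package_url": purl,
            "relationship": "direct" if depth == 1 else "indirect",
            "scope": "development" if parts[-1] == "test" else "runtime",
            "dependencies": [],
        })
        del stack[depth - 1:]  # close nodes at this depth or deeper
        if stack:
            resolved[stack[-1]]["dependencies"].append(purl)
        stack.append(purl)
    return resolved

def build_snapshot(tree_text, sha, ref):
    """Wrap the resolved set in a dependency submission snapshot body."""
    manifest = {"name": "pom.xml", "file": {"source_location": "pom.xml"},
                "resolved": resolved_from_tree(tree_text)}
    return {
        "version": 0, "sha": sha, "ref": ref,
        "job": {"correlator": "example-maven-submit", "id": "1"},  # placeholders
        "detector": {"name": "example-detector", "version": "0.0.1",
                     "url": "https://example.invalid/detector"},  # placeholders
        "scanned": datetime.now(timezone.utc).isoformat(),
        "manifests": {"pom.xml": manifest},
    }
```

Only the two depth-1 entries are declared in `pom.xml`; the other two exist only after resolution, which is why they are absent from a graph built from the manifest alone.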

CodeQL is the static analysis engine that powers GitHub code scanning. CodeQL version 2.18.1 has been released and has now been rolled out to code scanning users on GitHub.com.

Important changes by version include:

For a full list of changes, please refer to the complete changelog for versions 2.17.6, 2.18.0, and 2.18.1. All new functionality will be included in GHES 3.15. Users of GHES 3.14 or older can upgrade their CodeQL version.


Today, we’re introducing the beta for Copilot Enterprise Mixed Licensing within an enterprise. This grants GitHub Enterprise Cloud customers greater flexibility in selecting the best Copilot plans for their needs. Now, you can set a Copilot plan at the organization level instead of at the enterprise level.

Try it out now

To update an organization’s Copilot plan, an Enterprise Admin should navigate to Copilot Settings for the enterprise and select the desired plan via the dropdown menu for each organization.


Learn more about Copilot Enterprise Mixed Licensing in our documentation here and let us know what you think via Discussions.
