Dependabot helps users focus on the most important alerts by including EPSS scores that indicate likelihood of exploitation, now generally available

Dependabot alerts now feature the Exploit Prediction Scoring System (EPSS) from the global Forum of Incident Response and Security Teams (FIRST), helping you better assess vulnerability risks.

EPSS scores predict the likelihood of a vulnerability being exploited, with scores ranging from 0 to 1 (0 to 100%). Higher scores mean higher risk. We also show the EPSS score percentile, indicating how a vulnerability compares to others.

For example, a 90.534% EPSS score at the 95th percentile means:

  • 90.534% chance of exploitation in the next 30 days
  • 95% of other vulnerabilities are less likely to be exploited

You can use EPSS scores to help prioritize dependency vulnerabilities based on exploit likelihood.
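As an added illustration of that prioritization (not GitHub's or FIRST's code), the following Python ranks a handful of constructed alert records by EPSS probability and then by severity, and renders each score the way the example above reads it. The record layout, the field names and the "act now / schedule / monitor" thresholds are assumptions chosen for the example, not a GitHub API shape or a recommended policy.

```python
"""Rank dependency alerts by EPSS exploit likelihood, with severity as tie-breaker.

Added example; not GitHub's or FIRST's code. The Alert layout below is an
assumption: each record carries an EPSS probability (0..1), an EPSS percentile
(0..1) and a CVSS-style severity label.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Alert:
    advisory_id: str        # placeholder identifier, not a real advisory id
    package: str
    severity: str           # "critical" | "high" | "medium" | "low"
    epss_score: float       # probability of exploitation in the next 30 days, 0..1
    epss_percentile: float  # fraction of scored vulnerabilities ranked lower, 0..1


def describe(alert):
    """Render the score and percentile in the wording the announcement uses."""
    pct = alert.epss_score * 100
    rank = alert.epss_percentile * 100
    return (f"{pct:.3f}% chance of exploitation in the next 30 days; "
            f"{rank:.0f}% of other vulnerabilities are less likely to be exploited")


def triage_tier(alert, score_threshold=0.10, percentile_threshold=0.90):
    """Assumed triage policy: treat an alert as urgent when exploitation is
    likely by absolute probability or the vulnerability sits in the top decile,
    regardless of severity; otherwise fall back on the severity label."""
    if alert.epss_score >= score_threshold or alert.epss_percentile >= percentile_threshold:
        return "act-now"
    if alert.severity in ("critical", "high"):
        return "schedule"
    return "monitor"


def prioritize(alerts):
    """Highest exploit likelihood first; severity breaks ties."""
    return sorted(
        alerts,
        key=lambda a: (a.epss_score, SEVERITY_RANK.get(a.severity, 0)),
        reverse=True,
    )


# Constructed sample alerts; scores are illustrative, not real EPSS data.
SAMPLE_ALERTS = [
    Alert("ADVISORY-A", "libfoo", "critical", 0.00045, 0.16),
    Alert("ADVISORY-B", "libbar", "medium", 0.90534, 0.95),
    Alert("ADVISORY-C", "libbaz", "high", 0.12, 0.93),
    Alert("ADVISORY-D", "libqux", "low", 0.0008, 0.30),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE_ALERTS):
        print(f"{triage_tier(a):9} {a.advisory_id} {a.package} ({a.severity}): {describe(a)}")
```

Note how the two signals disagree in the sample: the critical-severity alert has a very low exploit probability and lands in the "schedule" tier, while the medium-severity alert with the 90.534% score at the 95th percentile is the one to act on first. That is the reordering EPSS is meant to surface.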

This feature is available on GitHub.com today, and will be available in GitHub Enterprise Server starting with version 3.17.

Learn more in FIRST’s EPSS User Guide.
Join the discussion within GitHub Community.
Read more about viewing, sorting, and filtering Dependabot alerts in GitHub’s Dependabot docs.

Starting February 4, 2025, new GitHub Free plan customers will gain access to the enhanced billing platform: a suite of new features designed to help administrators understand and manage GitHub spend for their organization.

Benefits of the new platform include:

  • Spend transparency: view usage for organizations, repositories, products, and SKUs by day, month, or year
  • Improved control: set budgets to limit spending and configure alerts to stay informed of budget utilization

[Screenshot: metered usage graph for the Mona-free-organization]

What to expect

Existing Free plan customers will gain access to the enhanced billing platform in the coming months. You will be informed via email and an in-app banner on the billing page in advance of the transition.

Here are some things to know about the transition:

  • Once transitioned, a new Billing & Licensing section will appear in the enterprise account menu.
  • Spending limits will be migrated and renamed as budgets in the new billing platform. For more details about budgets, visit Preventing overspending.
  • While the new billing platform will not visually display historical usage, you will be able to download a usage report to get your pre-transition historical usage.

Other important changes

  • Git Large File Storage will transition from prepaid, quota-based data packs to a usage-based metered billing model. If you use Git Large File Storage today, you’ll receive credits for any unused data packs. For more information, visit “About enhanced billing for Git Large File Storage.”

Learn more

For more information, visit Using the enhanced billing platform for organizations.


Copilot Extensions GA

Your tools. Your workflows. All within Copilot Chat.

GitHub Copilot Extensions are now generally available for users across all Copilot license tiers. With Copilot Extensions, you can integrate and prompt your favorite tools directly in Copilot Chat using natural language wherever you develop, including Visual Studio Code, Visual Studio, JetBrains IDEs, and GitHub.com. Copilot Extensions on GitHub Mobile will be generally available in the coming weeks.

Copilot Extensions help you stay in your workflow, with context-aware assistance from your favorite tools right at your fingertips. Today’s marketplace is home to a wide range of extensions, from Perplexity to Stack Overflow, to Docker and Mermaid Chart. Developers can unlock productivity gains with extensions in minutes. For example, Arm’s extension streamlines cloud adoption and migration, enabling developers to build, test, and deploy software on Arm-based servers while seamlessly leveraging Arm’s efficient, scalable, and high-performance architecture.

Explore these extensions and more on the GitHub Marketplace to bring new contexts and capabilities into the chat. All you need is access to GitHub Copilot to get started. 🚀

Building GitHub Copilot Extensions

Our platform also lets you build your own public or private extension, depending on your requirements. This flexibility allows you to develop highly customized extensions for your enterprise or organization, or general applications that can serve thousands of developers. The comprehensive Copilot Extensions toolkit provides centralized code samples and tools to help you build high-quality extensions.

Alongside General Availability, we’re introducing OpenID Connect (OIDC) support for builders. This replaces the X-Github-Token auth model with native third-party tokens, reducing API round trips, and improving security. Instead of verifying GitHub tokens on every request, integrators receive pre-exchanged tokens tailored to their system, enabling direct authentication and authorization. This lowers latency, simplifies identity mapping, and aligns with GitHub’s existing OIDC workflows for Actions.

Builders have several ways to develop customized extensions, including:

  • Copilot skillsets, a faster, lightweight implementation option
  • Context passing, a capability that helps extensions benefit from a user’s local editor context for more tailored responses

Ready to contribute to our growing ecosystem? Get started with our Copilot Extension builder docs.

👀 What’s next?

Our general availability is only the starting point for agentic capabilities. We’re continuing to reimagine AI assisted workflows, with recent releases like agent mode and explorations around Project Padawan. These innovations only scratch the surface of what is possible with GitHub and AI agents. Continue being a part of the conversation by providing feedback as you try out extensions. ⭐
