Changes and deprecation notice for npm replication APIs

We are making changes to npm replication APIs to optimize performance and availability. As part of this update, certain endpoints will be deprecated as of Thursday, May 29, 2025.

To facilitate a seamless transition, the new endpoints will be available starting Tuesday, March 18, 2025, operating in parallel with the existing endpoints. The existing endpoints will be fully deprecated on Thursday, May 29, 2025.

During the transition period, you may access the new endpoints by including the npm-replication-opt-in header with the value true in your requests. This option will be available from Tuesday, March 18, 2025 until the deprecation date, after which only the new endpoints will be available. Effective Thursday, May 29, 2025, the header will be ignored, and all requests will be directed to the new endpoints by default.

This notice is provided to ensure adequate time for necessary updates to replication implementations. We strongly encourage developers to migrate to the new endpoints as early as possible.

How to migrate?

To assist with migration, we have detailed documentation in our replication API migration community discussion, outlining alternative approaches for deprecated endpoints when available. This is the go-to place for questions and discussions.

Additional support for migration

If you have further questions or need additional assistance, please reach out to our support team.

Manage push protection bypass requests for secret scanning with the REST API

Push protection for secret scanning blocks any push that contains a secret. By default, this block can be bypassed, which results in a secret scanning alert in the repository. Delegated bypass controls let you choose who is allowed to bypass push protection, and contributors without permissions to bypass must submit a request for approval by the listed reviewers. These controls can reduce the risk of secrets being accidentally exposed in your codebase.

Managing bypass requests is now available with the REST API, offering flexibility for triaging and reviewing by integrating with your existing workflows.

Reviewers can retrieve bypass requests for an organization or repository with the following endpoints:

Reviewers can review a request and dismiss a response to a request with the following endpoints:

Learn more about how to secure your repositories with secret scanning and push protection.

See more

It is easier to track your progress with fixed code scanning CodeQL security alerts on the Security Overview page

Now it is easier to see how many of your historical CodeQL alerts received autofix suggestions and how many of those alerts were resolved across all the repositories in your organization.

Historical alerts are those found in your default and protected branches, indicating potential existing security issues in your code. You can stay informed about the progress of historical alert resolution and expediting this process as it is essential for accurately assessing your security risks.

Screenshot of total alerts fixed with an accepted autofix out of all with a suggested autofix.

The new “Alerts fixed with autofix suggestions” tile on the Security Overview provides you with the total number of fixed vulnerabilities compared to the total suggested autofixes for existing alerts. This will help you stay informed about the security trends in your organization.

Learn more about Copilot Autofix for CodeQL code scanning and security overview.

To leave feedback for Copilot Autofix for code scanning, join the discussion.

See more
View all changes