beta

Subscribe to all “beta” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Dependabot alerts now automatically dismiss false positives for npm (public beta)

Starting today, Dependabot will be able to auto-dismiss npm alerts that have limited impact (e.g. long-running tests) or are unlikely to be exploitable. With this ship, Dependabot will cut false positives and reduce alert fatigue substantially.

On-by-default for public repositories, and opt-in for private repositories, this feature will result in 15% of low impact npm alerts being auto-dismissed moving forward – so you can focus on the alerts that matter, without worrying about the ones that don’t.

What’s changing?

When the feature is enabled, Dependabot will auto-dismiss certain types of vulnerabilities that are found in npm dependencies used in development (npm devDependency alerts with scope:development). This feature will help you proactively filter out false positives on development-scoped (non-production or runtime) alerts without compromising on high risk devDependency alerts.

Dependabot alerts auto-dismissal list view

Frequently asked questions

Why is GitHub making this change?

At GitHub, we’ve been thinking deeply about how to responsibly address long-running issues around alert fatigue and false positives. Rather than over-indexing on one criterion like reachability or dependency scope, we believe that a responsibly-designed solution should be able to detect and reason on a rich set of complex, contextual alert metadata.

That’s why, moving forward, we’re releasing a series of ships powered by an underlying, all-new, flexible and powerful alert rules engine. Today’s ship, our first application, leverages GitHub-curated vulnerability patterns to help proactively filter out false positive alerts.

Why auto-dismissal, rather than purely suppressing these alerts?

Auto-dismissing ensures any ignored alerts are 1) able to be reintroduced if alert metadata changes, 2) caught by existing reporting systems and workflows, and 3) extensible as a whole to future rules-based actions, where Dependabot can decision on subsets of alerts and do things like reopen for patch, open a Dependabot pull request, or even auto-merge if very risky.

How does GitHub identify and detect low impact alerts?

Auto-dismissed alerts match GitHub-curated vulnerability patterns. These patterns take into account contextual information about how you’re using the dependency and the level of risk they may pose to your repository. To learn more, see our documentation on covered classes of vulnerabilities.

How will this activity be reported?

Auto-dismissal activity is supported across webhooks, REST, GraphQL, and the audit log for Dependabot alerts. In addition, you can review your closed alert list with the resolution:auto-dismissed filter.

How will this experience look and feel?

Alerts identified as false positives will be automatically dismissed without a notification or new pull request, and appear as special timeline event. As these alerts are closed, you’ll still be able to review any auto-dismissed alerts with the resolution:auto-dismissed filter.

How do I reopen an automatically dismissed alert?

Like any manually dismissed alert, you can reopen an auto-dismissed alert from the alert list view or details page. This specific alert won’t be auto-dismissed again.

What happens if alert metadata changes or advisory information is withdrawn?

Dependabot recognizes and immediately responds to any changes to metadata which void auto-dismissal logic. For example, if you change the dependency scope and the alert no longer meets the criteria to be auto-dismissed, the alert will automatically reopen.

How can I enable or disable the feature?

This feature is on-by-default for public repositories and opt-in for private repositories. Repository admins can opt in or out from your Dependabot alerts settings in the Code Security page.

Is this feature available for enterprise?

Yes! In addition to all free repositories, this feature will ship immediately to GHEC and to GHES in version 3.10.

What’s next?

Next, we’ll expose our underlying engine – which enables Dependabot to perform actions based on a rich set of contextual alert metadata – so you can write your own custom rules to better manage your alerts, too.

How do I learn more?

How do I provide feedback?

Let us know what you think by providing feedback — we’re listening!

See more

Codespaces support for JetBrains Rider (Beta)

The GitHub Codespaces plugin for the JetBrains Gateway now supports Rider as a remote IDE. .NET developers can now leverage the standardization and power of GitHub Codespaces with JetBrains Rider's singular code indexing, navigation, and debugging capabilities.

JetBrains Rider in Gateway

GitHub Codespaces support for Rider enables multiple solution file scenarios. If there is only one solution file in a given codespace, the GitHub Codespaces plugin will automatically select that solution file. If there are multiple, the plugin will prompt the user to select which solution file they intend to use to open their project. Repositories without solution files are still compatible with Rider, however some features will be limited when no solution file is selected.

Rider solution file picker

To get started with Rider, follow the documentation for installing GitHub Codespaces into the JetBrains Gateway. Once installed, users can connect to any of their existing codespaces with Rider as their selected IDE.

We are extremely excited to deliver our top requested feature since the beta announcement of JetBrains support in GitHub Codespaces.

Additional Resources:

See more

Risk and coverage views on the Security tab for organizations (public beta)

Security overview’s new risk and coverage views provide greater visibility into your security posture and risk analysis.

Each new view offers a refreshed design with several key improvements, including insights and dynamic filtering.

Coverage view

The coverage view gives visibility into enablement across all repositories. On the coverage view, you can:

  • See counts and percentages of repositories with GitHub security features enabled or disabled, which update when you apply filters
  • Track enablement for additional security features, including secret scanning push protection, Dependabot security updates, and code scanning pull request alerts.

security-tab-coverage-page

Risk view

The coverage view is complimented by a new risk view that gives visibility into all alerts across these repositories.
On the risk view, you can:

  • See counts and percentages of repositories with security vulnerabilities, which also update when you apply filters
  • See open alerts segmented by severity for both Dependabot and code scanning.

security-tab-risk-page

Both views are now available as a public beta. In the coming weeks, we will deprecate the overview in favor of these two new views.

Learn more about the new risk and coverage views and send us your feedback

See more

GitHub Codespaces with JetBrains IDEs (Public Beta)

GitHub now supports the use of GitHub Codespaces with JetBrains IDEs via the JetBrains Gateway. After downloading the JetBrains Gateway and installing the GitHub Codespaces plugin, users will be able to connect to their codespaces with the JetBrains IDE of their choice.

jb-gateway

Once connected, users can leverage the full power of JetBrains' IDEs in the cloud: fast, accurate code completion; integrated run and debug configurations; and unparalleled code navigation tools. Rather than needing to install each IDE on a developer machine, using GitHub Codespaces with JetBrains IDEs enables the use of any JetBrains IDEs in the cloud.

jetbrains-image

The beta supports connectivity to a codespace, private port forwarding, and a fully featured code editing experience in the following IDEs:

  • IntelliJ IDEA
  • PyCharm
  • WebStorm
  • GoLand
  • RubyMine
  • PHPStorm

Additional IDE support, codespace management tools (e.g. creation, deletion, changing the machine type), and better support for Development Container creation will be added as the beta progresses.

In order to connect to a codespace via the JetBrains Gateway, users will need the following:

Check out the documentation to learn more and get started.
For feedback or questions, create an issue in this repository and we will get back to you.

See more

Using Codespaces with JupyterLab (Public Beta)

GitHub is excited to announce support for using GitHub Codespaces with JupyterLab. JupyterLab is the next-generation user interface for Project Jupyter offering all the familiar building blocks of the classic Jupyter Notebook (notebook, terminal, text editor, file browser, rich outputs, etc.) in a flexible and powerful user interface.

JupyterLab in a Codespace

Using GitHub Codespaces with JupyterLab combines the delightful notebook editing, data exploration, and narrative building experiences of JupyterLab with the power, standardization, and simplicity of a codespace.

You can open any codespace in JupyterLab via the repository page or the GitHub CLI:

open in JupyterLab examples

You can also set JupyterLab as your preferred editor, enabling single click access to codespaces via JupyterLab:

set JupyterLab as default editor

JupyterLab support is even more powerful when combined with GPU-powered codespaces. Though GPU access is not yet generally available, you can request early access here.

Click here to learn more about GitHub Codespaces support for Machine Learning and AI, or jump straight into our template repository and try it out!

See more

View code scanning alerts across your enterprise (Public Beta)

GitHub Advanced Security customers can now see an overview of code scanning alerts at the enterprise level. This page provides a repo-centric view of application security risks, as well as an alert-centric view of all secret scanning, Dependabot and now code scanning alerts. This view is beta and will be followed in the coming weeks with an enterprise level REST API to retrieve code scanning alerts.

Code scanning alerts at the enterprise level

Learn more about security overview
Learn more about GitHub Advanced Security

See more

View Dependabot alerts across the enterprise

GitHub Advanced Security customers can now see an overview of Dependabot alerts at the enterprise level. This page provides a repo-centric view of application security risks, as well as an alert-centric view of all secret scanning and now Dependabot alerts. The views are in beta and will be followed in the coming months by alert-centric views for code scanning.

Dependabot alerts at the enterprise level

Learn more about security overview
Learn more about GitHub Advanced Security

See more

Security overview for enterprise in beta

GitHub Advanced Security customers can now view an overview of security alerts at the enterprise level. The new "Security" tab at the enterprise level provides a repo-centric view of application security risks, as well as an alert-centric view of all secret scanning alerts. Both views are in beta, and will be followed in the coming months by alert-centric views for code scanning and Dependabot alerts.

Security overview at the enterprise level

Learn more about security overview
Learn more about GitHub Advanced Security

See more

Introducing the organization-level security manager role

Organizations can now grant teams permission to manage security alerts and settings on all their repositories. The "security manager" role can be applied to any team and grants the team's members the following permissions:

  • Read access on all repositories in the organization
  • Write access on all security alerts in the organization
  • Access to the organization-level security tab
  • Write access on security settings at the organization level
  • Write access on security settings at the repository level

Security manager configuration

Learn more about the security manager role

See more

Issues forms beta for public repositories

Issues submitted to open source projects often lack important information. Markdown issue templates can help by providing text that contributors can remove and replace with their own input – but sometimes contributors can miss details or get confused.

New, YAML configured issue forms enable maintainers to build structured forms with required fields and easy-to-follow steps so that they can capture every important detail.

User submits an issue via issue forms.

Issue forms are now available in beta for all publicly accessible repositories.

Learn more about issue forms and send us your feedback.

See more

What’s new with GitHub Issues

GitHub Issues banner image

Today we are announcing new beta features within GitHub Issues, with better ways to plan, track, and manage projects.

Read more on the GitHub Issues page or in the FAQ.

✨ NEW – Project planning for developers

Available in limited public beta

Built like a spreadsheet, project tables give you a live canvas to filter, sort, and group issues and pull requests. Tailor them to your needs with custom fields and saved views. Sign up for the beta now.

  • Prioritize your work across repositories with a new spreadsheet-like table
  • Extend issues with custom fields with support for text, number, date and single-select types
  • Change custom field values right from the issues sidebar
  • Filter, sort, and group by any field
  • Instantly switch between project tables and boards
  • Save your view options to share with your team
  • Build custom workflows with a GraphQL API to access project issues and metadata
  • Use cmd + k to bring up a command palette that lets you filter, sort, group, and manage views

✨ NEW – Break issues into actionable tasks

Available in public beta

When lists of tasks are created in markdown and referenced in another issue, this will now create a dynamic relationship that helps you break down your work and track it to completion. Convert text into issues quickly after brainstorming ideas with your team, and stay up to date on progress now that tracked issues are automatically checked off when closed.

  • Create task lists of issues and pull requests
  • Quickly convert text into issues
  • Track status of tasks with progress indicators
  • See which issues another issue is being tracked in
  • Automatically update the status of a task when the tracked issue is closed

View the progress of your issues and see how work is related with task lists

📣 Got feedback?

Join our feedback community and let us know how we can improve.

See more

Security overview for organizations and teams in beta

The new security overview for organizations and teams – which provides a high-level view of the application security risks a GitHub organization is exposed to – is now in beta for all GitHub Advanced Security customers on GitHub Enterprise Cloud.

Security overview

With the new security overview GitHub Advanced Security customers now have a single place to see the application security risks detected by code scanning, Dependabot, and secret scanning. The security overview shows both these known security risks as well as where you have unknown risks because security features haven’t been configured.

Learn more about security overview
Learn more about GitHub Advanced Security

See more

Dependency review now supports filtering and commit diffs

Dependency review, in beta, helps you review dependency changes in your pull requests. But how do you find your package manifests amongst all the other files? Now you can filter the files in pull requests to see just the package manifests:

Screenshot of pull request manifest filter

What if you don’t have a pull request at all? Now you can review dependency changes between any two commits, such as:

  • During the creation of a pull request,
  • When comparing two branches, tags, or specific commits, and
  • When viewing the history of a package manifest.

GIF of dependency review on commit diff

Learn more about reviewing dependency changes in pull requests.

See more

Dependabot private registry support public beta

Dependabot can now access dependencies from authenticated private registries, such as GitHub Packages, Azure Artifacts, and Artifactory. These private registries are similar to their public equivalents, but they require authentication and are only available to members of your team or company. With this release, Dependabot version updates can help keep inner source as up-to-date as open source.

To enable this feature, add a registries section to your dependabot.yml, reference your new registries in the relevant updates, and add any secrets to Dependabot’s secret store. For example, here’s how to use GitHub Packages with Dependabot:

registries:
  npm-ghp-octocat:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{secrets.GITHUB_PERSONAL_ACCESS_TOKEN}} # make sure to store this in your Dependabot secrets!

updates:
    package-ecosystem: npm
    directory: "/"
    registries: 
      - npm-ghp-octocat
    schedule:
      interval: daily

This complements your ability to give Dependabot version updates access to private repositories, which is common for ecosystems like go modules and npm.

Learn more about Dependabot version updates

To see what’s next for Dependabot, visit the public roadmap

See more