Skip to content

/ Blog

Try GitHub Copilot Contact sales

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
  - Secure enterprise development
    Locking down the SDLC one step at time.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open Source
- Open Source
  Everything open source on GitHub.
  - Git
    The latest Git updates.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
  - Gaming
    Explore open source games on GitHub.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Categories

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
  - Secure enterprise development
    Locking down the SDLC one step at time.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open Source
- Open Source
  Everything open source on GitHub.
  - Git
    The latest Git updates.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
  - Gaming
    Explore open source games on GitHub.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Contact sales Try GitHub Copilot

dependency-graph

Subscribe to all “dependency-graph” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

→ ~ cd github-changelog

→ ~/github-changelog|main git log main

showing all changes successfully

Deprecation of API endpoint to enable or disable a security feature for an organization

July 22, 2024

Code security configurations were made generally available on July 10th, 2024. This experience replaces our old settings experience and its API.

If you are currently using the REST API endpoint to enable or disable a security feature for an organization, this endpoint is now considered deprecated.

It will continue to work for an additional year in the current version of the REST API before being removed in July of 2025. However, users should note this will conflict with the settings assigned in code security configurations if the configuration is unenforced. This may result in a code security configuration being unintentionally removed from a repository.

The endpoint will be removed entirely in the next version of the REST API.

To change the security settings for repositories, you can use the code security configurations UI, the configurations API, or the unaffected enterprise-level security settings.

Send us your feedback!.

See more See more

Code security configurations are supported in the audit log

July 19, 2024

GitHub Enterprise Cloud customers can now see code security configurations data in audit log events.

Code security configurations simplify the rollout of GitHub security products at scale by defining collections of security settings and helping you apply those settings to groups of repositories. Configurations help you change the settings for important features like code scanning, secret scanning, and Dependabot.

With the addition of configurations data in the audit log, organization and enterprise owners have easy visibility into why the settings on certain repositories may have changed.

Audit log events now include:
– Name of the configuration applied to a repository
– When the configuration application fails
– When a configuration is removed from a repository
– When configurations are created, updated, or deleted
– When configurations become enforced
– When the default configuration for new repositories changes

Code security configurations are now available in public beta on GitHub.com and will be available in GitHub Enterprise Server 3.15. You can learn more about code security configurations or send us your feedback.

See more See more

Code security configurations API now includes validity checks, enforcement, and removal

July 17, 2024

The REST API now supports the following code security configuration actions for organizations:
– Detach configurations from repositories
– Enforce configurations
– Enable validity checks for secret scanning in a configuration

The API is now available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.15.0. You can learn more about security configurations, the REST API, or send us your feedback.

See more See more

Code security configurations are now GA

July 10, 2024

Code security configurations are now generally available (GA)!

Code security configurations simplify the rollout of GitHub security products at scale. They help you define collections of security settings and apply them across groups of repositories.

Since the beta release on April 2, 2024, we’ve launched several improvements, including configuration enforcement and an API.

We have sunset the old organization-level code security settings UI experience along with the API parameters that complemented it.

All new changes to security settings must happen through the new code security configurations expereince. Organizations that were previously opted out of the experience have been opted back in. All default settings for new repositories have been migrated to a configuration called “Legacy” and automatically applied to new repos.

Learn more about code security configurations, the configurations REST API, or send us your feedback.

See more See more

Sunsetting security settings default parameters in the organization REST APIs

July 9, 2024

Code security configurations will be made generally available (GA) on July 10th, 2024. At that point, we will sunset the organization-level code security settings UI experience along with the API parameters that complemented it.

If you are currently using the Update an organization REST API endpoint to set default security settings for new repositories, or the Get an organization REST API endpoint to retrieve current defaults for security settings on new repositories, those parameters will now be ignored. The parameters will be removed entirely in the next version of the REST API.

Your previous default settings in your organization have been saved to a code security configuration called “Legacy” and will continue to apply. To change the default security settings for new repositories, use the code security configurations UI, the configurations API, or the unaffected enterprise-level security settings.

Learn more about code security configurations, the configurations REST API, or send us your feedback.

See more See more

SBOMs now include copyright attribution data

June 27, 2024

GitHub users can create software bill of material (SBOM) files for their repositories to help them understand its dependencies. SBOMs are a machine-readable inventory of a project’s dependencies and associated information. With this release, we have added copyright attribution data for dependencies in the SBOM.

Learn more about SBOM files and how GitHub helps you secure your software supply chain.

See more See more

Manage code security configurations via API

June 20, 2024

You can now use the REST API to create and manage code security configurations, as well as attach them to repositories at scale.

The API supports the following code security configuration actions for organizations:
– Create, get, update, and delete configurations
– Set and retrieve default configurations
– List all configurations
– Attach configurations to repositories

The API is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.15.0. You can learn more about security configurations, the REST API, or send us your feedback.

See more See more

Generated SBOM files will now include a package URL when a manifest file includes a range

June 11, 2024

Until this release, when a manifest file included a version range of a package (e.g. version < 3), when GitHub generated an SBOM for that package, it would not include a package URL (purl). We have improved SBOM generation so that now, when a manifest file references a package in a range, we will include the purl, but not the version field, which is an optional element in the specification. This will result in more complete data than we'd previously generated in the SBOM, helping users more clearly identify the packages being used in their repository.

See more See more

Code security configurations can now be enforced

June 6, 2024

Configurations are collections of security settings that organization administrators and security managers can define to help roll out GitHub security products at scale.

Starting today, you can enforce configurations. This new feature allows you to prevent users at the repository level from changing the security features that have been enabled and disabled in the configuration attached to their repository.

You can mark a configuration as enforced or unenforced at the bottom of the configurations edit page under the policy section:
Configuration Enforcement

Security configurations are currently available in public beta on GitHub.com and will be available in GitHub Enterprise Server 3.15. You can learn more about security configurations or send us your feedback.

See more See more

Code security configurations let organizations easily roll out GitHub security products at scale

April 2, 2024

Code security configurations simplify the rollout of GitHub security products at scale by defining collections of security settings that can be applied to groups of repositories. Your organization can apply the ‘GitHub recommended’ security configuration, which applies GitHub’s suggested settings for Dependabot, secret scanning, and code scanning. Alternatively, you can instead create your own custom security configurations. For example, an organization could create a ‘High risk’ security configuration for production repositories, and a ‘Minimum protection’ security configuration for internal repositories. This lets you manage security settings based on different risk profiles and security needs. Your organization can also set a default security configuration which is automatically applied to new repositories, avoiding any gaps in your coverage.

With security configurations, you can also see the additional number of GitHub Advanced Security (GHAS) licenses that are required to apply a configuration, or made available by disabling GHAS features on selected repositories. This lets you understand license usage when you roll out GitHub’s code security features in your organization.

Security configurations are now available in public beta on GitHub.com, and will be available in GitHub Enterprise Server 3.15. You can learn more about security configurations or send us your feedback.

See more See more

OpenSSF Scorecard info is now available in the Dependency Review Action

March 20, 2024

Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. We have updated the dependency review action to include information from the OpenSSF Scorecard project into the review, helping you better understand the security posture of the dependencies that you’re using.

See more See more

Gradle starter workflows now automatically submit transitive dependencies

February 1, 2024

If you’re using starter workflows to prepare the build and release steps for your Java projects that use Gradle, these projects will now have more comprehensive dependency graph information in GitHub. The Gradle starter workflows have been updated to automatically submit transitive dependencies to GitHub, improving the quality of dependency graph data and Dependabot updates for these apps.

Learn more about the action these starter workflows use by checking out the Build with Gradle action on the GitHub Marketplace. Thank you Gradle for making these updates!

Join the discussion within GitHub Community.

See more See more

Dependency review support for dependency submission results

September 8, 2023

Dependency review now works with your dependencies from the dependency submission API. Dependency review enforces policies around vulnerabilities and acceptable licenses in the pull request. Previously, dependency review could not be used with another feature of the dependency graph called the dependency submission API. The dependency submission API helps developers get a more accurate set of transitive dependencies, particularly for complex ecosystems like Gradle or Scala which require a build to resolve all transitive dependencies.

To take advantage of this improvement, update to the latest version of the dependency review action, or follow the instructions in our documentation.

For more information, see our documentation about dependency review, the dependency submission API, and some best practices for using dependency review and the dependency submission API together.

See more See more

pnpm Support for Dependency Graph, Dependabot Alerts, and Dependabot Security Updates

August 2, 2023

pnpm is now fully supported by dependency graph, Dependabot alerts, and Dependabot security updates! If you manage your Node.js dependencies with the pnpm package manager, you can now receive and fix alerts about security vulnerabilities in those dependencies. To use this, enable Dependabot Security Updates from the repository settings page on the code security and analysis tab.

To read more about how to use Dependabot and dependency graph, you can read our documentation here

See more See more

New license information for 17.5 million packages

July 10, 2023

We have added over 17.5 million new package licenses to our database, expanding the license coverage for packages that appear in dependency graph, dependency insights, dependency review, and a repository's software bill of materials (SBOM). Package licenses dictate how a package can be used, making them an essential aspect of compliance when working with open source software.

These licenses are sourced from ClearlyDefined, a curated data store for open source licenses.

See more See more

View more changes