Search results for: Ecosystem

Security vulnerabilities can be unpleasant to address, and that only gets worse the more you have. When you’re dealing with a large volume of vulnerabilities, you need to be able…

Dependabot version updates now support npm v7. Note that npm v7 uses the new lockfile format (“lockfileVersion”: 2). Dependabot will now respect this new format if you have installed with…

Not everyone takes a break over the festive season. Some people in the community have been busy shipping releases. So we’re here to bring you the latest and greatest releases…

At GitHub, our community is at the heart of everything we do. We want to make it easier to build the things you love, with the tools you prefer to…

After much anticipation, the npm CLI version 7 is now generally available!

Dependabot version updates now support pip-compile 5.5.0. Note that with the version update of pip-compile from 5.4.0 to 5.5.0, the formatting of “via” annotations has changed to one dependency per…

We’ve made huge advances in our security features at GitHub in 2020, with launches for code scanning, secret scanning, Dependabot version updates, dependency review, and more.

GitHub’s engineering group moved from a monolithic, hero-based on-call rotation to a more balanced on-call culture in order to increase our on-call expertise and improve the experience for our customers.

In celebrating GitHub Security Lab’s one-year anniversary, we explained that we’re expanding our research focus. Why did we make this decision? The decision stemmed from our work with the Open…

Today, GitHub joined an amicus brief in NSO v. WhatsApp, opposing the expansion of foreign sovereign immunity to private cyber-surveillance companies that act on behalf of foreign governments. GitHub joined…

This is the second post in a series about how we built our new homepage. How our globe is built How we collect and use the data behind the globe…

Dependabot version updates now support Kotlin manifest files like .gradle.kts (gradle) PHP using the latest composer v2 (composer) These are possible thanks to community contributions to Dependabot. If you’d like…

Last year at GitHub Universe, we introduced the GitHub Security Lab, which is committed to contributing resources, tooling, bounties, and security research to secure the open source ecosystem. We know…

Dependency review allows you to easily understand your dependencies before you introduce them to your environment. As part of a pull request, you can see what dependencies you’re introducing, changing, or removing, and information about their vulnerabilities, age, usage, and license.

Aimed at developers, in this series we introduce and explore the memory unsafe attack surface of interpreted languages.

To best apply DevSecOps principles to improve the security of your supply chain, you should ask your developers to declare your dependencies in code; and in turn provide your developers with maintained ‘golden’ artifacts and automated downstream actions so they can focus on code.

Dependabot already updates your public dependencies, such as open source dependencies from a public GitHub repository, npm, Maven Central, or similar. Now, you can also update dependencies from private GitHub…

The Digital Millennium Copyright Act (DMCA) is a 22-year old United States law meant to strike a complicated balance between art, code, and speech on the net — impacting users…

You can now use the –api-key command line option for publishing NuGet packages. This change allows you to pass your authentication token directly instead of storing it in the nuget.config…

This is the second post in our series on DevOps fundamentals. For a guide to what DevOps is and answers to common DevOps myths check out part one. What role…

This article originally appeared in TechCrunch, and is republished here with permission. The Supreme Court heard arguments October 7 in Google v. Oracle. This case raises a fundamental question for…