GitHub now sends Dependabot alerts for vulnerable Actions

GitHub has announced that it will begin sending Dependabot alerts when it detects vulnerable GitHub Actions.

GitHub Actions makes it easy for developers to automate their workflows. Dependabot, meanwhile, automatically updates dependencies to keep your projects secure.

When an Action vulnerability is discovered, GitHub’s team of security researchers will create an advisory to document it. Following the creation of an advisory, Dependabot alerts will be sent to impacted...

SFC urges developers to quit GitHub

The SFC (Software Freedom Conservancy) has quit GitHub and urges other developers to follow.

SFC is a non-profit that aims to provide a home and services to Free, Libre, and Open Source Software (FLOSS) projects.

On Thursday, the SFC posted a blog post criticising the dominant role that GitHub has established in FOSS development.

In the post, Bradley Kuhn, SFC policy fellow, and Denver Gingerich, SFC FOSS license compliance engineer, highlighted the dangers of...

GitHub will mandate 2FA to help secure the software supply chain

GitHub will require all users who contribute code on the platform to use 2FA as part of its latest security improvements.

Attacks on the software supply chain are on the increase. GitHub, which has over 83 million code-contributing users, is stepping up to the plate to protect developers and the software supply chain with this major policy change announcement.

“At GitHub, we believe that our unique position as the home for all developers grants us both an opportunity...

GitHub notifies victims of OAuth token theft

GitHub is notifying known victims of an ongoing attack using stolen third-party OAuth user tokens.

OAuth user tokens maintained by Heroku and Travis CI were stolen and abused by an unauthorised party to download data from dozens of organisations, including npm.

Mike Hanley, Chief Security Officer at GitHub, wrote in a blog post:

“We have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and...

GitHub Advisory Database now accepts community contributions

GitHub is opening its Advisory Database to community contributions to help further secure software supply chains.

One vulnerability can have a devastating “domino effect” on software across the globe. With the use of open-source increasing, so does the threat of a vast amount of software being compromised.

GitHub launched its Advisory Database almost two years ago. As the largest database of vulnerabilities in software dependencies in the world, it’s become an...

GitHub’s Mermaid support enables developers to quickly create diagrams

GitHub has added native support for Mermaid—enabling developers to quickly generate diagrams.

According to GitHub, both open-source and enterprise developers see a productivity boost of around 50 percent when provided with detailed documentation. Rich, visual formats often help to better present information.

Last month, GitHub added support for .svg files to comments in issues, PRs, discussions, and Markdown files like READMEs. However, GitHub says that it recognises...

GitHub incentivises open-source investments with sponsor-only repos

GitHub is launching private repositories that only sponsors have access to, helping to incentivise open-source investments.

Open-source mostly relies on developers voluntarily giving up their time to build and improve projects. Priority is naturally given to work that helps to keep a roof over their heads and food on the table—meaning that open-source projects can be underdeveloped at best or be left with devastating vulnerabilities at worst.

A growing number of...

Open-source can play a critical role in tackling the UK’s developer shortage

It is no secret that developers have never been more in demand. According to a recent analysis, the shortage of “programmers and software development professionals” only ranks behind HGV drivers and nurses as the occupation where worker shortages are most acute in the UK.

The sheer pace of digital transformation across every industry means the demand for developer talent continues to outstrip supply at a rapid rate – and the situation shows no sign of abating. Just about...

Open-source developer corrupted his own popular libraries

An open-source developer intentionally corrupted his own libraries that have been used by thousands of projects.

Users of open-source projects that depend on the ‘colors’ and ‘faker’ libraries by Marak Squires were confronted with their applications indefinitely printing gibberish messages on their console—rendering them useless.

The colors library receives over 20 million weekly downloads on npm alone and has almost 19,000 projects depending on it. The faker...

GitHub launches preview of improved code search

GitHub is making significant improvements to its code searching experience and has launched a technology preview for an early peek.

The current search index covers more than five million of the most popular public repositories. In addition, developers can also search any private repositories they have access to.

GitHub recommends trying five search functions to see how they could improve your workflow:

Try a simple search and see how the smart ranking and...