GitHub has acquired Dependabot, a tool that helps developers avoid introducing security issues via bugs in open-source libraries.
Dependabot automates checks for out-of-date or insecure libraries on which a project depends, and generates pull requests to update them.
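The check described above, as an added illustration in Python of the kind of work a dependency-update tool automates; this is not Dependabot's own code, and the advisory database it consults is replaced by a constructed in-file list. It parses a `requirements.txt`-style manifest of `name==version` pins, matches each pin against advisories that carry a vulnerable version range, and proposes the smallest upgrade that clears every known range for the package (stepping again if the first fixed release is itself covered by a later advisory). Package names, versions and advisory identifiers are made up for the example; the pull-request title format is modelled on the "Bump X from A to B" titles such tools generate, and is an assumption here.

```python
"""Constructed example of a dependency vulnerability check (not Dependabot's code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a plain dotted numeric version such as '2.19.1' into a comparable tuple.
    Pre-release suffixes are out of scope for this illustration and raise ValueError."""
    return tuple(int(part) for part in text.strip().split("."))


def format_version(version: Version) -> str:
    return ".".join(str(part) for part in version)


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: Version   # first vulnerable version (inclusive)
    fixed: Version        # first patched version (exclusive upper bound)
    advisory_id: str      # constructed identifier, not a real advisory

    def affects(self, version: Version) -> bool:
        return self.introduced <= version < self.fixed


# Constructed stand-in for an advisory database (assumption: not real packages).
ADVISORIES: List[Advisory] = [
    Advisory("examplelib", parse_version("1.0.0"), parse_version("1.4.2"), "EXAMPLE-2019-0001"),
    Advisory("examplelib", parse_version("1.4.2"), parse_version("1.4.4"), "EXAMPLE-2019-0004"),
    Advisory("examplelib", parse_version("2.0.0"), parse_version("2.1.0"), "EXAMPLE-2019-0002"),
    Advisory("otherlib", parse_version("0.1.0"), parse_version("0.9.0"), "EXAMPLE-2019-0003"),
]

# Constructed manifest, in requirements.txt style.
MANIFEST = """
# constructed requirements.txt for the example
examplelib==1.2.0
otherlib==0.9.0
thirdlib==3.0.1
"""


def parse_manifest(text: str) -> Dict[str, Version]:
    """Parse 'name==version' lines; comments and blank lines are skipped.
    Unpinned entries are rejected because a range cannot be checked against advisories."""
    pins: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = parse_version(version)
    return pins


def first_safe_version(package: str, version: Version, advisories: List[Advisory]) -> Version:
    """Smallest version >= the pin that no advisory for the package covers.
    If the fixed version of one advisory falls inside another advisory's range,
    step again; each step moves strictly upward, so the loop terminates."""
    candidate = version
    while True:
        hits = [a for a in advisories if a.package == package and a.affects(candidate)]
        if not hits:
            return candidate
        candidate = max(a.fixed for a in hits)


def check_manifest(text: str, advisories: List[Advisory] = ADVISORIES) -> Dict[str, Tuple[str, str]]:
    """Return {package: (advisory ids matched, recommended version)} for vulnerable pins."""
    findings: Dict[str, Tuple[str, str]] = {}
    for name, version in parse_manifest(text).items():
        hits = [a for a in advisories if a.package == name and a.affects(version)]
        if not hits:
            continue
        target = first_safe_version(name, version, advisories)
        ids = ", ".join(sorted(a.advisory_id for a in hits))
        findings[name] = (ids, format_version(target))
    return findings


def pull_request_title(package: str, current: str, target: str) -> str:
    """Title for the upgrade pull request (format is an assumption for the example)."""
    return f"Bump {package} from {current} to {target}"


if __name__ == "__main__":
    pins = parse_manifest(MANIFEST)
    for package, (ids, target) in check_manifest(MANIFEST).items():
        print(pull_request_title(package, format_version(pins[package]), target), "|", ids)
```

Running the block prints one proposed pull-request title for the single vulnerable pin in the constructed manifest; `otherlib==0.9.0` is not reported because 0.9.0 is exactly the first fixed release, which is why the upper bound of a range must be treated as exclusive.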
GitHub CEO Nat Friedman on stage at the Satellite event in Berlin
"More than 70 per cent of vulnerabilities are unpatched after a month," said Shanku Niyogi, GitHub SVP Product, speaking at Satellite. Dependabot integration is intended to improve this.
New dependency insight panel in GitHub Enterprise
The company also announced GitHub Sponsors (currently in beta), a scheme where anyone can contribute funds to an open-source project. The Microsoft subsidiary will cover payment fees and match funding up to $5,000 during a developer's first year.
The web-based hosting service has also enhanced its Enterprise product, which can run either in GitHub's cloud or elsewhere, including on premises. A new security dashboard called Dependency Insights analyses vulnerabilities in – you guessed it – a project's dependencies.
There are also two new user roles. Triage users can manage issues but not write to a repository. Maintain users can manage issues and some settings but without full admin rights.
New user roles in GitHub Enterprise
A new repository visibility setting, called Internal, sits between Public and Private: an internal repository is visible to every member of the enterprise but not to the outside world.
Git Data Encryption now encrypts repository data and wikis at rest as well as in transit.
Is GitHub bleeding developers to GitLab and other alternatives, following its acquisition by Microsoft in October 2018? While there has been some movement, GitHub claimed to be adding around three million repositories every month with 48 per cent growth since a year ago. Organisation accounts are 41 per cent up over the same period, and there are now 36 million users in total. ®