Skip to content

dependabot-core is now open source with an MIT license

We’re excited to announce that the dependabot-core project is being relicensed under the MIT License, making it easier for the community to contribute to Dependabot.

Keeping dependencies updated is a crucial part of securing your software supply chain, and Dependabot has been helping GitHub users do this since 2019. It’s used by millions of developers each month to keep their dependencies up-to-date and free of known security vulnerabilities. We don’t charge anyone to use Dependabot, because we think everyone should be able to use open source without fear of vulnerabilities.

dependabot-core is the component of Dependabot that defines the logic to create pull requests for dependency updates across the 20+ languages and package managers it supports today. The update logic in dependabot-core is tightly integrated with the rest of GitHub’s Dependabot features, such as grouped updates and auto-triage rules, and contributions from collaborators have helped with its support of Swift and improvements to NuGet. By adopting the MIT license, we will simplify the process for members of the community to contribute to Dependabot and innovate together.

Dependabot-core was previously available under the Prosperity Public License 2.0, and has received contributions from more than 300 developers over the past few years. Now, the MIT license will make it easier than ever for members of the community to join our cause to improve the security of all the world’s software. If you’d like to learn more about contributing to dependabot-core, please check out the repository, and drop us an issue or pull request!

GitHub Copilot Metrics Updates

We’ve updated how we calculate Last Activity to give you better clarity and are pausing access to the Team endpoint in the Metrics API.

Updating the Last Activity calculation

Ahead of the GitHub Copilot Metrics API launch, we made an update to how we calculate Last Activity in order to provide more useful information for admins. Previously, this data point indicated the last time a user generated a Copilot authentication token, which happened automatically if the user’s editor was active. This did not mean the user was engaging with Copilot but rather, the extension was ensuring it could provide completions or chat access if needed.

To align this data point with actual usage, we updated our system to grab the most recent instance where the user deliberately engaged with the Copilot system. These actions include but are not limited to:
– Code completion suggestions show
– Chatting with Copilot Chat in IDEs
– Creating or updating a knowledge base
– Creating a pull request summary
– Interacting with Copilot on GitHub.com

As part of this update, we also needed to perform system cleanup on the vast amount of previous token generated events that were no longer relevant to providing this data point. Some data was erroneously removed but has since been restored.

The Last Activity date should be consistent across the CSV generated via Get Report in Copilot Access settings as well as through the Seats Management API.

Pausing access to Team slicing in the GitHub Copilot Metrics API.

Based on trends in feedback, the product team has learned that the Teams route of the Metrics API returns data that is not meeting the goals of our intended customer experience. In light, they have made the decision to temporarily pull the Teams route from production as of May 9th, 2024. During this time, the team will implement a collection of fixes intended to improve end users’ data experience and plan to re-enable the route by the end of June, at latest.

We understand this may be disappointing but the team is working to restore access as soon as possible. You can provide feedback and follow along for updates via this Discussion.

See more

Security alerts tool trends on the security overview dashboard

The new Tool group-by option on the security overview trends graph provides a visualization of alert trends, organized by the security tools that detected each vulnerability. It’s designed to improve your ability to track and analyze the effectiveness of your scanning tools, enabling more strategic decision-making.

Example of the alert trends chart grouped by security tool

With this new functionality, you can:
* Pinpoint which tools are detecting the most critical vulnerabilities.
* Monitor the performance of your scanners over time.
* Prioritize your remediation efforts based on detailed insights.

To access this feature, navigate to the Security tab at the organization level on GitHub, and choose the Tool option in the Group by dropdown.

This functionality is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.14.

Learn more about the security overview dashboard for your organization and send us your feedback

See more
View all changes