FEED Validator

for Atom and RSS and KML

Congratulations!

This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

line 30, column 0: Use of unknown namespace: com-wordpress:feed-additions:1 (11 occurrences) [help]
```
<site xmlns="com-wordpress:feed-additions:1">153214340</site>	<item>
```
line 48, column 0: content:encoded should not contain html tag (10 occurrences) [help]
```
<html><body><p><a href="https://sourceforge.net/projects/djvu/">DjVuLibre</a ...
```
line 48, column 0: content:encoded should not contain body tag (10 occurrences) [help]
```
<html><body><p><a href="https://sourceforge.net/projects/djvu/">DjVuLibre</a ...
```
line 65, column 0: content:encoded should not contain iframe tag (7 occurrences) [help]
```
<iframe title="CVE-2025-53367: Exploitable OOB write in DjVuLibre" width="50 ...
```
line 228, column 0: content:encoded should not contain data-color-mode attribute (5 occurrences) [help]
```
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="ligh ...
```
line 228, column 0: content:encoded should not contain data-dark-theme attribute (5 occurrences) [help]
```
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="ligh ...
```
line 228, column 0: content:encoded should not contain data-light-theme attribute (5 occurrences) [help]
```
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="ligh ...
```
line 1185, column 0: content:encoded should not contain data-recalc-dims attribute (14 occurrences) [help]
```
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading= ...
```
line 1185, column 0: content:encoded should not contain loading attribute (14 occurrences) [help]
```
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading= ...
```
line 1185, column 0: content:encoded should not contain decoding attribute (14 occurrences) [help]
```
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading= ...
```
line 1185, column 0: content:encoded should not contain sizes attribute (14 occurrences) [help]
```
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading= ...
```
line 1646, column 0: content:encoded should not contain controls attribute (2 occurrences) [help]
```
<figure class="wp-block-video"><video controls poster="https://github.blog/w ...
```
line 1646, column 0: content:encoded should not contain poster attribute (2 occurrences) [help]
```
<figure class="wp-block-video"><video controls poster="https://github.blog/w ...
```
line 2762, column 3: content:encoded should not contain relative URL references: #footnote (2 occurrences) [help]
```
]]></content:encoded>
   ^
```

Source: https://github.blog/feed/

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>The GitHub Blog</title>
<atom:link href="https://github.blog/feed/" rel="self" type="application/rss+xml" />
<link>https://github.blog/</link>
<description>Updates, ideas, and inspiration from GitHub to help developers build and design software.</description>
<lastBuildDate>Thu, 03 Jul 2025 20:52:21 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>
hourly </sy:updatePeriod>
<sy:updateFrequency>
1 </sy:updateFrequency>
<generator>https://wordpress.org/?v=6.8.1</generator>
<image>
<url>https://github.blog/wp-content/uploads/2019/01/cropped-github-favicon-512.png?fit=32%2C32</url>
<title>The GitHub Blog</title>
<link>https://github.blog/</link>
<width>32</width>
<height>32</height>
</image>
<site xmlns="com-wordpress:feed-additions:1">153214340</site> <item>
<title>CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre</title>
<link>https://github.blog/security/vulnerability-research/cve-2025-53367-an-exploitable-out-of-bounds-write-in-djvulibre/</link>
<dc:creator><![CDATA[Kevin Backhouse]]></dc:creator>
<pubDate>Thu, 03 Jul 2025 20:52:20 +0000</pubDate>
<category><![CDATA[Security]]></category>
<category><![CDATA[Vulnerability research]]></category>
<category><![CDATA[CVE]]></category>
<category><![CDATA[GitHub Security Lab]]></category>
<category><![CDATA[linux]]></category>
<category><![CDATA[open source]]></category>
<guid isPermaLink="false">https://github.blog/?p=89368</guid>
<description><![CDATA[<p>DjVuLibre has a vulnerability that could enable an attacker to gain code execution on a Linux Desktop system when the user tries to open a crafted document.</p>
<p>The post <a href="https://github.blog/security/vulnerability-research/cve-2025-53367-an-exploitable-out-of-bounds-write-in-djvulibre/">CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p><a href="https://sourceforge.net/projects/djvu/">DjVuLibre</a> version 3.5.29 was released today. It fixes CVE-2025-53367 (GHSL-2025-055), an out-of-bounds (OOB) write in the <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.cpp#l570"><code>MMRDecoder::scanruns</code></a> method. The vulnerability could be exploited to gain code execution on a Linux Desktop system when the user tries to open a crafted document.</p>
<p>DjVu is a document file format that can be used for similar purposes to PDF. It is supported by <a href="https://gitlab.gnome.org/GNOME/evince">Evince</a> and <a href="https://gitlab.gnome.org/GNOME/papers">Papers</a>, the default document viewers on many Linux distributions. In fact, even when a DjVu file is given a filename with a .pdf extension, Evince/Papers will automatically detect that it is a DjVu document and run DjVuLibre to decode it.</p>
<p>Antonio found this vulnerability while researching the Evince document reader. He found the bug with fuzzing.</p>
<p>Kev has developed a proof of concept exploit for the vulnerability, as demoed in this video.</p>
<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe title="CVE-2025-53367: Exploitable OOB write in DjVuLibre" width="500" height="281" src="https://www.youtube.com/embed/32kROHYhYVM?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
</div></figure>
<p>The POC works on a fully up-to-date Ubuntu 25.04 (x86_64) with all the standard security protections enabled. To explain what’s happening in the video:</p>
<ol class="wp-block-list">
<li>Kev clicks on a malicious DjVu document in his <code>~/Downloads</code> directory.</li>
<li>The file is named <code>poc.pdf</code>, but it’s actually in DjVu format.</li>
<li>The default document viewer (<code>/usr/bin/papers</code>) loads the document, detects that it’s in DjVu format, and uses DjVuLibre to decode it.</li>
<li>The file exploits the OOB write vulnerability and triggers a call to <code>system("google-chrome https://www.youtube.com/…")</code>.</li>
<li>Rick Astley appears.</li>
</ol>
<p>Although the POC is able to bypass <a href="https://en.wikipedia.org/wiki/Address_space_layout_randomization">ASLR</a>, it’s somewhat unreliable: it’ll work 10 times in a row and then suddenly stop working for several minutes. But this is only a first version, and we believe it’s possible to create an exploit that’s significantly more reliable.</p>
<p>You may be wondering: why Astley, and not a calculator? That’s because <code>/usr/bin/papers</code> runs under an <a href="https://apparmor.net/">AppArmor</a> profile. The profile prohibits you from starting an arbitrary process but makes an exception for google-chrome. So it was easier to play a YouTube video than pop a calc. But the AppArmor profile is not particularly restrictive. For example, it lets you write arbitrary files to the user’s home directory, except for the really obvious one like <code>~/.bashrc</code>. So it wouldn’t prevent a determined attacker from gaining code execution.</p>
<h1 class="wp-block-heading" id="h-vulnerability-details">Vulnerability Details</h1>
<p>The <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.cpp#l570"><code>MMRDecoder::scanruns</code></a> method is affected by an OOB-write vulnerability, because it doesn’t check that the <code>xr</code> pointer stays within the bounds of the allocated buffer.</p>
<p>During the decoding process, run-length encoded data is written into two buffers: <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.h#l207"><code>lineruns</code></a> and <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.h#l209"><code>prevruns</code></a>:</p>
<pre class="wp-block-code"><code>//libdjvu/MMRDecoder.h
class DJVUAPI MMRDecoder : public GPEnabled
{
...
public:
unsigned short *lineruns;
...
unsigned short *prevruns;
...
}</code></pre>
<p>The variables named <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.cpp#l583"><code>pr</code></a> and <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.cpp#l584"><code>xr</code></a> point to the current locations in those buffers. </p>
<p><code>scanruns</code> does not check that those pointers remain within the bounds of the allocated buffers.</p>
<pre class="wp-block-code"><code>//libdjvu/MMRDecoder.cpp
const unsigned short *
MMRDecoder::scanruns(const unsigned short **endptr)
{
...
// Swap run buffers
unsigned short *pr = lineruns;
unsigned short *xr = prevruns;
prevruns = pr;
lineruns = xr;
...
for(a0=0,rle=0,b1=*pr++;a0 < width;)
{
...
*xr = rle; xr++; rle = 0;
...
*xr = rle; xr++; rle = 0;
...
*xr = inc+rle-a0;
xr++;
}</code></pre>
<p>This can lead to writes beyond the allocated memory, resulting in a heap corruption condition. An out-of-bounds read with <code>pr</code> is also possible for the same reason.</p>
<p>We will publish the source code of our proof of concept exploit in a couple of weeks’ time in the <a href="https://github.com/github/securitylab">GitHub Security Lab repository</a>.</p>
<h1 class="wp-block-heading" id="h-acknowledgements">Acknowledgements</h1>
<p>We would like to thank Léon Bottou and Bill Riemers for responding incredibly quickly and releasing a fix less than two days after we first contacted them!</p>
<h1 class="wp-block-heading" id="h-timeline">Timeline</h1>
<ul class="wp-block-list">
<li>2025-07-01: Reported via email to the authors: Léon Bottou, Bill Riemers, Yann LeCun.</li>
<li>2025-07-01: Responses received from Bill Riemers and Léon Bottou.</li>
<li>2025-07-02: Fix commit added by Léon Bottou: <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/">https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/</a></li>
<li>2025-07-03: DjVuLibre version 3.5.29 released: <a href="https://sourceforge.net/p/djvu/www-git/ci/9748b43794440aff40bae066132aa5c22e7fd6a3/">https://sourceforge.net/p/djvu/www-git/ci/9748b43794440aff40bae066132aa5c22e7fd6a3/</a> </li>
</ul>
</body></html>
<p>The post <a href="https://github.blog/security/vulnerability-research/cve-2025-53367-an-exploitable-out-of-bounds-write-in-djvulibre/">CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89368</post-id> </item>
<item>
<title>5 ways to transform your workflow using GitHub Copilot and MCP</title>
<link>https://github.blog/ai-and-ml/github-copilot/5-ways-to-transform-your-workflow-using-github-copilot-and-mcp/</link>
<dc:creator><![CDATA[Klint Finley]]></dc:creator>
<pubDate>Wed, 02 Jul 2025 17:44:02 +0000</pubDate>
<category><![CDATA[AI & ML]]></category>
<category><![CDATA[GitHub Copilot]]></category>
<category><![CDATA[agent mode]]></category>
<category><![CDATA[MCP]]></category>
<guid isPermaLink="false">https://github.blog/?p=89268</guid>
<description><![CDATA[<p>Learn how to streamline your development workflow with five different MCP use cases. </p>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/5-ways-to-transform-your-workflow-using-github-copilot-and-mcp/">5 ways to transform your workflow using GitHub Copilot and MCP</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>Traditional AI coding assistants typically operate in isolation, limited to the code in your current workspace. Now with the introduction of the Model Context Protocol (MCP), AI development workflows are further evolving to incorporate more tools and context. </p>
<p>MCP can enable AI assistants to interact with external systems like knowledge bases, data stores, and testing applications.</p>
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="light_dimmed" class="wp-block-group post-aside--large p-4 p-md-6 is-style-light-dimmed has-global-padding is-layout-constrained wp-block-group-is-layout-constrained is-style-light-dimmed--1" style="border-top-width:4px">
<h3 class="wp-block-heading h5-mktg gh-aside-title is-typography-preset-h5" id="h-what-is-mcp-anyway" style="margin-top:0">What is MCP, anyway?</h3>
<p>The Model Context Protocol (MCP) is an open standard developed by Anthropic that helps AI assistants like GitHub Copilot securely connect to external data sources and tools. MCP addresses a common challenge with Large Language Models (LLMs): providing the right context to generate accurate and useful responses. MCP standardizes how AI tools access external context—such as your codebase, documentation, or design specifications—and makes it easier to bring this context into your development workflow. For a deeper dive into MCP and why it’s gaining popularity, check out <a href="https://github.blog/ai-and-ml/llms/what-the-heck-is-mcp-and-why-is-everyone-talking-about-it/">Cassidy Williams’s article on the GitHub Blog</a>.</p>
</aside>
<p>The real value of MCP integration is that you can now perform tasks that previously required multiple tools, context switching, and manual effort—all directly in your IDE. That means you can save time, maintain focus, and ship code faster.</p>
<p>In this article, we’ll explore five practical ways MCP integrations with GitHub Copilot can streamline your workflow. We’ll follow a realistic scenario: implementing a secure JWT (JSON Web Token) authentication system for a web application, illustrating an end-to-end workflow with MCP.</p>
<p>Let’s jump in. </p>
<h2 class="wp-block-heading" id="1-using-mcp-to-bridge-design-and-development-with-figma">1. Using MCP to bridge design and development with Figma </h2>
<p>The gap between design and development has long been a source of friction in product teams. MCP provides a standardized way for GitHub Copilot to securely access and interpret design specifications directly. </p>
<p>Instead of manually translating design details into code, MCP enables Copilot to automatically retrieve exact design parameters—such as colors, spacing, typography, and component states—and generate accurate, ready-to-use code. This integration reduces guesswork and streamlines the handoff between designers and developers.</p>
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="light_dimmed" class="wp-block-group post-aside--large p-4 p-md-6 is-style-light-dimmed has-global-padding is-layout-constrained wp-block-group-is-layout-constrained is-style-light-dimmed--2" style="border-top-width:4px">
<h3 class="wp-block-heading h5-mktg gh-aside-title is-typography-preset-h5" id="h-explore-github-copilot-s-agentic-capabilities" style="margin-top:0">Explore GitHub Copilot’s agentic capabilities</h3>
<p>GitHub Copilot comes with two powerful agentic workflows that can be used with MCP:</p>
<ul class="wp-block-list">
<li><strong>Agent mode (in your IDE):</strong> Turn Copilot Chat into a real-time collaborator that works with you. Give it a goal (“add OAuth & tests”), and it plans, edits files, runs the suite, reads failures, fixes them, and loops until everything is green—all right in front of you, with the option to pause or steer at any step.</li>
<li><strong>Coding agent (in your GitHub projects)</strong>: Hand an Issue to Copilot and walk away. It spins up a protected workspace with GitHub Actions, writes code, runs linters/tests, and opens a pull request for you to review. Perfect for well-scoped tickets you’d give a junior dev (docs, tests, small refactors) while you stay focused elsewhere.<a href="https://github.blog/news-insights/product-news/github-copilot-meet-the-new-coding-agent/?utm_source=chatgpt.com"> </a></li>
</ul>
<p><strong>TL;DR: </strong>Think of Agent mode as a co-driver at your keyboard; the Coding agent is the valet that brings the finished work to your repo.</p>
<p><a href="https://github.blog/news-insights/product-news/from-pair-to-peer-programmer-our-vision-for-agentic-workflows-in-github-copilot/">Learn more ></a></p>
</aside>
<p>We’ll start developing our new JWT authentication system by taking a look at the user-facing side. Let’s say the design team updated the authentication UI components in Figma, including login forms, error states, loading spinners, and success messages. Now, you need to implement these changes to match the new design system.</p>
<p>Start by asking Copilot, “What are the latest design updates for the login form and authentication components?” It will then retrieve specs for the elements that need to change. Then you can prompt it to create React components for each element:</p>
<ul class="wp-block-list">
<li><code>LoginForm</code> with exact spacing, colors, typography</li>
<li><code>AuthErrorMessage</code> component with proper error styling</li>
<li><code>TokenRefreshNotification</code> component</li>
</ul>
<p>Copilot will then give you ready-to-use code that maintains consistency with the design specifications from Figma.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong><strong>Learn more </strong></strong>about <a href="https://help.figma.com/hc/en-us/articles/32132100833559-Guide-to-the-Dev-Mode-MCP-Server">Figma’s MCP server beta ></a></p>
</div>
<h2 class="wp-block-heading" id="2-tap-into-your-obsidian-knowledge-base-with-mcp">2. Tap into your Obsidian knowledge base with MCP</h2>
<p>When implementing complex features like JWT authentication, you often need to reference past decisions, architectural notes, and research findings scattered across your knowledge base. The unofficial, community-maintained Obsidian MCP server bridges this gap by connecting GitHub Copilot directly to your Obsidian vault.</p>
<p>Let’s say you’re implementing JWT token validation and need to understand your team’s previous security decisions. You tell Copilot: “Search for all files where JWT or token validation is mentioned and explain the context.”</p>
<p>With that, Copilot can:</p>
<ul class="wp-block-list">
<li>Search across all Markdown files in your vault for relevant security patterns</li>
<li>Retrieve contents from specific architecture decision records (ADR)</li>
<li>Access meeting notes from previous security reviews</li>
<li>Pull implementation guidelines from your team’s coding standards</li>
</ul>
<p>You might follow up with the following prompt: “Get the contents of the last architecture call note about authentication and summarize the key decisions.” Copilot will locate the relevant file and extract the critical information you need to inform your implementation approach.</p>
<p>Once you’ve gathered the necessary context, you can ask Copilot to synthesize this information: “Create a new note called ‘jwt-implementation-summary.md’ that combines our authentication standards with the new JWT approach.” Copilot will create this documentation directly in your vault, helping maintain your team’s knowledge base.</p>
<p><strong>Setup note</strong>: This integration requires the community “Obsidian Local REST API” plugin and an API key.</p>
<p>With your research complete and documented, you can proceed to test your application.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Learn more</strong> about <a href="https://github.com/MarkusPfundstein/mcp-obsidian">accessing Obsidian through MCP ></a></p>
</div>
<h2 class="wp-block-heading" id="3-test-your-code-with-playwright">3. Test your code with Playwright</h2>
<p>Integrating MCP with Playwright transforms test creation from a manual, error-prone process into a simple, guided experience.</p>
<p>Modern web applications often involve complex user journeys, asynchronous operations, and dynamic content. Authentication flows are particularly challenging to test comprehensively.</p>
<p>Continuing with our JWT authentication system, you need to test the complete authentication flow including login, token refresh, and secure route access. To do this, you’ll start by giving Copilot a prompt like this: “Test the JWT authentication flow including login, automatic token refresh, and access to protected routes.”</p>
<p>From there, Copilot will analyze your authentication implementation and generate comprehensive test coverage. But it doesn’t stop there. Copilot then runs the tests with Playwright and provides immediate feedback on failures, suggesting fixes for common issues, like timing problems or selector changes.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Learn more </strong>about the <a href="https://github.com/microsoft/playwright-mcp">Playwright MCP server ></a></p>
</div>
<h2 class="wp-block-heading" id="4-file-pull-requests-faster">4. File pull requests faster</h2>
<p>Pull requests are the cornerstone of collaborative development. GitHub’s remote MCP server, <a href="https://github.blog/changelog/2025-06-12-remote-github-mcp-server-is-now-available-in-public-preview/">now in public beta for VS Code or Visual Studio</a>, helps transform the process into an intelligent, automated workflow.</p>
<p>Turning back to our JWT authentication example, you can prompt Copilot: “Create a pull request for my authentication feature changes”</p>
<p>Copilot will then analyze:</p>
<ul class="wp-block-list">
<li>Code changes across multiple files  </li>
<li>Related issues and project context  </li>
<li>Team review patterns and expertise areas  </li>
<li>Previous similar implementations</li>
</ul>
<p>Copilot returns Markdown with an overview, changes made, a testing strategy, and even related issues.</p>
<p>It will then suggest appropriate reviewers for each aspect of the change based on code ownership, expertise mapping, and current workload.</p>
<p>Once your application is deployed, you can move on to monitoring it.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Get started</strong> with <a href="https://docs.github.com/en/copilot/tutorials/enhancing-copilot-agent-mode-with-mcp">GitHub’s MCP server ></a></p>
</div>
<h2 class="wp-block-heading" id="5-monitor-application-performance">5. Monitor application performance</h2>
<p>With the core authentication logic handled, now it’s time to ensure that our application performs well by monitoring how it behaves in production. Using MCP to connect to Grafana through the open-source Grafana MCP server makes this easier—though setup requires a few configuration steps.</p>
<p>Let’s say you need to analyze the JWT authentication system’s latency metrics and error rates. You tell Copilot: “Show me auth latency and error-rate panels for the auth-service dashboard for the last 6 hours.”</p>
<p>After configuring the Grafana MCP server with your API key and host URL, Copilot can then query your Grafana instance to:</p>
<ul class="wp-block-list">
<li>Examine authentication latency metrics and p95 response times</li>
<li>Analyze error rates for login endpoints over time</li>
<li>Review existing alert rules for authentication services</li>
<li>Identify patterns in failed authentication attempts</li>
</ul>
<p>Copilot returns panel data as base64-encoded images and can extract raw time-series data when needed. If you need a longer time range, you can specify: “Show me the same metrics for the last 24 hours” and Copilot will adjust the query parameters accordingly.</p>
<p>For more advanced monitoring workflows, you can enable write operations by launching the server with the <code>--enable-write</code> flag and an Editor-role API key. This allows Copilot to create new alert rules or modify dashboard configurations based on your authentication metrics analysis.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Learn more </strong>about the <a href="https://github.com/grafana/mcp-grafana">Grafana MCP server ></a></p>
</div>
<h2 class="wp-block-heading" id="whats-next">What’s next?</h2>
<p>Before diving into these powerful integrations, you’ll need to configure your development environment. Here’s how:</p>
<ol class="wp-block-list">
<li><strong>Install MCP extensions</strong>: Enable MCP support in your IDE through official extensions</li>
<li><strong>Configure API access</strong>: Set up authentication for each service (GitHub, Obsidian, Figma, etc.)</li>
<li><strong>Define context boundaries</strong>: Establish what information should be accessible to AI</li>
<li><strong>Security considerations</strong>: Implement proper access controls and data privacy measures</li>
</ol>
<p>A few best practices:</p>
<ul class="wp-block-list">
<li><strong>Start small</strong>: Begin with one integration and gradually expand your usage</li>
<li><strong>Maintain documentation</strong>: Keep your knowledge bases and documentation current for optimal AI assistance</li>
<li><strong>Regularly review Copilot’s outputs</strong>: Periodically audit AI-generated suggestions to ensure quality and security</li>
<li><strong>Build team alignment</strong>: Ensure your team understands and adopts consistent MCP usage patterns</li>
</ul>
<p>The five integration patterns we’ve explored represent just the beginning of what’s possible. As MCP’s ecosystem grows, new tools and integrations will continue to expand what’s possible.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Get started</strong> with our <a href="https://docs.github.com/en/copilot/tutorials/enhancing-copilot-agent-mode-with-mcp">remote MCP server ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/5-ways-to-transform-your-workflow-using-github-copilot-and-mcp/">5 ways to transform your workflow using GitHub Copilot and MCP</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89268</post-id> </item>
<item>
<title>From idea to PR: A guide to GitHub Copilot’s agentic workflows</title>
<link>https://github.blog/ai-and-ml/github-copilot/from-idea-to-pr-a-guide-to-github-copilots-agentic-workflows/</link>
<dc:creator><![CDATA[Chris Reddington]]></dc:creator>
<pubDate>Tue, 01 Jul 2025 18:57:22 +0000</pubDate>
<category><![CDATA[AI & ML]]></category>
<category><![CDATA[GitHub Copilot]]></category>
<category><![CDATA[agentic AI]]></category>
<category><![CDATA[generative AI]]></category>
<guid isPermaLink="false">https://github.blog/?p=89198</guid>
<description><![CDATA[<p>A practical guide to GitHub Copilot’s agentic coding agent, chat modes, and remote MCP server so you turn issues into tested PRs with clear steps (and no hype).</p>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/from-idea-to-pr-a-guide-to-github-copilots-agentic-workflows/">From idea to PR: A guide to GitHub Copilot’s agentic workflows</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>I got into software to ship ideas, not to chase down hard-coded strings after a late-breaking feature request. Unfortunately, many of our day-to-day tasks as developers involve branches working on boilerplate code, refactoring, and the “pre-work” to get to the fun stuff: shipping new features.</p>
<p>So I turned to Copilot’s agentic workflows to help speed along some of that grunt work. In my latest <strong>Rubber Duck Thursdays</strong> live stream, I put that theory to the test in a project where I wanted to localize an application that used:</p>
<ul class="wp-block-list">
<li><strong>Tech stack:</strong> a <strong>Next.js</strong> web app and a matching <strong>SwiftUI</strong> iOS app living in two separate GitHub repos.</li>
<li><strong>Environment:</strong> spun up rapidly in <strong>Codespaces</strong> (on-demand dev environment) and <strong>Xcode 16</strong> for the mobile portion.</li>
<li><strong>Task:</strong> an issue built from a couple of paragraphs to “Add English, French, and Spanish localization.”</li>
<li><strong>Copilot tools:</strong> <a href="https://docs.github.com/en/copilot/concepts/about-assigning-tasks-to-copilot"><strong>coding agent</strong></a> (to turn that issue into a PR), a <a href="https://code.visualstudio.com/docs/copilot/chat/chat-modes#_chat-mode-file-example">custom <strong>planning chat mode</strong></a><strong> </strong>(to try out the new preview capabilities in VS Code), and the new <strong>remote </strong><a href="https://github.com/github/github-mcp-server?tab=readme-ov-file#usage-with-vs-code"><strong>GitHub MCP server</strong></a> (so we can avoid managing those dependencies in our dev environment).</li>
</ul>
<p>By the end of my stream, that idea became a GitHub issue, which turned into a fully tested, review-ready PR while I fielded chat questions, and learned about the preview custom chat mode features in VS Code.</p>
<p>Let’s dive in.</p>
<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe title="Rubber Duck Thursdays - Let's build" width="500" height="281" src="https://www.youtube.com/embed/UXAbtYbxD_w?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
</div></figure>
<h2 class="wp-block-heading" id="h-why-i-use-agentic-workflows">Why I use agentic workflows</h2>
<p>Even seasoned developers and teams still burn hours on jobs like:</p>
<ul class="wp-block-list">
<li>Turning vague requests into well-scoped issues</li>
<li>Hunting down every file in a cross-cutting refactor</li>
<li>Writing the same unit-test scaffolding again and again</li>
</ul>
<p>Copilot’s ability to create issues, along with its coding agent, custom chat modes in VS Code, and the new remote MCP backend fold those chores into one tight loop—issue to PR—while you stay firmly in the driver’s seat. You still review, tweak, and decide when to merge, but you skip the drudgery.</p>
<h2 class="wp-block-heading" id="h-key-capabilities-covered-in-this-livestream-nbsp">Key capabilities covered in this livestream </h2>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>Capability</strong></th><th><strong>What it does</strong></th><th><strong>Why it matters</strong></th><th><strong>How to enable and use it</strong></th></tr></thead><tbody><tr><td>Coding agent</td><td>Turns any GitHub Issue you assign to Copilot into a PR, and works on that task asynchronously.</td><td>Allows you to offload the boilerplate work while you focus on reviews and edge case logic.</td><td><a href="https://docs.github.com/en/copilot/how-tos/agents/copilot-coding-agent/enabling-copilot-coding-agent">Learn how to enable Copilot coding agent</a>. </td></tr><tr><td>Create issues with Copilot</td><td>Converts a natural-language prompt into a well-structured Issue with title, body, acceptance criteria, and file hints.</td><td>Saves PM/eng refining and sets team members, or Copilot coding agent, up with the context they need to work effectively.</td><td>Navigate to <a href="http://github.com/copilot">github.com/copilot</a> and write a prompt to create an issue. <a href="https://docs.github.com/en/copilot/how-tos/github-flow/using-github-copilot-to-create-issues">Learn more about using Copilot to create issues.</a></td></tr><tr><td>Custom chat modes (in preview in VS Code)</td><td>Lets you script repeatable AI workflows (e.g., <em>Planning</em>, <em>Refactor</em>, <em>Test-Writer</em>) that appear alongside the default <em>Ask</em> / <em>Edit</em> / <em>Agent</em> chat modes.</td><td>Allows you to package instructions and relevant tools for easier use, helping your team follow similar conventions.</td><td>Add a <code>.chatmode.md</code> file to your repo; available in preview in VS Code release 1.101. <a href="https://code.visualstudio.com/docs/copilot/chat/chat-modes#_custom-chat-modes">Learn more about custom chat modes in VS Code</a>.<br></td></tr><tr><td>Remote GitHub MCP Server</td><td>Allows AI tools to access live GitHub context and tools, like issues, pull requests and code files. With the remote GitHub MCP server, you don’t need to install it locally, and can even authenticate with OAuth 2.0.</td><td>Provides a smooth experience to accessing the GitHub MCP server, reducing the management overhead of a local server.</td><td>Update your MCP configuration with <a href="https://github.com/github/github-mcp-server?tab=readme-ov-file#usage-with-vs-code">the example shown in the remote GitHub MCP Server documentation</a>. </td></tr><tr><td>Copilot agent mode</td><td>Copilot agent mode is a real‑time collaborator that sits in your editor, works with you, and edits files based on your needs. Unlike the coding agent, Copilot agent mode works synchronously with you.</td><td>Think of agent mode as the senior dev pair programming with you. It has access to several tools (like reading/writing code, running commands in the terminal, executing tools on MCP servers), and works alongside you.</td><td>Copilot agent mode is available in several IDEs including <a href="https://code.visualstudio.com/docs/copilot/chat/chat-agent-mode">VS Code</a>, <a href="https://learn.microsoft.com/en-us/visualstudio/ide/copilot-agent-mode?view=vs-2022">Visual Studio</a>, <a href="https://plugins.jetbrains.com/plugin/17718-github-copilot">JetBrains</a> (public preview), <a href="https://marketplace.eclipse.org/content/github-copilot">Eclipse</a> (public preview) and <a href="https://github.com/github/copilotforXcode/">Xcode</a> (public preview).</td></tr></tbody></table></figure>
<h2 class="wp-block-heading" id="h-what-you-need-to-achieve-a-similar-outcome">What you need to achieve a similar outcome</h2>
<ol class="wp-block-list">
<li>A GitHub repo you can push to</li>
<li>A Copilot subscription with <strong>coding agent</strong> enabled. (Did you know it’s now available for all paid tiers of GitHub Copilot including <a href="https://github.blog/changelog/2025-06-24-github-copilot-coding-agent-is-now-available-for-copilot-business-users/">Copilot Business</a> and <a href="https://github.blog/changelog/2025-06-25-github-copilot-coding-agent-is-available-for-copilot-pro-users-in-public-preview/">Copilot Pro</a>?)</li>
<li>VS Code 1.101+ with the latest Copilot extension.</li>
<li>Either: <strong>GitHub Remote MCP server</strong> (update your MCP configuration), or a local GitHub MCP server.</li>
</ol>
<h2 class="wp-block-heading" id="h-walk-through-localizing-a-next-js-app">Walk-through: localizing a Next.js app</h2>
<p>Here’s the exact flow I demoed on the most recent <em>Rubber Duck Thursdays</em> stream.</p>
<h3 class="wp-block-heading" id="h-1-capture-the-request-as-a-github-issue">1. Capture the request as a GitHub Issue</h3>
<p>Go to the <a href="https://github.com/copilot">immersive view of Copilot Chat</a>. At the bottom of the page, in the “Ask Copilot” box, describe what you want. For example, below is the prompt that I used. </p>
<pre class="wp-block-code language-plaintext"><code>Create a GitHub Issue that brings i11n capability to the application. We must support English, French and Spanish.
The user must be able to change their language in their profile page. When they change the language, it must apply immediately across the site.
Please include an overview/problem statement in the issue, a set of acceptance criteria, and pointers on which files need updating/creating.</code></pre>
<p>Copilot drafts that into an issue, which includes a title, acceptance criteria, and a loose action plan. From there, you can assign that issue to Copilot, and let it cook in the background. </p>
<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe title="Create an Issue with GitHub Copilot" width="500" height="281" src="https://www.youtube.com/embed/QtVr1SjLYzA?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
</div></figure>
<h3 class="wp-block-heading" id="h-2-let-the-coding-agent-turn-the-issue-into-a-pr">2. Let the coding agent turn the issue into a PR</h3>
<p>Shortly after assignment, the coding agent:</p>
<ol class="wp-block-list">
<li>Creates a branch</li>
<li>Starts a new session. If you <a href="https://docs.github.com/en/copilot/how-tos/agents/copilot-coding-agent/customizing-the-development-environment-for-copilot-coding-agent">have a copilot-setup-steps.yml configured</a>, then a development environment will be configured before Copilot gets to work.</li>
<li>Reviews the task at hand, explores the current state of the codebase, and forms a plan to complete the task.</li>
<li>If you have <a href="https://docs.github.com/en/copilot/how-tos/agents/copilot-coding-agent/best-practices-for-using-copilot-to-work-on-tasks#adding-custom-instructions-to-your-repository">any custom instructions configured</a>, then the coding agent will also use those as context. For example, we specify that npm run lint and npm run test should pass before committing.</li>
<li>Once complete, it opens a draft PR for your review.</li>
</ol>
<p>While that runs, you can keep coding, use it as an opportunity to learn (like we learned about custom chat modes) or grab a coffee.</p>
<h3 class="wp-block-heading" id="h-3-review-the-pr-like-you-normally-would">3. Review the PR like you normally would</h3>
<p>Whether it’s a colleague, collaborator, or Copilot writing the code, you still need a reviewer. So it’s important to make sure you look the code over carefully, just like you would any other pull request.</p>
<ol class="wp-block-list">
<li>Start by reviewing the body of the pull request, which Copilot will have helpfully kept up to date.</li>
<li>Then, review the code changes in the files changed tab, understanding what has changed and why. I also like to take a look at the coding agent session to understand the approach Copilot took to solving the problem.</li>
<li>Once you are comfortable, you may want to try the code out manually in a GitHub Codespace. Or, you may want to run any existing CI checks through your GitHub Actions workflows. But again, make sure you have carefully reviewed the code before executing it.</li>
<li>All being well, you will have green check marks being returned from your CI. </li>
</ol>
<p>However, there’s always a possibility that you encounter failures, or spot some changes in your manual testing. For example, I spotted some hard-coded strings that the agent hadn’t addressed. Once again, we approach this just like we would any other pull request. We can post our feedback in a comment. For example, here’s the comment I used:</p>
<p>That’s a great start. However, there are a lot of pages which are hardcoded in English still. For example, the flight search/bookings page, the check reservation page. Can you implement the localization on those pages, please?</p>
<p>Copilot will react to the comment once again, and get to work in another session. </p>
<h2 class="wp-block-heading" id="h-level-up-your-workflows-with-custom-chat-modes">Level up your workflows with custom chat modes</h2>
<p>If you’re using VS Code as your daily driver with GitHub Copilot, then you’re probably used to the <a href="https://github.blog/ai-and-ml/github-copilot/copilot-ask-edit-and-agent-modes-what-they-do-and-when-to-use-them/">ask, edit and agent chat modes</a>. But in the <a href="https://code.visualstudio.com/updates/v1_101">VS Code 1.101 release</a>, the team has added custom chat modes in preview. This allows you to package instructions and relevant tools for easier use. For example, I built upon <a href="https://code.visualstudio.com/docs/copilot/chat/chat-modes#_chat-mode-file-example">the VS Code team’s “Plan” chat mode example</a>:</p>
<ol class="wp-block-list">
<li>Open the command palette in Visual Studio Code</li>
<li>Type <strong>Configure Chat Modes</strong></li>
<li>Select <strong>Create new custom chat mode file</strong>.<strong> </strong>You’ll be asked to save it either in the workspace (to allow collaborating with others), or in the local user data folder (for your use). We opted for the workspace option.</li>
<li>Enter the name. This is the name that will appear in the chat mode selection box, so pay attention to any capitalization.</li>
<li>You should see a new file has been created with the extension <code>.chatmode.md</code>. This is where you can configure the instructions, and the available tools for your new custom chat mode.</li>
</ol>
<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe loading="lazy" title="GitHub Copilot Chat in VS Code" width="500" height="281" src="https://www.youtube.com/embed/v5Wqs7s5scg?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
</div></figure>
<p>Below is the example that we used in the livestream, slightly modified from the VS Code team’s docs example. We’ve added the create_issue tool to the list of allowed tools, adjusted our expectations of what’s included in the issue and added an instruction about creating the issue with the `create_issue` tool once revisions are complete and approved by the user.</p>
<pre class="wp-block-code language-plaintext"><code>---
description: Generate an implementation plan for new features or refactoring existing code.
tools: ['codebase', 'fetch', 'findTestFiles', 'githubRepo', 'search', 'usages', 'github', 'create_issue']
---
# Planning mode instructions
You are in planning mode. Your task is to generate an implementation plan for a new feature or for refactoring existing code.
Don't make any code edits, just generate a plan.
The plan consists of a Markdown document that describes the implementation plan, including the following sections:
* Overview: A brief description of the feature or refactoring task.
* Requirements: A list of requirements for the feature or refactoring task.
* Implementation Steps: A detailed list of steps to implement the feature or refactoring task.
* Testing: A list of tests that need to be implemented to verify the feature or refactoring task.
Once the plan is complete, ask the user if they would like to create a GitHub issue for this implementation plan. If they respond affirmatively, proceed to create the issue using the `create_issue` tool.</code></pre>
<p>When the file is available in your teammate’s local repositories (so they’ve pulled the changes locally), VS Code surfaces the mode in the chat dropdown, allowing you to configure chat modes that are consistent and convenient across your team.</p>
<h2 class="wp-block-heading" id="h-remote-mcp-removing-the-local-setup">Remote MCP: removing the local setup</h2>
<p>You may be used to running MCP locally through npm packages or as docker containers. However, remote MCP servers allow you to reduce the management overhead of running these tools locally. There may be other benefits too. For example, the remote GitHub MCP Servers allows you to authenticate using OAuth 2.0 instead of Personal Access Tokens.</p>
<p>To use the GitHub Remote MCP Server in VS Code, you’ll need to update the MCP configuration. You can find the instructions on how to do that <a href="https://github.com/github/github-mcp-server?tab=readme-ov-file#remote-github-mcp-server">in the GitHub MCP Server repository</a>.</p>
<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td>💡 <strong>Note:</strong> Did you know that <a href="https://github.com/github/github-mcp-server">the GitHub MCP Server is open source</a>? Take a look through the codebase or raise an issue. Who knows? Maybe you’ll even end up becoming a contributor!</td></tr></tbody></table></figure>
<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe loading="lazy" title="GitHub Remote MCP Server" width="500" height="281" src="https://www.youtube.com/embed/IZ0UICnVQwU?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
</div></figure>
<h2 class="wp-block-heading" id="h-going-mobile-copilot-agent-mode-in-xcode">Going mobile: Copilot agent mode in Xcode</h2>
<p>While we didn’t show it in depth, I quickly walked through one of my previous agent mode sessions in Xcode. It showed how I gave a similar prompt to Copilot, asking to add internationalization to the app, which we were able to see in the main navigation bar of the app running in the simulator.</p>
<pre class="wp-block-code language-plaintext"><code>We need to implement internationalization in the app. Please make the following changes:
1. The user can select from suported languages (English, Spanish, French) from a dropdown in their profile.
2. The main tab view should support internationalization. No other parts of the app should be changed for now.
3. When the user changes the language, it should update the rendered text instantly.</code></pre>
<h2 class="wp-block-heading" id="h-dos-and-don-ts">Dos and don’ts</h2>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>✅ Do</strong></th><th><strong>❌ Don’t</strong></th></tr></thead><tbody><tr><td>Keep issues tightly scoped</td><td>Ask the agent to “re-architect the app”</td></tr><tr><td>Provide acceptance criteria</td><td>Assume the agent knows your intent</td></tr><tr><td>Carefully review the changes made</td><td>Execute code or merge a PR without a review</td></tr><tr><td>Iterate with Copilot. How often do you get something right on the first shot?</td><td>Expect perfection first time</td></tr></tbody></table></figure>
<h2 class="wp-block-heading" id="h-try-it-yourself">Try it yourself</h2>
<ul class="wp-block-list">
<li><a href="https://docs.github.com/en/copilot/how-tos/agents/copilot-coding-agent/enabling-copilot-coding-agent">Enable Copilot coding agent</a> and assign work to Copilot in the background.</li>
<li><a href="https://code.visualstudio.com/docs/copilot/chat/chat-modes#_custom-chat-modes">Configure custom chat modes</a> in VS Code Release 1.101.</li>
<li><a href="https://github.com/github/github-mcp-server?tab=readme-ov-file#remote-github-mcp-server">Configure the Remote GitHub MCP server</a> to reduce local management efforts.</li>
<li>Use Copilot agent mode in <a href="https://code.visualstudio.com/docs/copilot/chat/chat-agent-mode">VS Code</a>, <a href="https://learn.microsoft.com/en-us/visualstudio/ide/copilot-agent-mode?view=vs-2022">Visual Studio</a>, <a href="https://plugins.jetbrains.com/plugin/17718-github-copilot">JetBrains</a> (public preview), <a href="https://marketplace.eclipse.org/content/github-copilot">Eclipse</a> (public preview) and <a href="https://github.com/github/copilotforXcode/">Xcode</a> (public preview).</li>
</ul>
<h2 class="wp-block-heading" id="h-next-steps">Next steps</h2>
<ul class="wp-block-list">
<li><a href="https://www.youtube.com/watch?v=UXAbtYbxD_w"><strong>Watch the full replay</strong> of the stream</a> for a step-by-step walkthrough.</li>
<li>Dive into the Copilot coding agent and MCP docs for more details.</li>
<li>Tell me what you automate first—let us know on social by tagging <code>@github</code> with what you’ve been working on!</li>
<li><a href="https://gh.io/rubberduckthursdays">Join us for the next episode of Rubber Duck Thursdays</a>.</li>
</ul>
<p>Agentic workflows within GitHub Copilot aren’t magic; they’re tools. When a single click can help reduce technical debt (or knock out any other repetitive task you dread), why not let Copilot handle the boilerplate while you tackle the more challenging, fun, and creative problems?</p>
</body></html>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/from-idea-to-pr-a-guide-to-github-copilots-agentic-workflows/">From idea to PR: A guide to GitHub Copilot’s agentic workflows</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89198</post-id> </item>
<item>
<title>Understand your software’s supply chain with GitHub’s dependency graph</title>
<link>https://github.blog/security/supply-chain-security/understand-your-softwares-supply-chain-with-githubs-dependency-graph/</link>
<dc:creator><![CDATA[Andrea Griffiths]]></dc:creator>
<pubDate>Tue, 01 Jul 2025 16:00:00 +0000</pubDate>
<category><![CDATA[Security]]></category>
<category><![CDATA[Supply chain security]]></category>
<category><![CDATA[Dependabot]]></category>
<category><![CDATA[dependency graph]]></category>
<category><![CDATA[supply chain]]></category>
<guid isPermaLink="false">https://github.blog/?p=89188</guid>
<description><![CDATA[<p>The GitHub dependency graph maps every direct and transitive dependency in your project, so you can identify risks, prioritize fixes, and keep your code secure.</p>
<p>The post <a href="https://github.blog/security/supply-chain-security/understand-your-softwares-supply-chain-with-githubs-dependency-graph/">Understand your software’s supply chain with GitHub’s dependency graph</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>What if you could spot the weakest link in your software supply chain before it breaks?</p>
<p>With GitHub’s <a href="https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph">dependency graph</a>, you can. By providing a clear, complete view of the external packages your code depends on, both directly and indirectly, it allows you to understand, secure, and manage your project’s true footprint.</p>
<p>If you’re like me and sometimes lose track of what’s actually powering your applications (we’ve all been there!), GitHub’s dependency graph is about to become your new best friend. </p>
<h2 class="wp-block-heading" id="h-what-is-the-dependency-graph">What is the dependency graph?</h2>
<p>Here’s the thing: Every modern software project is basically an iceberg. That small manifest file with your direct dependencies seems quite harmless at first glance. But underneath? There’s this massive, hidden world of transitive dependencies that most of us never think about. The GitHub dependency graph maps this entire underwater world. Think of it like a family tree, but for your code. Each package is a family member, and each dependency relationship shows who’s related to whom (and trust me, some of these family trees get <em>really</em> complicated).</p>
<p>Each package is a node. Each dependency relationship is an edge. The result? A full visual and structured representation of your software’s external codebase.</p>
<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>In some cases, 95–97% of your code is actually someone else’s. The dependency graph helps you make sense of that reality.</p>
<cite>GitHub engineer <a href="https://github.com/ahpook">Eric Sorenson</a></cite></blockquote>
<p>Let that sink in for a moment. We’re basically curators of other people’s work, and the dependency graph finally helps us make sense of that reality.</p>
<h2 class="wp-block-heading" id="h-why-it-matters">Why it matters</h2>
<p>When vulnerabilities are discovered in open source packages, the consequences ripple downstream. If you don’t know a vulnerable dependency is part of your project, it’s hard to take action.</p>
<p>The dependency graph isn’t just a cool visualization (though it is pretty neat to look at). It’s the foundation that makes <a href="https://github.com/dependabot">Dependabot</a> alerts possible. When a security issue is found in any of your dependencies (even a transitive one), GitHub notifies you. You get the full picture of what’s in your supply chain, how it got there, and what you can actually do about it.</p>
<h2 class="wp-block-heading" id="h-see-it-in-action-from-21-to-1-000-dependencies">See it in action: From 21 to 1,000 dependencies</h2>
<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe loading="lazy" title="How 21 dependencies become 1,000: Understanding your software supply chain | GitHub Checkout" width="500" height="281" src="https://www.youtube.com/embed/gGQXIfLNmB0?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
</div></figure>
<p>Eric showed us a project that looked innocent enough:</p>
<ul class="wp-block-list">
<li><strong>21 direct dependencies</strong> (the ones actually listed in package.json)</li>
<li><strong>1,000 total dependencies</strong> (including everything that got pulled in along the way)</li>
</ul>
<p>With the dependency graph, you can finally:</p>
<ul class="wp-block-list">
<li><strong>Understand which dependencies are direct vs. transitive</strong></li>
<li><strong>Trace how a package like Log4j ended up in your codebase.</strong> (Spoiler: it probably came along for the ride with something else.)</li>
<li><strong>Know what’s yours to fix and what depends on an upstream maintainer</strong></li>
</ul>
<h2 class="wp-block-heading" id="h-tighten-your-supply-chain-with-dependabot">Tighten your supply chain with Dependabot</h2>
<p>Dependabot runs on top of the dependency graph—so enabling the graph is what makes Dependabot’s vulnerability alerts and automatic fix suggestions possible. </p>
<p>Pro tip: Filter for direct dependencies first. These are the ones you can actually control, so focus your energy there instead of pulling your hair out over transitive dependencies that are someone else’s responsibility.</p>
<h2 class="wp-block-heading" id="h-how-to-enable-the-dependency-graph">How to enable the dependency graph</h2>
<p>You can enable the dependency graph in your repository settings under <strong>Security > Dependency Graph</strong>. If you turn on <strong>Dependabot</strong>, the graph will be enabled automatically.</p>
<p>Using GitHub Actions? Community-maintained actions can generate a Software Bill of Materials (SBOM) and submit it to GitHub’s Dependency submission API, even if your language ecosystem doesn’t support auto-discovery.</p>
<p>✅ <strong>The best part?</strong> Dependency graph and Dependabot alerts are free for all repositories.</p>
<h2 class="wp-block-heading" id="h-tl-dr">TL;DR</h2>
<p>You can’t secure what you can’t see. GitHub’s dependency graph gives you visibility into the 90%+ of your codebase that comes from open source libraries and helps you take action when it counts.</p>
<ul class="wp-block-list">
<li><strong>Enable it today </strong>(seriously, do it now)</li>
<li><strong>Use it with Dependabot for automated alerts and fixes</strong></li>
<li><strong>Finally discover what’s actually in your software supply chain</strong></li>
</ul>
<p>Your future self (and your security team) will thank you.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p>Want to learn more about the GitHub dependency graph? <a href="https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph">Explore the documentation ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/security/supply-chain-security/understand-your-softwares-supply-chain-with-githubs-dependency-graph/">Understand your software’s supply chain with GitHub’s dependency graph</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89188</post-id> </item>
<item>
<title>GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them</title>
<link>https://github.blog/security/github-advisory-database-by-the-numbers-known-security-vulnerabilities-and-what-you-can-do-about-them/</link>
<dc:creator><![CDATA[Jonathan Evans]]></dc:creator>
<pubDate>Fri, 27 Jun 2025 16:00:00 +0000</pubDate>
<category><![CDATA[Security]]></category>
<category><![CDATA[CNA]]></category>
<category><![CDATA[Community Contribution]]></category>
<category><![CDATA[CVE]]></category>
<category><![CDATA[CVE Numbering Authority]]></category>
<category><![CDATA[CVSS]]></category>
<category><![CDATA[CWE]]></category>
<category><![CDATA[EPSS]]></category>
<category><![CDATA[GitHub Security Lab]]></category>
<category><![CDATA[open source security]]></category>
<guid isPermaLink="false">https://github.blog/?p=89136</guid>
<description><![CDATA[<p>Use these insights to automate software security (where possible) to keep your projects safe.</p>
<p>The post <a href="https://github.blog/security/github-advisory-database-by-the-numbers-known-security-vulnerabilities-and-what-you-can-do-about-them/">GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>The <a href="https://github.com/advisories">GitHub Advisory Database</a> (Advisory DB) is a vital resource for developers, providing a comprehensive list of known security vulnerabilities and malware affecting open source packages. This post analyzes trends in the Advisory DB, highlighting the growth in reviewed advisories, ecosystem coverage, and source contributions in 2024. We’ll delve into how GitHub provides actionable data to secure software projects.</p>
<h2 class="wp-block-heading" id="h-advisories">Advisories</h2>
<p>The GitHub Advisory Database contains a list of known security vulnerabilities and malware, grouped in three categories: </p>
<ul class="wp-block-list">
<li><strong>GitHub-reviewed advisories:</strong> Manually reviewed advisories in software packages that GitHub supports.</li>
<li><strong>Unreviewed advisories:</strong> These are automatically pulled from the National Vulnerability Database (NVD) and are either in the process of being reviewed, do not affect a supported package, or do not discuss a valid vulnerability.</li>
<li><strong>Malware advisories:</strong> These are specific to malware threats identified by the npm security team.</li>
</ul>
<h3 class="wp-block-heading" id="h-reviewed-advisories">Reviewed advisories</h3>
<p>GitHub-reviewed advisories are security vulnerabilities that have been mapped to packages in ecosystems we support. We carefully review each advisory for validity and ensure that they have a full description, and contain both ecosystem and package information.</p>
<p>Every year, GitHub increases the number of advisories we publish. We have been able to do this due to the increase in advisories coming from our sources (see Sources section below), expanding our ecosystem coverage (also described below), and review campaigns of advisories published before we started the database. </p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="633" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory1.png?resize=1024%2C633" alt="The bar graph shows the number of reviewed advisories added each year. The graph starts with 385 advisories added in 2019, shows an increase over time, and ends with 5256 advisories added in 2024." class="wp-image-89147" srcset="https://github.blog/wp-content/uploads/2025/06/advisory1.png?w=1200 1200w, https://github.blog/wp-content/uploads/2025/06/advisory1.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory1.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory1.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory1.png?w=512 512w, https://github.blog/wp-content/uploads/2025/06/advisory1.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<p>In the past five years, the database has gone from fewer than 400 reviewed advisories to over 20,000 reviewed advisories in October of 2024.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="601" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory2.png?resize=1024%2C601" alt="The line graph shows the total reviewed advisories steadily increasing from 0 in 2019 to 20607 at the end of 2024." class="wp-image-89148" srcset="https://github.blog/wp-content/uploads/2025/06/advisory2.png?w=1308 1308w, https://github.blog/wp-content/uploads/2025/06/advisory2.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory2.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory2.png?w=1024 1024w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<h3 class="wp-block-heading" id="unreviewed-advisories">Unreviewed advisories</h3>
<p>Unreviewed advisories are security vulnerabilities that we publish automatically into the GitHub Advisory Database directly from the National Vulnerability Database feed. The name is a bit of a misnomer as many of these advisories have actually been reviewed by a GitHub analyst. The reason why they fall into this category is because they are not found in a package in one of the supported ecosystems or are not discussing a valid vulnerability, and all have been reviewed by analysts other than someone from the GitHub Security Lab. Even though most of these advisories will never turn into a reviewed advisory, we still publish them so that you do not have to look in multiple databases at once.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="386" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory3.png?resize=1024%2C386" alt="The line graph shows the total number of advisories overtime. The graph shows a sudden jump in April 2022, when GitHub started publishing all vulnerabilities from the National Vulnerability Database feed. It then shows a gradual increase over time." class="wp-image-89149" srcset="https://github.blog/wp-content/uploads/2025/06/advisory3.png?w=1600 1600w, https://github.blog/wp-content/uploads/2025/06/advisory3.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory3.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory3.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory3.png?w=1536 1536w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<h3 class="wp-block-heading" id="malware">Malware</h3>
<p>Malware advisories relate to vulnerabilities caused by malware, and are security advisories that GitHub publishes automatically into the GitHub Advisory Database directly from information provided by the npm security team. Malware advisories are currently exclusive to the npm ecosystem. GitHub doesn’t edit or accept community contributions on these advisories.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="509" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory4.png?resize=1024%2C509" alt="The line graph shows the total malware advisories over time, from May 2022 to December 2024. The line shows a general upward trend in malware advisories over the period, ending at 13405 advisories." class="wp-image-89150" srcset="https://github.blog/wp-content/uploads/2025/06/advisory4.png?w=1494 1494w, https://github.blog/wp-content/uploads/2025/06/advisory4.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory4.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory4.png?w=1024 1024w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<h2 class="wp-block-heading" id="ecosystem-coverage">Ecosystem coverage</h2>
<p>GitHub-reviewed advisories include security vulnerabilities that have been mapped to packages in ecosystems we support. Generally, we name our supported ecosystems after the software programming language’s associated package registry. We review advisories if they are for a vulnerability in a package that comes from a supported registry.</p>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>Ecosystem</strong></th><th><strong>Total advisories</strong></th><th><strong>Vulnerable packages</strong></th><th><strong>First added</strong></th></tr></thead><tbody><tr><td>pip (registry: <a href="https://pypi.org/">https://pypi.org/</a>)</td><td>3378</td><td>1044</td><td>2019-04-19</td></tr><tr><td>Maven (registry: <a href="https://repo.maven.apache.org/maven2">https://repo.maven.apache.org/maven2</a>)</td><td>5171</td><td>955</td><td>2019-04-22</td></tr><tr><td>Composer (registry: <a href="https://packagist.org/">https://packagist.org/</a>)</td><td>4238</td><td>812</td><td>2019-04-26</td></tr><tr><td>npm (registry: <a href="https://www.npmjs.com/">https://www.npmjs.com/</a>)</td><td>3653</td><td>2652</td><td>2019-04-26</td></tr><tr><td>RubyGems (registry: <a href="https://rubygems.org/">https://rubygems.org/</a>)</td><td>840</td><td>371</td><td>2019-04-26</td></tr><tr><td>NuGet (registry: <a href="https://www.nuget.org/">https://www.nuget.org/</a>)</td><td>651</td><td>489</td><td>2019-04-26</td></tr><tr><td>Go (registry: <a href="https://pkg.go.dev/">https://pkg.go.dev/</a>)</td><td>2011</td><td>865</td><td>2021-04-01</td></tr><tr><td>Rust (registry: <a href="https://crates.io/">https://crates.io/</a>)</td><td>857</td><td>553</td><td>2021-05-25</td></tr><tr><td>Erlang (registry: <a href="https://hex.pm/">https://hex.pm/</a>)</td><td>31</td><td>26</td><td>2022-01-27</td></tr><tr><td>GitHub Actions (<a href="https://github.com/marketplace?type=actions/">https://github.com/marketplace?type=actions/</a>)</td><td>21</td><td>21</td><td>2022-07-29</td></tr><tr><td>Pub (registry: <a href="https://pub.dev/packages/registry">https://pub.dev/packages/registry</a>)</td><td>10</td><td>9</td><td>2022-08-04</td></tr><tr><td>Swift (registry: N/A)</td><td>33</td><td>21</td><td>2023-05-10</td></tr></tbody></table></figure>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="633" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory5.png?resize=1024%2C633" alt="The pie chart shows the proportion of advisories across different software ecosystems. Maven, Composer, npm, Pip, and Go are the largest ecosystems." class="wp-image-89151" srcset="https://github.blog/wp-content/uploads/2025/06/advisory5.png?w=1200 1200w, https://github.blog/wp-content/uploads/2025/06/advisory5.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory5.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory5.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory5.png?w=512 512w, https://github.blog/wp-content/uploads/2025/06/advisory5.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<p>Vulnerabilities in Maven and Composer packages are nearly half of the advisories in the database. npm, pip, and Go make up much of the rest, while the other ecosystems have a much smaller footprint.</p>
<p>This has not always been the case. When the database was initially launched, NPM advisories dominated the database, but as we have expanded our coverage and added support for new ecosystems, the distribution mix has changed.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="539" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory7.png?resize=1024%2C539" alt="The stacked area line graph shows the percentage distribution of various ecosystems from 2019 to 2024. The graph starts with half the advisories being for NPM but over time, other ecosystems like Maven and Composer become more prominent." class="wp-image-89152" srcset="https://github.blog/wp-content/uploads/2025/06/advisory7.png?w=1600 1600w, https://github.blog/wp-content/uploads/2025/06/advisory7.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory7.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory7.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory7.png?w=1536 1536w, https://github.blog/wp-content/uploads/2025/06/advisory7.png?w=400 400w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<h2 class="wp-block-heading" id="sources-where-do-the-advisories-come-from">Sources: Where do the advisories come from?</h2>
<p>We add advisories to the GitHub Advisory Database from the following sources:</p>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>Source</strong></th><th><strong>Advisories</strong></th><th><strong>Reviewed advisories</strong></th><th><strong>Sole source</strong></th><th><strong>Coverage</strong></th></tr></thead><tbody><tr><td><a href="https://nvd.nist.gov/">NVD</a></td><td>267429</td><td>18295</td><td>7450</td><td>6.84%</td></tr><tr><td><a href="https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories">GitHub Repository Advisories</a></td><td>12247</td><td>5311</td><td>564</td><td>43.37%</td></tr><tr><td><a href="https://github.com/github/advisory-database/pulls">Community Contributions</a></td><td>4512</td><td>4160</td><td>10</td><td>92.20%</td></tr><tr><td><a href="https://github.com/pypa/advisory-database">PyPA Advisories</a></td><td>3040</td><td>2739</td><td>14</td><td>90.10%</td></tr><tr><td><a href="https://pkg.go.dev/vuln/">Go Vulncheck</a></td><td>1581</td><td>1528</td><td>7</td><td>96.65%</td></tr><tr><td><a href="https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm">NPM Advisories</a></td><td>1411</td><td>1408</td><td>629</td><td>99.79%</td></tr><tr><td><a href="https://github.com/FriendsOfPHP/security-advisories">FriendsOfPHP</a></td><td>1406</td><td>1396</td><td>400</td><td>99.29%</td></tr><tr><td><a href="https://rustsec.org/">RustSec</a></td><td>943</td><td>849</td><td>171</td><td>90.03%</td></tr><tr><td><a href="https://rubysec.com/">RubySec</a></td><td>873</td><td>861</td><td>4</td><td>98.63%</td></tr></tbody></table></figure>
<ul class="wp-block-list">
<li><strong>NVD:</strong> This is a huge source of vulnerabilities covering all types of software. We publish all NVD advisories but only review those relevant to our supported ecosystems, which reduces noise for our users.</li>
<li><strong>GitHub Repository Advisories:</strong> The second largest source is made up of advisories published through GitHub’s repository security advisory feature. Similar to NVD, these aren’t restricted to our supported ecosystems. However, we provide better coverage of the repository advisories because they focus exclusively on open source software.</li>
<li><strong>Community Contributions:</strong> These are reports from the community that are almost exclusively requesting updates to existing advisories.</li>
<li><strong>Other Specialized Sources:</strong> Sources like PyPA Advisories (for Python) and Go Vulncheck (for Go) that focus on specific ecosystems. Because they only cover packages within our supported ecosystems, most of their advisories are relevant to us and get reviewed.</li>
</ul>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="633" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory8.png?resize=1024%2C633" alt="The pie graph shows the proportion of advisories by the number of sources they have. This shows that 46% of the advisories have only one source and 85% have three or fewer." class="wp-image-89153" srcset="https://github.blog/wp-content/uploads/2025/06/advisory8.png?w=1200 1200w, https://github.blog/wp-content/uploads/2025/06/advisory8.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory8.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory8.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory8.png?w=512 512w, https://github.blog/wp-content/uploads/2025/06/advisory8.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<p>If you add up the number of reviewed advisories from each source, you will find that total is more than the total reviewed advisories. This is because each source can publish an advisory for the same vulnerability. In fact, over half of our advisories have more than one source.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="633" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory9.png?resize=1024%2C633" alt="The pie graph shows the proportion of advisories that have a single source by the source they came from. The graph shows that 80% of all single sourced advisories come from the National Vulnerability Database." class="wp-image-89154" srcset="https://github.blog/wp-content/uploads/2025/06/advisory9.png?w=1200 1200w, https://github.blog/wp-content/uploads/2025/06/advisory9.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory9.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory9.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory9.png?w=512 512w, https://github.blog/wp-content/uploads/2025/06/advisory9.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<p>Of the advisories with a single source, nearly all of them come from NVD/CVE. This justifies NVD/CVE as a source, even though it is by far the noisiest.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="633" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory10.png?resize=1024%2C633" alt="The line graph shows the number of advisories imported over time. The graph shows an increase in imports over time." class="wp-image-89155" srcset="https://github.blog/wp-content/uploads/2025/06/advisory10.png?w=1200 1200w, https://github.blog/wp-content/uploads/2025/06/advisory10.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory10.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory10.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory10.png?w=512 512w, https://github.blog/wp-content/uploads/2025/06/advisory10.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<p>2024 saw a significant increase (39%) in the number of advisories imported from our sources. This is for the most part caused by an increase in the number of CVE records published.</p>
<h2 class="wp-block-heading" id="cve-numbering-authority">CVE Numbering Authority</h2>
<p>In addition to publishing advisories in the GitHub Advisory Database, we are also a <a href="https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#cve-identification-numbers">CVE Numbering Authority (CNA)</a> for any repository on GitHub. This means that we issue CVE IDs for vulnerabilities reported to us by maintainers, and we publish the vulnerabilities to the CVE database once the corresponding repository advisory is published.</p>
<p>GitHub published over 2,000 CVE records in 2024, making us the fifth-largest CNA in the CVE Program.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="633" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory11.png?resize=1024%2C633" alt="The bar graph shows the number of CVE records published by the Advisory Database CNA over time. Every year shows an increase in the number published." class="wp-image-89156" srcset="https://github.blog/wp-content/uploads/2025/06/advisory11.png?w=1200 1200w, https://github.blog/wp-content/uploads/2025/06/advisory11.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory11.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory11.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory11.png?w=512 512w, https://github.blog/wp-content/uploads/2025/06/advisory11.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<p>The GitHub CNA is open to <strong>all repositories</strong> on GitHub, not just ones in a supported ecosystem.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="585" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory12.png?resize=1024%2C585" alt="The pie graph shows the proportion of CVEs assigned by the Advisory Database that in a supported ecosystem. 58% are in a supported ecosystem and 42% are not." class="wp-image-89157" srcset="https://github.blog/wp-content/uploads/2025/06/advisory12.png?w=1298 1298w, https://github.blog/wp-content/uploads/2025/06/advisory12.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory12.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory12.png?w=1024 1024w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<h2 class="wp-block-heading" id="advisory-prioritization">Advisory prioritization</h2>
<p>Given the constant deluge of reported vulnerabilities, you’ll want tools that can help you prioritize your remediation efforts. To that end, GitHub provides additional data in the advisory to allow readers to prioritize their vulnerabilities. In particular, there are:</p>
<ul class="wp-block-list">
<li><strong>Severity Rating/CVSS:</strong> A low to critical rating for how severe the vulnerability is likely to be, along with a corresponding CVSS score and vector.</li>
<li><strong>CWE:</strong> CWE identifiers provide a programmatic method for determining the type of vulnerability.</li>
<li><strong>EPSS:</strong> The Exploit Prediction Scoring System, or EPSS, is a system devised by the global Forum of Incident Response and Security Teams (FIRST) for quantifying the likelihood a vulnerability will be attacked in the next 30 days.</li>
</ul>
<p>GitHub adds a severity rating to every advisory. The severity level is one of four possible levels defined in the <a href="https://www.first.org/cvss/specification-document">Common Vulnerability Scoring System (CVSS), Section 5</a>.</p>
<ul class="wp-block-list">
<li>Low</li>
<li>Medium/Moderate</li>
<li>High</li>
<li>Critical</li>
</ul>
<p>Using these ratings, half of all vulnerabilities (15% are Critical and 35% are High) warrant immediate or near-term attention. By focusing remediation efforts on these, you can significantly reduce risk exposure while managing workload more efficiently.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="633" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory13.png?resize=1024%2C633" alt="The stacked area line graph shows the severity rating ration by year of advisory publication. The graph shows that critical vulnerabilities were more common (20 - 25 percent) early on and moderates becoming more common over the years." class="wp-image-89158" srcset="https://github.blog/wp-content/uploads/2025/06/advisory13.png?w=1200 1200w, https://github.blog/wp-content/uploads/2025/06/advisory13.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory13.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory13.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory13.png?w=512 512w, https://github.blog/wp-content/uploads/2025/06/advisory13.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<p>The CVSS specification says the base score we provide, “reflects the severity of a vulnerability according to its intrinsic characteristics which are constant over time and assumes the reasonable worst-case impact across different deployed environments.” However, the worst-case scenario for your deployment may not be the same as CVSS’s. After all, a crash in a word processor is not as severe as a crash in a server. In order to give more context to your prioritization, GitHub allows you to filter alerts based on the type of vulnerability or weakness using CWE identifiers. So you have the capability to never see another regular expression denial of service (<a href="https://cwe.mitre.org/data/definitions/1333.html">CWE-1333</a>) vulnerability again or always see SQL injection (<a href="https://cwe.mitre.org/data/definitions/89.html">CWE-89</a>) vulnerabilities.</p>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>Rank</strong></th><th><strong>CWE ID</strong></th><th><strong>CWE name</strong></th><th><strong>Number of advisories in 2024</strong></th><th><strong>Change in rank from 2023</strong></th></tr></thead><tbody><tr><td>1</td><td><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79</a></td><td>Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)</td><td>936</td><td>+0</td></tr><tr><td>2</td><td><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200</a></td><td>Exposure of Sensitive Information to an Unauthorized Actor</td><td>320</td><td>+0</td></tr><tr><td>3</td><td><a href="https://cwe.mitre.org/data/definitions/22.html">CWE-22</a></td><td>Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)</td><td>259</td><td>+2</td></tr><tr><td>4</td><td><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20</a></td><td>Improper Input Validation</td><td>202</td><td>+0</td></tr><tr><td>5</td><td><a href="https://cwe.mitre.org/data/definitions/94.html">CWE-94</a></td><td>Improper Control of Generation of Code (‘Code Injection’)</td><td>188</td><td>+2</td></tr><tr><td>6</td><td><a href="https://cwe.mitre.org/data/definitions/89.html">CWE-89</a></td><td>Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)</td><td>181</td><td>+3</td></tr><tr><td>7</td><td><a href="https://cwe.mitre.org/data/definitions/352.html">CWE-352</a></td><td>Cross-Site Request Forgery (CSRF)</td><td>161</td><td>-4</td></tr><tr><td>8</td><td><a href="https://cwe.mitre.org/data/definitions/284.html">CWE-284</a></td><td>Improper Access Control</td><td>153</td><td>+4</td></tr><tr><td>9</td><td><a href="https://cwe.mitre.org/data/definitions/400.html">CWE-400</a></td><td>Uncontrolled Resource Consumption</td><td>149</td><td>-3</td></tr><tr><td>10</td><td><a href="https://cwe.mitre.org/data/definitions/287.html">CWE-287</a></td><td>Improper Authentication</td><td>124</td><td>+11</td></tr></tbody></table></figure>
<p>Still drowning in vulnerabilities? Try using EPSS to focus on vulnerabilities likely to be attacked in the next 30 days. EPSS uses data from a <a href="https://www.first.org/epss/partners">variety of sources</a> to create a probability of whether exploitation attempts will be seen in the next 30 days for a given vulnerability. As you can see from the chart below, if you focus on vulnerabilities with EPSS scores of 10% or higher (approx. 7% of all vulnerabilities in the Advisory DB), you can cover nearly all of the vulnerabilities that are likely to see exploit activity.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="633" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory14.png?resize=1024%2C633" alt="The bar graph shows the number of advisories by EPSS probability. Most of the advisories are in the Low or Very Low probability." class="wp-image-89159" srcset="https://github.blog/wp-content/uploads/2025/06/advisory14.png?w=1200 1200w, https://github.blog/wp-content/uploads/2025/06/advisory14.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory14.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory14.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory14.png?w=512 512w, https://github.blog/wp-content/uploads/2025/06/advisory14.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>EPSS probability</strong></th><th><strong>Vulnerabilities in range</strong></th><th><strong>Percentage of overall vulnerabilities</strong></th><th><strong>Expected vulnerabilities in range attacked within the next 30 days</strong></th><th><strong>Percentage of total attacked vulnerabilities</strong></th></tr></thead><tbody><tr><td>High ( >= 10%)</td><td>1440</td><td>7.17%</td><td>741</td><td>85.96%</td></tr><tr><td>Moderate ( >= 1%, < 10%)</td><td>2687</td><td>13.37%</td><td>84</td><td>9.74%</td></tr><tr><td>Low ( >= 0.1%, < 1%)</td><td>10264</td><td>51.09%</td><td>35</td><td>4.06%</td></tr><tr><td>Very Low ( < 0.1%)</td><td>5701</td><td>28.37%</td><td>2</td><td>0.23%</td></tr></tbody></table></figure>
<p>Important caveats to remember when using EPSS:</p>
<ul class="wp-block-list">
<li>Low probability events occur.</li>
<li>EPSS does not tell you whether a vulnerability is exploited; it only claims how likely it is.</li>
<li>EPSS scores are updated daily and will change as new information comes in, so a low-probability vulnerability today may become high probability tomorrow.</li>
</ul>
<p>For more details on how to use CVSS and EPSS for prioritization, see our <a href="https://github.blog/security/application-security/cutting-through-the-noise-how-to-prioritize-dependabot-alerts/">blog</a> on prioritizing Dependabot alerts.</p>
<h2 class="wp-block-heading" id="actionable-data">Actionable data</h2>
<p>The GitHub Advisory DB isn’t just a repository of vulnerabilities. It powers tools that help developers secure their projects. Services like Dependabot use the Advisory DB to:</p>
<ul class="wp-block-list">
<li><strong>Identify vulnerabilities:</strong> It checks if your projects use any software packages with known vulnerabilities.</li>
<li><strong>Suggest fixes:</strong> It recommends updated versions of packages that fix those vulnerabilities when available.</li>
<li><strong>Reduce noise:</strong> You’ll only get notified about vulnerabilities that affect the version of the package you are using.</li>
</ul>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="632" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory15.png?resize=1024%2C632" alt="The bar graph shows the number of advisories published with a patch each year next to the number of advisories without a patch. For every year, nearly all of the advisories have a patch." class="wp-image-89160" srcset="https://github.blog/wp-content/uploads/2025/06/advisory15.png?w=1600 1600w, https://github.blog/wp-content/uploads/2025/06/advisory15.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory15.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory15.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory15.png?w=1536 1536w, https://github.blog/wp-content/uploads/2025/06/advisory15.png?w=1416 1416w, https://github.blog/wp-content/uploads/2025/06/advisory15.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<h2 class="wp-block-heading" id="take-this-with-you">Take this with you</h2>
<p>The GitHub Advisory Database is a powerful resource for tracking open source software vulnerabilities, with over 22,000 reviewed advisories to date. By focusing on popular package registries, GitHub allows you to definitively connect vulnerabilities to the packages you are using. Additional data such as CVSS and EPSS scores help you properly prioritize your mitigation efforts.</p>
<p>GitHub’s role as a CVE Numbering Authority extends beyond the Advisory Database, ensuring that thousands of vulnerabilities each year reach the broader CVE community. Want to ensure your vulnerability fix reaches your users? <a href="https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory">Create a GitHub security advisory</a> in your repository to take advantage of both the GitHub Advisory Database and GitHub’s CNA services.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Want to dive deeper?</strong> Explore <a href="https://github.blog/security/">security blog posts ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/security/github-advisory-database-by-the-numbers-known-security-vulnerabilities-and-what-you-can-do-about-them/">GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89136</post-id> </item>
<item>
<title>From pair to peer programmer: Our vision for agentic workflows in GitHub Copilot</title>
<link>https://github.blog/news-insights/product-news/from-pair-to-peer-programmer-our-vision-for-agentic-workflows-in-github-copilot/</link>
<dc:creator><![CDATA[Tim Rogers]]></dc:creator>
<pubDate>Wed, 25 Jun 2025 16:00:00 +0000</pubDate>
<category><![CDATA[News & insights]]></category>
<category><![CDATA[Product]]></category>
<category><![CDATA[agentic AI]]></category>
<category><![CDATA[generative AI]]></category>
<category><![CDATA[GitHub Copilot]]></category>
<guid isPermaLink="false">https://github.blog/?p=88977</guid>
<description><![CDATA[<p>AI agents in GitHub Copilot don’t just assist developers but actively solve problems through multi-step reasoning and execution. Here’s what that means.</p>
<p>The post <a href="https://github.blog/news-insights/product-news/from-pair-to-peer-programmer-our-vision-for-agentic-workflows-in-github-copilot/">From pair to peer programmer: Our vision for agentic workflows in GitHub Copilot</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>Software development has always been a deeply human, collaborative process. When we introduced <a href="https://github.com/features/copilot">GitHub Copilot</a> in 2021 as an “<a href="https://github.blog/news-insights/product-news/introducing-github-copilot-ai-pair-programmer/">AI pair programmer</a>,” it was designed to help developers stay in the flow, reduce boilerplate work, and accelerate coding.</p>
<p>But what if Copilot could be more than just an assistant? What if it could actively collaborate with you—working alongside you on synchronous tasks, tackling issues independently, and even reviewing your code?</p>
<p>That’s the future we’re building.</p>
<h2 class="wp-block-heading" id="h-our-vision-for-what-s-next-nbsp">Our vision for what’s next </h2>
<p>Today, AI agents in GitHub Copilot don’t just assist developers but actively solve problems through multi-step reasoning and execution. These agents are capable of:</p>
<ul class="wp-block-list">
<li><strong>Independent problem solving:</strong> Copilot will break down complex tasks and take the necessary steps to solve them, providing updates along the way.</li>
<li><strong>Adaptive collaboration:</strong> Whether working in sync with you or independently in the background, Copilot will iterate on its own outputs to drive progress.</li>
<li><strong>Proactive code quality:</strong> Copilot will proactively assist with tasks like issue resolution, testing, and code reviews, ensuring higher-quality, maintainable code.</li>
</ul>
<p>Rather than fitting neatly into synchronous or asynchronous categories, the future of Copilot lies in its ability to flexibly transition between modes—executing tasks independently while keeping you informed and in control. This evolution will allow you to focus on higher-level decision-making while Copilot takes on more of the execution.</p>
<p>Let’s explore what’s already here—and what’s coming next.</p>
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="light_dimmed" class="wp-block-group post-aside--large p-4 p-md-6 is-style-light-dimmed has-global-padding is-layout-constrained wp-block-group-is-layout-constrained is-style-light-dimmed--3" style="border-top-width:4px">
<h3 class="wp-block-heading h5-mktg gh-aside-title is-typography-preset-h5" id="h-why-independent-agents-and-why-now" style="margin-top:0">Why independent agents—and why now?</h3>
<p>Modern development isn’t linear. We context switch between features, bug fixes, dependency bumps, and reviews every day. A truly useful AI must:</p>
<ol class="wp-block-list">
<li><strong>Act independently</strong>: plan multi‑step tasks and execute them without hand holding.</li>
<li><strong>Stay transparent</strong>: share its plan and progress, so you can intervene instantly.</li>
<li><strong>Earn trust</strong>: test its own work and explain every change.</li>
</ol>
<p>Copilot’s new <strong>agentic architecture</strong> is designed around these guardrails.</p>
</aside>
<h2 class="wp-block-heading" id="h-copilot-in-action-taking-steps-toward-our-vision-nbsp">Copilot in action: Taking steps toward our vision </h2>
<h3 class="wp-block-heading" id="h-agent-mode-a-real-time-ai-teammate-inside-your-ide">Agent mode: A real-time AI teammate inside your IDE</h3>
<p>If you’ve used <a href="https://github.blog/news-insights/product-news/github-copilot-the-agent-awakens/">agent mode with GitHub Copilot</a> (and you should, because it’s fantastic), you’ve already experienced an independent AI agent at work. </p>
<p>Agent mode lives where you code and feels like handing your computer to a teammate for a minute: it types on your screen while you look on, and can grab the mouse. When you prompt it, the agent takes control, works through the problem, and reports its work back to you with regular check-in points. It can:</p>
<ul class="wp-block-list">
<li><strong>Read your entire workspace</strong> to understand context.</li>
<li><strong>Plan multi‑step fixes or refactors</strong> (and show you the plan first).</li>
<li><strong>Apply changes, run tests, and iterate</strong> in a tight feedback loop.</li>
<li><strong>Ask for guidance</strong> whenever intent is ambiguous.</li>
<li><strong>Run and refine its own work</strong> through an “agentic loop”—planning, applying changes, testing, and iterating.</li>
</ul>
<p>Rather than just responding to requests, Copilot in agent mode actively works toward your goal. You define the outcome, and it determines the best approach—seeking feedback from you as needed, testing its own solutions, and refining its work in real time. </p>
<p>Think of it as pair programming in fast forward: you’re watching the task unfold in real time, free to jump in or redirect at any step. ✨</p>
<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe loading="lazy" title="GitHub Copilot now supports agent mode" width="500" height="281" src="https://www.youtube.com/embed/Bla9JsYGIRw?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
</div></figure>
<h3 class="wp-block-heading" id="h-coding-agent-an-ai-teammate-that-works-while-you-don-t-nbsp">Coding agent: An AI teammate that works while you don’t </h3>
<p>Not all coding happens in real time. Sometimes, you need to hand off tasks to a teammate and check back later.</p>
<p>That’s where <strong>our coding agent</strong> comes in—and it’s our first step in transforming Copilot into an independent agent. Coding agent spins up its <strong>own secure dev environment</strong> in the cloud. You can assign multiple issues to Copilot, then dive into other work (or grab a cup of coffee!) while it handles the heavy lifting. It can:</p>
<ul class="wp-block-list">
<li><strong>Clone your repo and bootstrap tooling</strong> in isolation.</li>
<li><strong>Break the issue into steps</strong>, implement changes, and write or update tests.</li>
<li><strong>Validate its work </strong>by running your tests and linter.</li>
<li><strong>Open a draft PR</strong> and iterate based on your PR review comments.</li>
<li><strong>Stream progress updates</strong> so you can peek in—or jump in—any time.</li>
</ul>
<p>Working with coding agent is like asking a teammate in another room—with their own laptop and setup—to tackle an issue. You’re free to work on something else, but you can pop in for status or feedback whenever you like.</p>
<figure class="wp-block-video"><video controls poster="https://github.blog/wp-content/uploads/2025/06/Screenshot-2025-06-20-at-12.35.06 PM.png" src="https://github.blog/wp-content/uploads/2025/06/Copilot-Coding-Agent-Overview-v3-Burned.mp4"></video></figure>
<h2 class="wp-block-heading" id="h-less-todo-more-done-the-next-stage-of-copilot-s-agentic-future">Less TODO, more done: The next stage of Copilot’s agentic future</h2>
<p>The next stage of Copilot is being built on three converging pillars:</p>
<ol class="wp-block-list">
<li><strong>Smarter, leaner models.</strong> Ongoing breakthroughs in large language models keep driving accuracy up while pushing latency and cost down. Expanded context windows now span entire monoliths, giving Copilot the long-range “memory” it needs to reason through complex codebases and return answers grounded in your real code.<br></li>
<li><strong>Deeper contextual awareness.</strong> Copilot increasingly understands the full story behind your work—issues, pull-request history, dependency graphs, even private runbooks and API specs (via MCP). By tapping this richer context, it can suggest changes that align with project intent, not just syntax.<br></li>
<li><strong>Open, composable foundation.</strong> We’re designing Copilot to slot into <em>your</em> stack—not the other way around. You choose the editor, models, and tools; Copilot plugs in, learns your patterns, and amplifies them. You’re in the driver’s seat, steering the AI to build, test, and ship code faster than ever.</li>
</ol>
<p>Taken together, these pillars move Copilot beyond a single assistant toward a flexible AI teammate—one that can help any team, from three developers in a garage to thousands in a global enterprise, plan, code, test, and ship with less friction and more speed.</p>
<p>So, get ready for what’s next. The next wave is already on its way. </p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Learn more</strong> about <a href="https://github.com/features/copilot">GitHub Copilot ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/news-insights/product-news/from-pair-to-peer-programmer-our-vision-for-agentic-workflows-in-github-copilot/">From pair to peer programmer: Our vision for agentic workflows in GitHub Copilot</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">88977</post-id> </item>
<item>
<title>Why developer expertise matters more than ever in the age of AI</title>
<link>https://github.blog/developer-skills/career-growth/why-developer-expertise-matters-more-than-ever-in-the-age-of-ai/</link>
<dc:creator><![CDATA[Laura Lindeman]]></dc:creator>
<pubDate>Tue, 24 Jun 2025 17:04:47 +0000</pubDate>
<category><![CDATA[Career growth]]></category>
<category><![CDATA[Developer skills]]></category>
<category><![CDATA[AI]]></category>
<category><![CDATA[productivity]]></category>
<guid isPermaLink="false">https://github.blog/?p=89040</guid>
<description><![CDATA[<p>AI can help you code faster, but knowing why the code works—and sharpening your human-in-the-loop skills—is what makes you a great developer.</p>
<p>The post <a href="https://github.blog/developer-skills/career-growth/why-developer-expertise-matters-more-than-ever-in-the-age-of-ai/">Why developer expertise matters more than ever in the age of AI</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><em>Editor’s note: This piece was originally published in our LinkedIn newsletter, Branching Out_. </em><a href="https://www.linkedin.com/newsletters/branching-out-6958196028076429312/"><em>Sign up now for more career-focused content > </em></a></td></tr></tbody></table></figure>
<p>AI tools seem to be everywhere. With the tap of a key, they provide ready answers to queries, autocomplete faster than our brains can, and even suggest entire blocks of code. Research has shown that <a href="https://github.com/features/copilot">GitHub Copilot</a> enables developers to <a href="https://github.blog/news-insights/research/research-quantifying-github-copilots-impact-on-developer-productivity-and-happiness/">code up to 55% faster</a>. Junior developers, specifically, <a href="https://mitsloan.mit.edu/ideas-made-to-matter/how-generative-ai-affects-highly-skilled-workers?utm_source=chatgpt.com">may see a 27% to 39% increase in output with AI assistance according to MIT</a>, showing even greater productivity gains from their adoption of AI than more experienced developers. </p>
<p><strong>But here’s the question: you may be coding faster with AI, but when was the last time you asked yourself </strong><strong><em>why</em></strong><strong> before adopting a suggestion from an AI coding assistant? </strong></p>
<p>Being a developer is not just about producing code. It’s about understanding <em>why</em> the code works, how it fits into the bigger picture, and what happens when things break down. The best developers know how to think critically about new problems and take a systems view of solving them. That kind of expertise is what keeps software resilient, scalable, and secure, especially as AI accelerates how quickly we ship. Without it, we risk building faster but breaking more.</p>
<p><a href="https://timesofindia.indiatimes.com/technology/tech-news/github-ceo-thomas-dohmke-to-startups-your-companies-would-struggle-without-developers-as-ai-coding-assistants-can-only-/articleshow/121844990.cms?utm_source=chatgpt.com">Our CEO, Thomas Dohmke, put it bluntly at VivaTech</a>: “Startups can launch with AI‑generated code, but they can’t scale without experienced developers.” Developer expertise is the multiplier on AI, not the bottleneck.</p>
<p>We’re not saying you have to reject AI to be a great developer. At GitHub, we believe AI is a superpower, one that helps you move faster and build better when used thoughtfully. Your role as a developer in the age of AI is to be the human-in-the-loop: the person who knows why code works, why it sometimes doesn’t, what the key requirements in your environment are, and how to debug, guide AI tools, and go beyond vibe coding. </p>
<p>After all, AI can help you write code a lot faster, but only developer expertise turns that speed into resilient, scalable, and secure software.</p>
<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong>TL;DR:</strong> AI pair‑programming makes you faster, but it can’t replace the judgment that keeps software safe and maintainable. This article offers three concrete ways to level‑up your expertises.</td></tr></tbody></table></figure>
<h2 class="wp-block-heading" id="h-ai-s-productivity-dividend-developer-experience-greater-impact">AI’s productivity dividend + developer experience = greater impact</h2>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>Benefit</strong></th><th><strong>How human judgment multiplies the value</strong></th></tr></thead><tbody><tr><td>⏱️ Faster commits (up to 55 % quicker task completion)</td><td>Devs run thoughtful code reviews, write tests, and surface edge cases so speed never comes at the cost of quality.</td></tr><tr><td>🧠 Lower cognitive load</td><td>Freed-up mental bandwidth lets developers design better architectures, mentor teammates, and solve higher-order problems.</td></tr><tr><td>🌱 Easier onboarding for juniors</td><td>Senior engineers provide context, establish standards, and turn AI suggestions into teachable moments building long-term expertise.</td></tr><tr><td>🤖 Automated boilerplate</td><td>Devs tailor scaffolding to real project needs, question assumptions, and refactor early to keep tech-debt in check and systems secure.</td></tr></tbody></table></figure>
<p>Speed without judgment can mean:</p>
<ul class="wp-block-list">
<li>Security vulnerabilities that static analysis can’t spot on its own.</li>
<li>Architecture choices that don’t scale beyond the demo.</li>
<li>Documentation drift that leaves humans and models guessing.</li>
</ul>
<p>The remedy? Double down on the fundamentals that AI still can’t master.</p>
<h2 class="wp-block-heading" id="h-mastering-the-fundamentals-3-key-parts-of-your-workflow-to-focus-on-when-using-ai">Mastering the fundamentals: 3 key parts of your workflow to focus on when using AI</h2>
<p>As the home for all developers, we’ve seen it again and again: becoming AI-savvy starts with the old-school basics. You know, the classic tools and features you used before AI became a thing (we know, it’s hard to remember such a time!). We believe that only by mastering the fundamentals can you get the most value, at scale, out of AI developer tools like GitHub Copilot. </p>
<p>A junior developer who jumps into their first AI-assisted project without having a foundational understanding of the basics (like pull requests, code reviews, and documentation) may ship fast, but without context or structure, they risk introducing bugs, missing edge cases, or confusing collaborators. That’s not an AI problem. It’s a fundamentals problem.</p>
<p>Let’s revisit the core skills every developer should bring to the table, AI or not. With the help of a few of our experts, we’ll show you how to level them up so you can dominate in the age of AI.</p>
<h3 class="wp-block-heading" id="h-1-push-for-excellence-in-the-pull-request">1. Push for excellence in the pull request</h3>
<p>At the heart of developer collaboration, pull requests are about clearly communicating your intent, explaining your reasoning, and making it easier for others (humans and AI alike!) to engage with your work.</p>
<p>A well‑scoped PR communicates <em>why</em> a change exists—not just <em>what</em> changed. That context feeds human reviewers and Copilot alike.</p>
<p>As GitHub developer advocate <a href="https://github.com/ladykerr">Kedasha Kerr</a> advises, start by keeping your pull requests small and focused. A tight, purposeful pull request is easier to review, less likely to introduce bugs, and faster to merge. It also gives your reviewers, as well as AI tools like Copilot, a clean scope to work with.</p>
<p>Your pull request description is where clarity counts. Don’t just list what changed—explain <em>why</em> it changed. Include links to related issues, conversations, or tracking tickets to give your teammates the full picture. If your changes span multiple files, suggest where to start reviewing. And be explicit about what kind of feedback you’re looking for: a quick sanity check? A deep dive? Let your reviewers know.</p>
<p>Before you ask for a review, review it yourself. Kedasha recommends running your tests, previewing your changes, and catching anything unclear or unpolished. This not only respects your reviewers’ time, it improves the quality of your code and deepens your understanding of the work.</p>
<p>A thoughtful pull request is a signal of craftsmanship. It builds trust with your team, strengthens your communication skills, and gives Copilot better context to support you going forward. That’s a win for you, your team, and your future self.</p>
<p><strong>Here’s a quick 5‑item PR checklist to reference as you work: </strong></p>
<ol class="wp-block-list">
<li><strong>Scope ≤ 300 lines</strong> (or break it up).</li>
<li><strong>Title = verb + object</strong> (e.g., <em>Refactor auth middleware to async</em>).</li>
<li><strong>Description answers “why now?”</strong> and links to the issue.</li>
<li><strong>Highlight breaking changes</strong> with ⚠️ BREAKING in bold.</li>
<li><strong>Request specific feedback</strong> (e.g., <em>Concurrency strategy OK?</em>).</li>
</ol>
<p>Drop this snippet into <strong><code>.github/pull_request_template.md</code></strong> and merge.</p>
<p><a href="https://github.blog/developer-skills/github/beginners-guide-to-github-creating-a-pull-request/"><em>Learn more about creating a great pull request ></em></a><em> </em></p>
<h3 class="wp-block-heading" id="h-2-rev-up-your-code-reviews">2. Rev up your code reviews</h3>
<p>AI can generate code in seconds, but knowing how to review that code is where real expertise develops. Every pull request is a conversation: “I believe this improves the codebase, do you agree?” As GitHub staff engineer <a href="https://github.com/cheshire137">Sarah Vessels</a> explains, good code reviews don’t just catch bugs; they teach, transfer knowledge, and help teams move faster with fewer costly mistakes.</p>
<p>And let’s be honest: as developers, we often read and review far more code than we actually write (and that’s ok!). No matter if code comes from a colleague or an AI tool, code reviews are a fundamental part of being a developer—and building a strong code review practice is critical, especially as the volume of code increases. </p>
<p>You should start by reviewing your own pull requests before assigning them to others. Leave comments where you’d have questions as a reviewer. This not only helps you spot problems early, but also provides helpful context for your teammates. Keep pull requests small and focused. The smaller the diff, the easier it is to review, debug, and even roll back if something breaks in production. In DevOps organizations, especially large ones, small, frequent commits also help reduce merge conflicts and keep deployment pipelines flowing smoothly. </p>
<p>As a reviewer, focus on clarity. Ask questions, challenge assumptions, and check how code handles edge cases or unexpected data. If you see a better solution, offer a specific example rather than just saying “this could be better.” Affirm good choices too: calling out strong design decisions helps reinforce shared standards and makes the review process less draining for authors.</p>
<p>Code reviews give you daily reps to build technical judgement, deepen your understanding of the codebase, and earn trust with your team. In an AI-powered world, they’re also a key way to level up by helping you slow down, ask the right questions, and spot patterns AI might miss.</p>
<p><strong>Here are some heuristics to keep in mind when reviewing code:</strong></p>
<ul class="wp-block-list">
<li><strong>Read the tests first</strong>. They encode intent.</li>
<li><strong>Trace data flow</strong> for user input to DB writes to external calls.</li>
<li><strong>Look for hidden state</strong> in globals, singletons, and caches.</li>
<li><strong>Ask “What happens under load?”</strong> even if performance isn’t in scope.</li>
<li><strong>Celebrate good patterns</strong> to reinforce team standards.</li>
</ul>
<p><a href="https://github.blog/developer-skills/github/how-to-review-code-effectively-a-github-staff-engineers-philosophy/"><em>Learn more about how to review code effectively ></em></a></p>
<h3 class="wp-block-heading" id="h-3-invest-in-documentation">3. Invest in documentation </h3>
<p>Strong pull requests and code reviews help your team build better software today. But documentation makes it easier to build better software tomorrow. In the AI era, where code can be generated in seconds, clear, thorough documentation remains one of the most valuable—and overlooked—skills a developer can master.</p>
<p>Good documentation helps everyone stay aligned: your team, new contributors, stakeholders, and yes, even AI coding agents (docs make great context for any AI model, after all). The clearer your docs, the more effective AI tools like Copilot can be when generating code, tests, or summaries that rely on understanding your project’s structure. As GitHub’s software engineer <a href="https://github.com/brittanyellich">Brittany Ellich</a> and technical writer <a href="https://github.com/sabrowning1">Sam Browning</a> explain, well-structured docs accelerate onboarding, increase adoption, and make collaboration smoother by reducing back and forth.</p>
<p>The key is to keep your documentation clear, concise, and structured. Use plain language, focus on the information people actually need, and avoid overwhelming readers with too many edge cases or unnecessary details. Organize your docs with the <a href="https://diataxis.fr/">Diátaxis framework</a>, which breaks documentation into four categories:</p>
<ul class="wp-block-list">
<li>Tutorials for hands-on learning with step-by-step guides</li>
<li>How-to guides for task-oriented steps with bulleted or numbered list</li>
<li>Explanations for deeper understanding</li>
<li>Reference for technical specs such as API specs</li>
</ul>
<p>When your docs follow a clear structure, contributors know exactly where to find what they need and where to add new information as your project evolves.</p>
<p>In short: great documentation forces you to sharpen your own understanding of the system you’re building. That kind of clarity compounds over time and is exactly the kind of critical thinking that makes you a stronger developer.</p>
<p><a href="https://github.blog/developer-skills/documentation-done-right-a-developers-guide/"><em>Learn more about how to document your project effectively ></em></a></p>
<h3 class="wp-block-heading" id="h-a-level-up-dev-toolkit">A level‑up dev toolkit</h3>
<p>To make things simple, here’s a skills progression matrix to keep in mind no matter what level you’re at. </p>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>Skill</strong></th><th><strong>Junior</strong></th><th><strong>Mid‑level</strong></th><th><strong>Senior</strong></th></tr></thead><tbody><tr><td>Pull requests</td><td>Describes <em>what</em> changed</td><td>Explains <em>why</em> and links issues</td><td>Anticipates perf/security impact & suggests review focus</td></tr><tr><td>Code reviews</td><td>Leaves 👍/👎</td><td>Gives actionable comments</td><td>Mentors, models architecture trade‑offs</td></tr><tr><td>Documentation</td><td>Updates README</td><td>Writes task‑oriented guides</td><td>Curates docs as a product with metrics</td></tr></tbody></table></figure>
<p><strong>And here are some quick‑wins you can copy today:</strong></p>
<ul class="wp-block-list">
<li><code>.github/CODEOWNERS</code> to auto‑route reviews</li>
<li>PR and issue templates for consistent context</li>
<li>GitHub Skills course: <a href="https://github.com/skills/communicate-using-markdown">Communicating with Markdown</a></li>
</ul>
<h2 class="wp-block-heading" id="h-the-bottom-line">The bottom line</h2>
<p>In the end, AI is changing how we write code, and curiosity, judgment, and critical thinking are needed more than ever. The best developers don’t just accept what AI suggests. They ask why. They provide context. They understand the fundamentals. They think in systems, write with intention, and build with care. </p>
<p>So keep asking why. Stay curious. Continue learning. That’s what sets great developers apart—and it’s how you’ll survive and thrive in an AI-powered future.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Want to get started?</strong> <a href="https://github.com/features/copilot/?utm_source=newsletter&utm_medium=social&utm_campaign=copilot_free_launch">Explore GitHub Copilot ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/developer-skills/career-growth/why-developer-expertise-matters-more-than-ever-in-the-age-of-ai/">Why developer expertise matters more than ever in the age of AI</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89040</post-id> </item>
<item>
<title>GitHub Copilot Spaces: Bring the right context to every suggestion</title>
<link>https://github.blog/ai-and-ml/github-copilot/github-copilot-spaces-bring-the-right-context-to-every-suggestion/</link>
<dc:creator><![CDATA[Andrea Griffiths]]></dc:creator>
<pubDate>Wed, 18 Jun 2025 16:00:00 +0000</pubDate>
<category><![CDATA[AI & ML]]></category>
<category><![CDATA[GitHub Copilot]]></category>
<category><![CDATA[GitHub Copilot Spaces]]></category>
<guid isPermaLink="false">https://github.blog/?p=88913</guid>
<description><![CDATA[<p>Learn how to build your first space in minutes and customize Copilot to match your team's unique coding style and workflows.</p>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/github-copilot-spaces-bring-the-right-context-to-every-suggestion/">GitHub Copilot Spaces: Bring the right context to every suggestion</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>When generative AI tools guess what you need, the magic only lasts as long as the guesses are right. Add an unfamiliar codebase, a security checklist your team keeps in a wiki, or a one‑off Slack thread that explains <em>why</em> something matters, and even the most and even the most powerful model may fill in gaps with assumptions rather than having access to your specific context and knowledge.</p>
<p><a href="https://docs.github.com/en/copilot/using-github-copilot/copilot-spaces/creating-and-using-copilot-spaces">GitHub Copilot Spaces</a> fixes that problem by letting you <strong>bundle the exact context Copilot should read</strong>—code, docs, transcripts, sample queries, you name it—into a reusable “space.” Once a space is created on github.com, Copilot chat and command interactions on the GitHub platform are grounded in that curated knowledge, producing answers that feel like they came from your organization’s resident expert. In the future, IDE integration for Spaces is planned.</p>
<p>In this article, we’ll walk through:</p>
<ul class="wp-block-list">
<li>A 5‑minute quick‑start guide to creating your first space</li>
<li>Tips for personalizing Copilot’s tone, style, and conventions with custom instructions</li>
<li>Real‑world recipes for accessibility, data queries, and onboarding</li>
<li>Collaboration, security, and what’s next on the roadmap (spoiler: IDE integration and Issues/PR support)</li>
</ul>
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="light_dimmed" class="wp-block-group post-aside--large p-4 p-md-6 is-style-light-dimmed has-global-padding is-layout-constrained wp-block-group-is-layout-constrained is-style-light-dimmed--4" style="border-top-width:4px">
<h3 class="wp-block-heading h5-mktg gh-aside-title is-typography-preset-h5" id="h-want-to-learn-more-try-our-docs-nbsp" style="margin-top:0">Want to learn more? Try our Docs. </h3>
<p>We have everything you need to get started—including pro tips on the context that’s most helpful in your workflows.</p>
<p><a href="https://docs.github.com/en/copilot/using-github-copilot/copilot-spaces/about-organizing-and-sharing-context-with-copilot-spaces">Explore Docs ></a></p>
</aside>
<h2 class="wp-block-heading" id="h-why-context-is-the-new-bottleneck-for-ai-assisted-development">Why context is the new bottleneck for AI‑assisted development</h2>
<p>Large language models (LLMs) thrive on patterns, but day‑to‑day engineering work is full of <em>un</em>patterned edge cases, including:</p>
<ul class="wp-block-list">
<li>A monorepo that mixes modern React with legacy jQuery</li>
<li>Organizational wisdom buried in Slack threads or internal wikis</li>
<li>Organization‑specific security guidelines that differ from upstream OSS docs</li>
</ul>
<p>Without that context, an AI assistant can only guess. But with Copilot Spaces, you choose which files, documents, or free‑text snippets matter, drop them into a space, and let Copilot use that context to answer questions or write code. As Kelly Henckel, PM for GitHub Spaces, said in our <a href="https://www.youtube.com/watch?v=a0LWEWLUt48">GitHub Checkout</a> episode, “Spaces make it easy to organize and share context, so Copilot acts like a subject matter expert.” The result? Fewer wrong guesses, less copy-pasting, and code that’s commit-ready.</p>
<h2 class="wp-block-heading" id="h-what-exactly-is-a-copilot-space">What exactly <em>is</em> a Copilot Space?</h2>
<p>Think of a space as a secure, shareable <strong>container of knowledge</strong> plus <strong>behavioral instructions</strong>:</p>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th></th><th><strong>What it holds</strong></th><th><strong>Why it matters</strong></th></tr></thead><tbody><tr><td>Attachments</td><td>Code files, entire folders, Markdown docs, transcripts, or any plain text you add</td><td>Gives Copilot the ground truth for answers</td></tr><tr><td>Custom instructions</td><td>Short system prompts to set tone, coding style, or reviewer expectations</td><td>Lets Copilot match your house rules</td></tr><tr><td>Sharing & permissions</td><td>Follows the same role/visibility model you already use on GitHub</td><td>No new access control lists to manage</td></tr><tr><td>Live updates</td><td>Files stay in sync with the branch you referenced</td><td>Your space stays up to date with your codebase</td></tr></tbody></table></figure>
<p><br>Spaces are available to <strong>anyone with a Copilot license (Free, Individual, Business, or Enterprise)</strong> while the feature is in public preview. Admins can enable it under <strong>Settings  > Copilot > Preview features</strong>.</p>
<p><strong>TL;DR</strong>: A space is like pinning your team’s <em>collective brain</em> to the Copilot sidebar and letting everyone query it in plain language.</p>
<h2 class="wp-block-heading" id="h-quick-start-guide-how-to-build-your-first-space-in-5-minutes">Quick-start guide: How to build your first space in 5 minutes</h2>
<ol class="wp-block-list">
<li><strong>Navigate </strong>to <a href="https://github.com/copilot/spaces">github.com/copilot/spaces</a> and click <strong>Create space</strong>.</li>
<li><strong>Name it clearly</strong>. For example, <code>frontend‑styleguide</code>.</li>
<li><strong>Add a description</strong> so teammates know when—<em>and when not</em>—to use it.</li>
<li><strong>Attach context</strong>:</li>
</ol>
<ul class="wp-block-list">
<li>From repos: Pull in folders like <code>src/components</code> or individual files such as <code>eslint.config.js</code>.</li>
<li>Free‑text hack: Paste a Slack thread, video transcript, onboarding checklist, or even a JSON schema into the <em>Text</em> tab. Copilot treats it like any other attachment.</li>
</ul>
<ol start="5" class="wp-block-list">
<li><strong>Write custom instructions</strong>. A sentence or two is enough:</li>
</ol>
<ul class="wp-block-list">
<li>“Respond as a senior React reviewer. Enforce our ESLint rules and tailwind class naming conventions.”</li>
</ul>
<ol start="6" class="wp-block-list">
<li><strong>Save and test it</strong>. You’re done. Ask Copilot a question in the Space chat—e.g., “Refactor this <code><Button></code> component to match our accessibility checklist”—and watch it cite files you just attached.</li>
</ol>
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="light_dimmed" class="wp-block-group post-aside--large p-4 p-md-6 is-style-light-dimmed has-global-padding is-layout-constrained wp-block-group-is-layout-constrained is-style-light-dimmed--5" style="border-top-width:4px">
<h3 class="wp-block-heading h5-mktg gh-aside-title is-typography-preset-h5" id="h-pro-tip-keep-spaces-focused" style="margin-top:0">Pro tip: Keep spaces focused</h3>
<p>Instead of dumping your entire repo into one space, create smaller, purpose‑built spaces like: <em>Accessibility</em>, <em>Data‑Queries</em>, <em>Auth‑Model</em>, etc. Kelly, the PM behind the feature, uses this pattern internally at GitHub to make subject‑matter expertise reusable. </p>
</aside>
<h2 class="wp-block-heading" id="h-personalize-copilot-s-coding-style-and-voice-too-nbsp">Personalize Copilot’s coding style (and voice, too) </h2>
<p>Custom instructions are the “personality layer” of a space and where spaces shine because they live <em>alongside</em> the attachments. This allows you to do powerful things with a single sentence, including:</p>
<ul class="wp-block-list">
<li><strong>Enforce conventions</strong>
<ul class="wp-block-list">
<li> “Always prefer Vue 3 <code>script setup</code> syntax and Composition API for examples.”</li>
</ul>
</li>
<li><strong>Adopt a team tone</strong>
<ul class="wp-block-list">
<li>“Answer concisely. Include a one‑line summary before code blocks.”</li>
</ul>
</li>
<li><strong>Teach Copilot project‑specific vocabulary</strong>
<ul class="wp-block-list">
<li> “Call it ‘scenario ID’ (SCID), not test case ID.”</li>
</ul>
</li>
</ul>
<p>During the GitHub Checkout interview, Kelly shared how she built a personal space for a nonprofit side project: She attached only the Vue front‑end folder <em>plus</em> instructions on her preferred conventions, and Copilot delivered commit‑ready code snippets that matched her style guide on the first try.</p>
<h2 class="wp-block-heading" id="h-automate-your-workflow-three-real-world-recipes">Automate your workflow: three real‑world recipes</h2>
<h3 class="wp-block-heading" id="h-1-accessibility-compliance-assistant">1. Accessibility compliance assistant</h3>
<p><em>Space ingredients</em></p>
<ul class="wp-block-list">
<li>Markdown docs on WCAG criteria and GitHub’s internal “Definition of Done”</li>
<li>Custom instruction: “When answering, cite the doc section and provide a code diff if changes are required.”</li>
</ul>
<p><strong>How it helps</strong>: Instead of pinging the accessibility lead on Slack, you can use Spaces to ask questions like “What steps are needed for MAS‑C compliance on this new modal?” Copilot summarizes the relevant checkpoints, references the doc anchor, and even suggests ARIA attributes or color‑contrast fixes. GitHub’s own accessibility SME, Katherine, pinned this space in Slack so anyone filing a review gets instant, self‑service guidance.</p>
<h3 class="wp-block-heading" id="h-2-data-query-helper-for-complex-schemas">2. Data‑query helper for complex schemas</h3>
<p><em>Space ingredients</em></p>
<ul class="wp-block-list">
<li>YAML schema files for 40+ event tables</li>
<li>Example KQL snippets saved as <code>.sql</code> files</li>
<li>Instruction: “Generate KQL only, no prose explanations unless asked.”</li>
</ul>
<p><strong>How it helps: </strong>Product managers and support engineers who <em>don’t</em> know your database structures can ask, “Average PR review time last 7 days?” Copilot autocompletes a valid KQL query with correct joins and lets them iterate. Result: lets PMs and support self-serve without bugging data science teams.</p>
<h3 class="wp-block-heading" id="h-3-onboarding-hub-and-knowledge-base-in-one-link">3. Onboarding Hub and knowledge base in one link</h3>
<p><em>Space ingredients</em></p>
<ul class="wp-block-list">
<li>Key architecture diagrams exported as SVG text</li>
<li>ADRs and design docs from multiple repos</li>
<li>Custom instruction: “Answer like a mentor during onboarding; link to deeper docs.”</li>
</ul>
<p><strong>How it helps: </strong>New hires type “How does our auth flow handle SAML?” and get a structured answer with links and diagrams, all without leaving GitHub. Because spaces stay in sync with <code>main</code>, updates to ADRs propagate automatically—no stale wikis.</p>
<h2 class="wp-block-heading" id="h-collaboration-that-feels-native-to-github">Collaboration that feels native to GitHub</h2>
<p>Spaces respect the same permission model you already use:</p>
<ul class="wp-block-list">
<li><strong>Personal spaces</strong>: visible only to you unless shared</li>
<li><strong>Organization‑owned spaces</strong>: use repo or team permissions to gate access</li>
<li><strong>Read‑only vs. edit‑capable</strong>: let SMEs maintain the canon while everyone else consumes</li>
</ul>
<p>Sharing is as simple as sending the space URL or pinning it to a repo README. Anyone with access and a Copilot license can start chatting instantly.</p>
<h2 class="wp-block-heading" id="h-what-s-next-for-copilot-spaces">What’s next for Copilot Spaces?</h2>
<p>We’re working to bring Copilot Spaces to more of your workflows, and are currently developing:</p>
<ul class="wp-block-list">
<li><strong>Issues and PR attachments</strong> to bring inline discussions and review notes into the same context bundle.</li>
<li><strong>IDE Integration</strong>: Query Spaces in VS Code for tasks like writing tests to match your team’s patterns.</li>
<li><strong>Org‑wide discoverability</strong> to help you browse spaces like you browse repos today, so new engineers can search “Payments SME” and start chatting.</li>
</ul>
<p>Your feedback will shape those priorities. <a href="https://github.com/orgs/community/discussions/160840?utm_source=chatgpt.com">Drop your ideas or pain points in the public discussion</a> or, if you’re an enterprise customer, through your account team. </p>
<h2 class="wp-block-heading" id="h-get-started-today">Get started today</h2>
<p>Head to <strong>github.com/copilot/spaces</strong>, spin up your first space, and let us know how it streamlines your workflow. Here’s how to get it fully set up on your end: </p>
<ol class="wp-block-list">
<li><strong>Flip the preview toggle</strong>: <em>Settings > Copilot  >  Preview features > Enable Copilot Spaces.</em></li>
<li><strong>Create one small, high‑impact space</strong>—maybe your team’s code‑review checklist or a set of common data queries.</li>
<li><strong>Share the link</strong> in Slack or a README and watch the pings to subject‑matter experts drop.</li>
<li><strong>Iterate</strong>: prune unused attachments, refine instructions, or split a giant space into smaller ones.</li>
</ol>
<p>Copilot Spaces is free during the public preview and doesn’t count against your Copilot seat entitlements when you use the base model. We can’t wait to see what you build when Copilot has the <em>right</em> context at its fingertips.</p>
</body></html>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/github-copilot-spaces-bring-the-right-context-to-every-suggestion/">GitHub Copilot Spaces: Bring the right context to every suggestion</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">88913</post-id> </item>
<item>
<title>5 tips for using GitHub Copilot with issues to boost your productivity</title>
<link>https://github.blog/ai-and-ml/github-copilot/5-tips-for-using-github-copilot-with-issues-to-boost-your-productivity/</link>
<dc:creator><![CDATA[Klint Finley]]></dc:creator>
<pubDate>Tue, 17 Jun 2025 16:00:00 +0000</pubDate>
<category><![CDATA[AI & ML]]></category>
<category><![CDATA[GitHub Copilot]]></category>
<category><![CDATA[generative AI]]></category>
<category><![CDATA[GitHub Issues]]></category>
<guid isPermaLink="false">https://github.blog/?p=88879</guid>
<description><![CDATA[<p>Reduce context-switching, minimize manual work, and accelerate resolution times with these new AI-powered features.</p>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/5-tips-for-using-github-copilot-with-issues-to-boost-your-productivity/">5 tips for using GitHub Copilot with issues to boost your productivity</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>Managing issues in software development can be tedious and time-consuming. But what if your AI peer programmer could streamline this process for you? <a href="https://github.com/features/copilot">GitHub Copilot</a>‘s latest issue management features can help developers create, organize, and even solve issues. Below, we’ll dig into these features and how they can save time, reduce friction, and maintain consistency across your projects.</p>
<figure class="wp-block-video"><video controls poster="https://github.blog/wp-content/uploads/2025/06/Screenshot-2025-06-16-at-3.31.56 PM.png" src="https://github.blog/wp-content/uploads/2025/06/Copilot-creates-issues-final-1.mp4"></video></figure>
<h2 class="wp-block-heading" id="h-1-image-to-issue-turn-screenshots-into-instant-bug-reports">1. Image to issue: Turn screenshots into instant bug reports</h2>
<p>Writing detailed bug reports is often repetitive and frustrating, leading to inconsistent documentation. Copilot’s image to issue feature significantly reduces this friction.</p>
<p>Simply paste a screenshot of the bug into Copilot chat with a brief description prompt Copilot to create an issue for you, then Copilot will analyze the image and generate a comprehensive bug report for you. No more struggling to describe visual glitches or UI problems—the image will speak for itself, and Copilot will handle the documentation.</p>
<p>For example, if you encounter a UI alignment issue or a visual glitch that’s hard to describe, just capture a screenshot, paste it into Copilot, and briefly mention the problem. In the animation above, the user’s prompt was “create me a bug issue because markdown tables are not rendering properly in the comments.” Copilot then automatically drafted a report, including steps to reproduce the bug.</p>
<p>To get the most out of this feature, consider annotating your screenshots clearly—highlighting or circling the problematic area—to help Copilot generate even more precise issue descriptions.</p>
<p><a href="https://docs.github.com/en/copilot/using-github-copilot/using-github-copilot-to-create-issues">Dive into the documentation to learn more</a>.</p>
<h2 class="wp-block-heading" id="h-2-get-the-details-right-templates-tags-and-types">2. Get the details right: Templates, tags, and types</h2>
<p>Projects quickly become disorganized when team members skip adding proper metadata. Incorrect templates, missing labels, or wrong issue types make tracking and prioritization difficult.</p>
<p>Copilot solves this by automatically inferring the best template based on your prompt. It also adds appropriate labels and issue types without requiring you to navigate multiple dropdown menus or memorize tagging conventions.</p>
<p>Need something specific? Simply ask Copilot to add particular labels or switch templates. If you change templates after drafting, Copilot will automatically reformat your content—no manual copying required.</p>
<h2 class="wp-block-heading" id="h-3-stay-organized-with-versioning-and-milestones">3. Stay organized with versioning and milestones</h2>
<p>Keeping issues updated and properly categorized is crucial for clear communication, maintaining project velocity, and ensuring visibility into progress. But with so much else to do, it’s easy to let this work fall by the wayside.</p>
<p>With Copilot, adding projects and milestones is as simple as typing a prompt. You can also specify exactly how you want issues organized. For example, ask Copilot to use the “Bug Report” or “Feature Request” template, add labels like <code>priority: high</code>, <code>frontend</code>, or <code>needs-triage</code>, or set the issue type to “Task” or “Epic.” Copilot will apply these details automatically, ensuring your issues are consistently categorized.</p>
<p>Additionally, Copilot tracks all changes, making them easily referenceable. You can review issue history and revert changes if needed, ensuring nothing important gets lost.</p>
<h2 class="wp-block-heading" id="h-4-batch-create-multiple-issues-at-once">4. Batch create multiple issues at once</h2>
<p>Sometimes you need to log several issues after a customer meeting, user testing session, or bug bash. Traditionally, this means repeating the same creation process multiple times.</p>
<p>Copilot supports multi-issue drafting, allowing you to create multiple issues in a single conversation. Whether logging feature requests or documenting bugs, batch creation saves significant time.</p>
<p>Simply prompt Copilot to create the issues, describe each one, and Copilot will draft them all. For example, you could give the following prompt to create two issues at once:</p>
<pre class="wp-block-code language-plaintext"><code>Create me issues for the following features:
- Line breaks ignored in rendered Markdown despite double-space
- Bold and italic Markdown styles not applied when combined</code></pre>
<p>You will still need to review and finalize each one, but the drafting process is streamlined into a single workflow.</p>
<h2 class="wp-block-heading" id="h-5-let-ai-help-fix-your-bugs-with-copilot-coding-agent">5. Let AI help fix your bugs with Copilot coding agent</h2>
<p><a href="https://github.blog/developer-skills/github/how-to-create-issues-and-pull-requests-in-record-time-on-github/">Creating issues</a> is only half the battle—fixing them is where the real work begins. You can now <a href="https://github.blog/ai-and-ml/github-copilot/assigning-and-completing-issues-with-coding-agent-in-github-copilot/">assign issues</a> directly to Copilot. Just ask <a href="https://docs.github.com/en/copilot/using-github-copilot/coding-agent/enabling-copilot-coding-agent">Copilot coding agent</a> to take ownership of the issue, and your AI coding assistant will start analyzing the bug. Copilot can even suggest draft pull requests with potential fixes.</p>
<p>This seamless handoff reduces context-switching and accelerates resolution times, allowing your team to focus on more complex challenges.</p>
<h2 class="wp-block-heading" id="h-beyond-copilot-issues-enhancements-on-github">Beyond Copilot: Issues enhancements on GitHub</h2>
<p>While Copilot is already revolutionizing issue management, we at GitHub are always looking for ways to enhance the overall issues experience. For example, you can now:</p>
<ul class="wp-block-list">
<li>Standardize <a href="https://docs.github.com/en/issues/tracking-your-work-with-issues/configuring-issues/managing-issue-types-in-an-organization">issue types</a> across repositories for consistent tracking and reporting.</li>
<li>Break down complex tasks into <a href="https://docs.github.com/en/issues/tracking-your-work-with-issues/using-issues/adding-sub-issues">sub-issues</a> for better progress management.</li>
<li>Use <a href="https://docs.github.com/en/issues/tracking-your-work-with-issues/using-issues/filtering-and-searching-issues-and-pull-requests#building-advanced-filters-for-issues">advanced search</a> capabilities with logical operators to quickly find exactly what you need.</li>
<li>Manage larger projects with expanded limits supporting up to 50,000 items.</li>
</ul>
<h2 class="wp-block-heading" id="h-kickstart-enhanced-issue-management-today">Kickstart enhanced issue management today</h2>
<p>Ready to transform your issue management workflow with GitHub Copilot? Head to <a href="https://github.com/copilot">github.com/copilot</a> and try prompts like:</p>
<ul class="wp-block-list">
<li>“Create me an issue for…”</li>
<li>“Log a bug for…”</li>
<li>Or simply upload a screenshot and mention you want to file a bug.</li>
</ul>
<p>Experience firsthand how Copilot makes issue management feel less like administrative overhead and more like a conversation with your AI pair programmer.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Learn more</strong> about <a href="https://docs.github.com/en/copilot/using-github-copilot/using-github-copilot-to-create-issues">creating issues with Copilot ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/5-tips-for-using-github-copilot-with-issues-to-boost-your-productivity/">5 tips for using GitHub Copilot with issues to boost your productivity</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">88879</post-id> </item>
<item>
<title>Highlights from Git 2.50</title>
<link>https://github.blog/open-source/git/highlights-from-git-2-50/</link>
<dc:creator><![CDATA[Taylor Blau]]></dc:creator>
<pubDate>Mon, 16 Jun 2025 17:12:27 +0000</pubDate>
<category><![CDATA[Git]]></category>
<category><![CDATA[Open Source]]></category>
<guid isPermaLink="false">https://github.blog/?p=88787</guid>
<description><![CDATA[<p>The open source Git project just released Git 2.50. Here is GitHub’s look at some of the most interesting features and changes introduced since last time.</p>
<p>The post <a href="https://github.blog/open-source/git/highlights-from-git-2-50/">Highlights from Git 2.50</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>The open source Git project just <a href="https://lore.kernel.org/git/xmqq1prj1umb.fsf@gitster.g/T/#u">released Git 2.50</a> with features and bug fixes from 98 contributors, 35 of them new. We last caught up with you on the latest in Git back when <a href="https://github.blog/open-source/git/highlights-from-git-2-49/">2.49 was released</a>.</p>
<figure style="margin-top: 0 !important;margin-bottom: 0 !important" class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td>💡 Before we get into the details of this latest release, we wanted to remind you that <a href="https://git-merge.com">Git Merge</a>, the conference for Git users and developers is back this year on September 29-30, in San Francisco. Git Merge will feature talks from developers working on Git, and in the Git ecosystem. Tickets are on sale now; check out <a href="https://git-merge.com">the website</a> to learn more.</td></tr></tbody></table></figure>
<p>With that out of the way, let’s take a look at some of the most interesting features and changes from Git 2.50.</p>
<h2 class="wp-block-heading" id="h-improvements-for-multiple-cruft-packs">Improvements for multiple cruft packs</h2>
<p></p><p>When we covered <a href="https://github.blog/open-source/git/highlights-from-git-2-43/#multiple-cruft-packs">Git 2.43</a>, we talked about newly added support for <a href="https://github.blog/open-source/git/highlights-from-git-2-43/#multiple-cruft-packs">multiple cruft packs</a>. Git 2.50 improves on that with better command-line ergonomics, and some important bugfixes. In case you’re new to the series, need a refresher, or aren’t familiar with <a href="https://github.blog/2022-09-13-scaling-gits-garbage-collection/">cruft packs</a>, here’s a brief overview:</p><p>Git <a href="https://git-scm.com/book/en/v2/Git-Internals-Git-Objects">objects</a> may be either reachable or unreachable. The set of reachable objects is everything you can walk to starting from one of your repository’s <a href="https://git-scm.com/book/en/v2/Git-Internals-Git-References">references</a>: traversing from commits to their parent(s), trees to their sub-tree(s), and so on. Any object that you didn’t visit by repeating that process over all of your references is unreachable.</p>
<p></p><p id="return">In <a href="https://github.blog/open-source/git/highlights-from-git-2-37/">Git 2.37</a>, Git introduced <a href="https://git-scm.com/docs/cruft-packs/2.37.0">cruft packs</a>, a new way to store your repository’s unreachable objects. A cruft pack looks like an ordinary <a href="https://git-scm.com/book/en/v2/Git-Internals-Packfiles">packfile</a> with the addition of an <code>.mtimes</code> file, which is used to keep track of when each object was most recently written in order to determine when it is safe<sup><a href="#footnote">1</a></sup> to discard it.</p><p>However, updating the cruft pack could be cumbersome–particularly in repositories with many unreachable objects–since a repository’s cruft pack must be rewritten in order to add new objects. Git 2.43 began to address this through a new command-line option: <code>git repack --max-cruft-size</code>. This option was designed to split unreachable objects across multiple packs, each no larger than the value specified by <code>--max-cruft-size</code>. But there were a couple of problems:</p>
<ul class="wp-block-list">
<li>If you’re familiar with <code>git repack</code>’s <code>--max-pack-size</code> option, <code>--max-cruft-size</code>’s behavior is quite confusing. The former option specifies the maximum size an individual pack can be, while the latter involves how and when to move objects between multiple packs.</li>
<li>The feature was broken to begin with! Since <code>--max-cruft-size</code> <em>also</em> imposes on cruft packs the same pack-size constraints as <code>--max-pack-size</code> does on non-cruft packs, it is often impossible to get the behavior you want.</li>
</ul>
<p>For example, suppose you had two 100 MiB cruft packs and ran <code>git repack --max-cruft-size=200M</code>. You might expect Git to merge them into a single 200 MiB pack. But since <code>--max-cruft-size</code> also dictates the maximum size of the output pack, Git will refuse to combine them, or worse: rewrite the same pack repeatedly.</p>
<p>Git 2.50 addresses both of these issues with a new option: <code>--combine-cruft-below-size</code>. Instead of specifying the maximum size of the output pack, it determines which existing cruft pack(s) are eligible to be combined. This is particularly helpful for repositories that have accumulated many unreachable objects spread across multiple cruft packs. With this new option, you can gradually reduce the number of cruft packs in your repository over time by combining existing ones together.</p>
<p>With the introduction of <code>--combine-cruft-below-size</code>, Git 2.50 repurposed <code>--max-cruft-size</code> to behave as a cruft pack-specific override for <code>--max-pack-size</code>. Now <code>--max-cruft-size</code> only determines the size of the outgoing pack, not which packs get combined into it.</p>
<p>Along the way, a bug was uncovered that prevented objects stored in multiple cruft packs from being “freshened” in <a href="https://lore.kernel.org/git/c0c926adde2b7c8f4b53b7a274d5b8c040f77e62.1740680964.git.me@ttaylorr.com/">certain circumstances</a>. In other words, some unreachable objects don’t have their modification times updated when they are rewritten, leading to them being removed from the repository earlier than they otherwise would have been. Git 2.50 squashes this bug, meaning that you can now efficiently manage multiple cruft packs and freshen their objects to your heart’s content.</p>
<p>[<a href="https://github.com/git/git/compare/6a9e1c3507818fc7a7c301c16fda5ceecb82ae72...484d7adcdadbb72a3e0106c4fa49260cf1099b9a">source</a>, <a href="https://github.com/git/git/compare/f3db666cca0170a43ed602e7130c705882ce7574...08f612ba7000bf181ef6d8baed9ece322e567efd">source</a>]</p>
<h2 class="wp-block-heading" id="h-incremental-multi-pack-reachability-bitmaps">Incremental multi-pack reachability bitmaps</h2>
<p>Back in <a href="https://github.blog/open-source/git/highlights-from-git-2-47">our coverage of Git 2.47</a>, we talked about preliminary support for <a href="https://github.blog/open-source/git/highlights-from-git-2-47/#incremental-multi-pack-indexes">incremental multi-pack indexes</a>. Multi-pack indexes (MIDXs) act like a single pack <code>*.idx</code> file for objects spread across multiple packs.</p>
<p>Multi-pack indexes are extremely useful to accelerate object lookup performance in large repositories by binary searching through a single index containing most of your repository’s contents, rather than repeatedly searching through each individual packfile. But multi-pack indexes aren’t just useful for accelerating object lookups. They’re also the basis for multi-pack reachability bitmaps, the MIDX-specific analogue of classic single-pack reachability bitmaps. If neither of those are familiar to you, don’t worry; here’s a brief refresher. Single-pack <a href="https://git-scm.com/docs/bitmap-format/2.50.0">reachability bitmaps</a> store a collection of <a href="https://en.wikipedia.org/wiki/Bit_array">bitmaps</a> corresponding to a selection of commits. Each bit position in a pack bitmap refers to one object in that pack. In each individual commit’s bitmap, the set bits correspond to objects that are reachable from that commit, and the unset bits represent those that are not.</p>
<p>Multi-pack bitmaps were introduced to take advantage of the substantial performance increase afforded to us by reachability bitmaps. Instead of having bitmaps whose bit positions correspond to the set of objects in a single pack, a multi-pack bitmap’s bit positions correspond to the set of objects in a multi-pack index, which may include objects from arbitrarily many individual packs. If you’re curious to learn more about how multi-pack bitmaps work, you can read our earlier post <a href="https://github.blog/2021-04-29-scaling-monorepo-maintenance/"><em>Scaling monorepo maintenance</em></a>.</p>
<p>However, like cruft packs above, multi-pack indexes can be cumbersome to update as your repository grows larger, since each update requires rewriting the entire multi-pack index and its corresponding bitmap, regardless of how many objects or packs are being added. In Git 2.47, the file format for multi-pack indexes became incremental, allowing multiple multi-pack index layers to be layered on top of one another forming a chain of MIDXs. This made it much easier to add objects to your repository’s MIDX, but the incremental MIDX format at the time did not yet have support for multi-pack bitmaps.</p>
<p>Git 2.50 brings support for the multi-pack reachability format to incremental MIDX chains, with each MIDX layer having its own <code>*.bitmap</code> file. These bitmap layers can be used in conjunction with one another to provide reachability information about selected commits at any layer of the MIDX chain. In effect, this allows extremely large repositories to quickly and efficiently add new reachability bitmaps as new commits are pushed to the repository, regardless of how large the repository is.</p>
<p></p><p>This feature is still considered highly experimental, and support for repacking objects into incremental multi-pack indexes and bitmaps is still fairly bare-bones. This is an active area of development, so we’ll make sure to cover any notable developments to incremental multi-pack reachability bitmaps in this series in the future.</p><p>[<a href="https://github.com/git/git/compare/6e2a3b8ae0e07c0c31f2247fec49b77b5d903a83...27afc272c49137460fe9e58e1fcbe4c1d377b304">source</a>]</p>
<h2 class="wp-block-heading" id="h-the-ort-merge-engine-replaces-recursive">The <code>ORT</code> merge engine replaces <code>recursive</code></h2>
<p></p><p>This release also saw some exciting updates related to merging. Way back when Git 2.33 was released, we talked about a new merge engine called “ORT” (standing for “Ostensibly Recursive’s Twin”).</p><p>ORT is a from-scratch rewrite of Git’s old merging engine, called “recursive.” ORT is significantly faster, more maintainable, and has many new features that were difficult to implement on top of its predecessor.</p><p>One of those features is the ability for Git to determine whether or not two things are mergeable without actually persisting any new objects necessary to construct the merge in the repository. Previously, the only way to tell whether two things are mergeable was to run <code>git merge-tree --write-tree</code> on them. That works, but in this example <code>merge-tree</code> wrote any new objects generated by the merge into the repository. Over time, these can accumulate and cause performance issues. In Git 2.50, you can make the same determination without writing any new objects by using <code>merge-tree</code>’s new <code>--quiet</code> mode and relying on its exit code.</p><p>Most excitingly in this release is that ORT has entirely superseded recursive, and recursive is no longer part of Git’s source code. When ORT was first introduced, it was only accessible through <code>git merge</code>’s <code>-s</code> option to select a strategy. In Git 2.34, ORT became <a href="http://recursive">the default choice</a> over <code>recursive</code>, though the latter was still available in case there were bugs or behavior differences between the two. Now, 16 versions and two and a half years later, recursive has been completely removed from Git, with its author, Elijah Newren, <a href="https://lore.kernel.org/git/pull.1898.git.1743436279.gitgitgadget@gmail.com/">writing</a>:</p>
<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>As a wise man once told me, “Deleted code is debugged code!”</p>
</blockquote>
<p></p><p>As of Git 2.50, recursive has been completely <s>debugged</s> deleted. For more about ORT’s internals and its development, check out this five part series from Elijah <a href="https://blog.palantir.com/optimizing-gits-merge-machinery-1-127ceb0ef2a1">here</a>, <a href="https://blog.palantir.com/optimizing-gits-merge-machinery-2-d81391b97878">here</a>, <a href="https://blog.palantir.com/optimizing-gits-merge-machinery-3-2dc7c7436978">here</a>, <a href="https://blog.palantir.com/optimizing-gits-merge-machinery-part-iv-5bbc4703d050">here</a>, and <a href="https://blog.palantir.com/optimizing-gits-merge-machinery-part-v-46ff3710633e">here</a>.</p><p>[<a href="https://github.com/git/git/compare/17d9dbd3c270aaa33487f6a03d128c47aea6b309...29d7bf19512d8ca97be5cf708ca2e0bcc29408ab">source</a>, <a href="https://github.com/git/git/compare/8d6413a1bef7876b9c17a79358bd70b764ffacba...947e219fb6b1acc3d276d0b50ebf411c252a40bd">source</a>, <a href="https://github.com/git/git/compare/fe7ae3b87ef866e4818a106e8ce6e3d821ed76d7...170e30d6957e1f7b8d88046ae122f98d57dca988">source</a>]</p>
<hr class="wp-block-separator has-alpha-channel-opacity">
<ul class="wp-block-list">
<li><p>If you’ve ever scripted around your repository’s objects, you are likely familiar with <code>git cat-file</code>, Git’s purpose-built tool to list objects and print their contents. <code>git cat-file</code> has many modes, like <code>--batch</code> (for printing out the contents of objects), or <code>--batch-check</code> (for printing out certain information about objects without printing their contents).</p><p>Oftentimes it is useful to dump the set of all objects of a certain type in your repository. For commits, <code>git rev-list</code> can easily enumerate a set of commits. But what about, say, trees? In the past, to filter down to just the tree objects from a list of objects, you might have written something like:</p><pre>$ git cat-file --batch-check='%(objecttype) %(objectname)' \<br>    --buffer <in | perl -ne 'print "$1\n" if /^tree ([0-9a-f]+)/'</pre>Git 2.50 brings Git’s object filtering mechanism used in partial clones to <code>git cat-file</code>, so the above can be rewritten a little more concisely like:<pre>$ git cat-file --batch-check='%(objectname)' --filter='object:type=tree' <in</pre>
<p>[<a href="https://github.com/git/git/compare/9bdd7ecf7ec90433fc1803bf5d608d08857b3b49...8002e8ee1829f0c727aa2f7d9c18ad706cb63565">source</a>]
</p>
</li>
<li>While we’re on the topic, let’s discuss a little-known <code>git cat-file</code> command-line option: <code>--allow-unknown-type</code>. This arcane option was used with objects that have a type other than <code>blob</code>, <code>tree</code>, <code>commit</code>, or <code>tag</code>. This is a quirk dating back a little more than <a href="https://github.com/git/git/compare/13f4f046929de00a8c16171c5e08cdcae887b54d...5ba9a93b39bef057be54ecf7933386a582981625">a decade ago</a> that allows <code>git hash-object</code> to write objects with arbitrary types. In the time since, this feature has gotten very little use. In fact, <code>git cat-file -p --allow-unknown-type</code> can’t even print out the contents of one of these objects!
<p></p><pre>
$ oid="$(git hash-object -w -t notatype --literally /dev/null)"
$ git cat-file -p $oid
fatal: invalid object type
</pre>
<p>This release makes the <code>--allow-unknown-type</code> option silently do nothing, and removes support from git hash-object to write objects with unknown types in the first place.</p>
<p>[<a href="https://github.com/git/git/compare/b6fa7fbcd1b6791675c0b36636745e467419a522...141f8c8c0535004fa5432d9a6d57bf08129a7dd8">source</a>]</p>
</li>
<li><p>The <code>git maintenance</code> command learned a number of new tricks this release as well. It can now perform a few new different kinds of tasks, like <code>worktree-prune</code>, <code>rerere-gc</code>, and <code>reflog-expire</code>. <code>worktree-prune</code> mirrors <code>git gc</code>’s functionality to remove stale or broken Git <a href="https://git-scm.com/docs/git-worktree/2.50.0">worktrees</a>. <code>rerere-gc</code> also mirrors existing functionality exposed via <code>git gc</code> to expire old <code>rerere</code> entries from previously recorded <a href="https://git-scm.com/docs/git-rerere/2.50.0">merge conflict resolutions</a>. Finally, <code>reflog-expire</code> can be used to remove stale unreachable objects from out of the <a href="https://git-scm.com/docs/git-reflog/2.50.0">reflog</a>.</p><p><code>git maintenance</code> also ships with new configuration for the existing <code>loose-objects</code> task. This task removes lingering loose objects that have since been packed away, and then makes new pack(s) for any loose objects that remain. The size of those packs was previously fixed at a maximum of 50,000, and can now be configured by the <code>maintenance.loose-objects.batchSize</code> configuration.</p>
<p>[<a href="https://github.com/git/git/compare/1d01042e314c0965845cae1fbcd0bc7e21f1b608...283621a553b60b26f14b9cf7e8b8c852ddba55d9">source</a>, <a href="https://github.com/git/git/compare/1a1661bd41697a106481e9e2467d0f5a0697349a...8e0a1ec0762405e045d924eed68b872fd29844c9">source</a>, <a href="https://github.com/git/git/compare/7b7fe0a898978618c36432f1f89b29cd412c7a23...6540560fd6c91091f6cf1eaedd034bc1827e1506">source</a>]</p>
</li>
<li><p>If you’ve ever needed to recover some work you lost, you may be familiar with Git’s <a href="https://git-scm.com/docs/git-reflog/2.50.0">reflog</a> feature, which allows you to track changes to a reference over time. For example, you can go back and revisit earlier versions of your repository’s main branch by doing <code>git show main@{2}</code> (to show <code>main</code> prior to the two most recent updates) or <code>main@{1.week.ago}</code> (to show where your copy of the branch was at a week ago).</p><p>Reflog entries can accumulate over time, and you can reach for <code>git reflog expire</code> in the event you need to clean them up. But how do you delete the entirety of a branch’s reflog? If you’re not yet running Git 2.50 and thought “surely it’s <code>git reflog delete</code>”, you’d be wrong! Prior to Git 2.50, the only way to delete a branch’s entire reflog was to do <code>git reflog expire $BRANCH --expire=all</code>.</p><p>In Git 2.50, a new <code>delete</code> sub-command was introduced, so you can accomplish the same as above with the much more natural <code>git reflog delete $BRANCH</code>.</p>
<p>[<a href="https://github.com/git/git/compare/ee847e0034dbfde11f901fbfb74d210c1edad496...d1270689a11e1e0dcf19d0257ce773a1d63d02d8">source</a>]</p></li>
<li><p>Speaking of references, Git 2.50 also received some attention to how references are processed and used throughout its codebase. When using the low-level <code>git update-ref</code> command, Git used to spend time checking whether or not the proposed refname could also be a valid object ID, making its lookups ambiguous. Since <code>update-ref</code> is such a low-level command, this check is no longer done, delivering some performance benefits to higher-level commands that rely on <code>update-ref</code> for their functionality.</p><p>Git 2.50 also learned how to cache whether or not any prefix of a proposed reference name already exists (for example, you can’t create a reference <code>ref/heads/foo/bar/baz</code> if either <code>refs/heads/foo/bar</code> or <code>refs/heads/foo</code> already exists).</p><p>Finally, in order to make those checks, Git used to create a new reference iterator for each individual prefix. Git 2.50’s reference backends learned how to “seek” existing iterators, saving time by being able to reuse the same iterator when checking each possible prefix.</p><p>[<a href="https://github.com/git/git/compare/01d17c05305edefbbe62926f5a5425207324a87f...87d297f48367737444810f8c3e76ef88cb6aa4e3">source</a>]</p></li>
<li><p>If you’ve ever had to tinker with Git’s low-level <a href="https://curl.se/">curl</a> configuration, you may be familiar with Git’s <a href="https://git-scm.com/docs/git-config/2.49.0#Documentation/git-config.txt-httplowSpeedLimithttplowSpeedTime">configuration options</a> for tuning HTTP connections, like <code>http.lowSpeedLimit</code> and <code>http.lowSpeedTime</code> which are used to terminate an HTTP connection that is transferring data too slowly.</p><p>These options can be useful when fine-tuning Git to work in complex networking environments. But what if you want to tweak Git’s <a href="https://en.wikipedia.org/wiki/Keepalive#TCP_keepalive">TCP Keepalive</a> behavior? This can be useful to control when and how often to send keepalive probes, as well as how many to send, before terminating a connection that hasn’t sent data recently.</p><p>Prior to Git 2.50, this wasn’t possible, but this version introduces three new configuration options: <code>http.keepAliveIdle</code>, <code>http.keepAliveInterval</code>, and <code>http.keepAliveCount</code> which can be used to control the fine-grained behavior of curl’s TCP probing (provided your operating system supports it).</p><p>[<a href="https://github.com/git/git/compare/c6b3824a193bc263a764d17def7df7f09ef82a2d...46e6f9af3ec063529738f4b5b0b97c28c005c365">source</a>]</p></li>
<li><p>Git is famously portable and runs on a wide variety of operating systems and environments with very few dependencies. Over the years, various parts of Git have been written in Perl, including some commands like <a href="https://github.com/git/git/blob/5cde71d64aff03d305099b4d239552679ecfaab6/git-add--interactive.perl">the original implementation</a> of <code>git add -i</code> . These days, very few remaining Git commands are written in Perl.</p><p>This version reduces Git’s usage of Perl by removing it as a dependency of the test suite and documentation toolchain. Many Perl one-liners from Git’s test suite were rewritten to use other Shell functions or builtins, and some were rewritten as tiny C programs. For the handful of remaining hard dependencies on Perl, those tests will be skipped on systems that don’t have a working Perl.</p>
<p>[<a href="https://github.com/git/git/compare/8f490db4e200edd22e247ec07fb1349a26c155b2...7a7b6022670c7946afea73a1eeb2ddc32d756624">source</a>, <a href="https://github.com/git/git/compare/a819a3da85655031a23abae0f75d0910697fb92c...a7fa5b2f0ccb567a5a6afedece113f207902fa6f">source</a>]</p>
</li>

<li>
<p>This release also shipped a minor cosmetic update to <code>git rebase -i</code>. When starting a rebase, your <code>$EDITOR</code> might appear with contents that look something like:
</p><pre>
pick c108101daa foo
pick d2a0730acf bar
pick e5291f9231 baz
</pre>
<p>You can edit that list to <code>break</code>, <code>reword</code>, or <code>exec</code> (among many others), and Git will happily execute your rebase. But if you change the commit message in your rebase’s TODO script, they won’t actually change!</p><p>That’s because the commit messages shown in the TODO script are just meant to help you identify which commits you’re rebasing. (If you want to rewrite any commit messages along the way, you can use the <code>reword</code> command instead). To clarify that these messages are cosmetic, Git will now prefix them with a <code>#</code> comment character like so:
</p><pre>
pick c108101daa # foo
pick d2a0730acf # bar
pick e5291f9231 # baz
</pre>
<p>[<a href="https://github.com/git/git/compare/f9cdaa2860e20f3f36595646b7a82082aa772df8...e42667241de12840ef58c0ba1c060b86c850bae0">source</a>]</p>
<p>
</p></li>
<li><p>Long time readers of this series will recall <a href="https://github.blog/open-source/git/highlights-from-git-2-36/">our coverage</a> of Git’s <code>bundle</code> <a href="https://git-scm.com/book/en/v2/Git-Tools-Bundling">feature</a> (when Git added support for partial bundles), though we haven’t covered Git’s <code>bundle-uri</code> <a href="https://git-scm.com/docs/bundle-uri/2.50.0">feature</a>. Git bundles are a way to package your repositories contents: both its objects and the references that point at them into a single <code>*.bundle</code> file.</p><p>While Git has had support for bundles since as early as <a href="https://github.com/git/git/compare/1db8b60b2a6ef0cc0f7cc7d0783b7cda2ce894ca...64d99e9c5a4a3fb35d803894992764a6e288de5d">v1.5.1</a> (nearly 18 years ago!), its <code>bundle-uri</code> feature is <a href="https://github.com/git/git/compare/83937e9592832408670da38bfe6e96c90ad63521...89c6e450fe4a919ecb6fa698005a935531c732cf">much newer</a>. In short, the <code>bundle-uri</code> feature allows a server to serve part of a clone by first directing the client to download a <code>*.bundle</code> file. After the client does so, it will try to perform a fill-in fetch to gather any missing data advertised by the server but not part of the bundle.</p><p>To speed up this fill-in fetch, your Git client will advertise any references that it picked up from the <code>*.bundle</code> itself. But in previous versions of Git, this could sometimes result in <em>slower</em> clones overall! That’s because up until Git 2.50, Git would only advertise the branches in <code>refs/heads/*</code> when asking the server to send the remaining set of objects.</p><p>Git 2.50 now includes advertises all references it knows about from the <code>*.bundle</code> when doing a fill-in fetch on the server, making <code>bundle-uri</code>-enabled clones much faster.</p><p>For more details about these changes, you can check out <a href="https://blog.gitbutler.com/going-down-the-rabbit-hole-of-gits-new-bundle-uri/">this blog post</a> from Scott Chacon.</p><p>[<a href="https://github.com/git/git/compare/0b8d22fd4030832fa64933721fa162feaa9c69d9...435b076ceb6e42c2c4c66422c036a02982b36bd4">source</a>]</p></li>
<li><p>Last but not least, <code>git add -p</code> (and <code>git add -i</code>) now work much more smoothly in <a href="https://github.blog/open-source/git/bring-your-monorepo-down-to-size-with-sparse-checkout/">sparse checkouts</a> by no longer having to expand the <a href="https://github.blog/open-source/git/make-your-monorepo-feel-small-with-gits-sparse-index/">sparse index</a>. This follows in a long line of work that has been gradually adding sparse-index compatibility to Git commands that interact with the index.</p><p>Now you can interactively stage parts of your changes before committing in a sparse checkout without having to wait for Git to populate the sparsified parts of your repository’s index. Give it a whirl on your local sparse checkout today!</p><p>[<a href="https://github.com/git/git/compare/6b6c366e79a1e688526ece01cd1d6a2fa46d0071...ecf9ba20e35ded94d6b1f44f83bb9f7c32162654">source</a>]</p></li>
</ul>
<p></p>
<p></p>
<hr class="wp-block-separator has-alpha-channel-opacity">

<p></p>
<h3 class="wp-block-heading" id="h-the-rest-of-the-iceberg">The rest of the iceberg</h3>
<p></p>
<p></p>
<p>That’s just a sample of changes from the latest release. For more, check out the release notes for <a href="https://github.com/git/git/blob/v2.50.0/Documentation/RelNotes/2.50.0.adoc">2.50</a>, or <a href="https://github.com/git/git/tree/v2.50.0/Documentation/RelNotes">any previous version</a> in <a href="https://github.com/git/git">the Git repository</a>.</p>
<p></p>
<p></p>
<div class="wp-block-group post-content-cta">
<p><strong>🎉 Git turned 20 this year!</strong> Celebrate by watching <a href="https://github.blog/open-source/git/git-turns-20-a-qa-with-linus-torvalds/">our interview of Linus Torvalds</a>, where we discuss how it forever changed software development.</p>
<p></p></div>
<p></p>
<p></p>
<p class="has-small-font-size" id="footnote"><sup>1</sup> It’s never <a href="https://github.blog/engineering/scaling-gits-garbage-collection/#mitigating-object-deletion-raciness">truly safe</a> to remove an unreachable object from a Git repository that is accepting incoming writes, because marking an object as unreachable can race with incoming reference updates, pushes, etc. At GitHub, we use Git’s –expire-to feature (which we wrote about in our <a href="https://github.blog/open-source/git/highlights-from-git-2-39/">coverage of Git 2.39</a>) in something we call “<a href="https://github.blog/engineering/scaling-gits-garbage-collection/#limbo-repositories">limbo repositories</a>” to quickly recover objects that shouldn’t have been deleted, before deleting them for good.  <a href="#return">↩️</a></p>
<p></p></body></html>
<p>The post <a href="https://github.blog/open-source/git/highlights-from-git-2-50/">Highlights from Git 2.50</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">88787</post-id> </item>
</channel>
</rss>

If you would like to create a banner that links to this page (i.e. this validation result), do the following:

Download the "valid RSS" banner.
Upload the image to your own server. (This step is important. Please do not link directly to the image on this server.)
Add this HTML to your page (change the image src attribute if necessary):

<a href="http://www.feedvalidator.org/check.cgi?url=https%3A//github.blog/feed/"><img src="valid-rss-rogers.png" alt="[Valid RSS]" title="Validate my RSS feed" /></a>

If you would like to create a text link instead, here is the URL you can use:

http://www.feedvalidator.org/check.cgi?url=https%3A//github.blog/feed/

Home · About · News · Docs · Terms