FEED Validator

for Atom and RSS and KML

Congratulations!

This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

line 30, column 0: Use of unknown namespace: com-wordpress:feed-additions:1 (11 occurrences) [help]
```
<site xmlns="com-wordpress:feed-additions:1">153214340</site>	<item>
```
line 47, column 0: content:encoded should not contain html tag (10 occurrences) [help]
```
<html><body><p>There are many <a href="https://github.blog/security/applicat ...
```
line 47, column 0: content:encoded should not contain body tag (10 occurrences) [help]
```
<html><body><p>There are many <a href="https://github.blog/security/applicat ...
```
line 51, column 0: content:encoded should not contain data-recalc-dims attribute (16 occurrences) [help]
```
<figure class="wp-block-image size-large"><img data-recalc-dims="1" fetchpri ...
```
line 51, column 0: content:encoded should not contain fetchpriority attribute [help]
```
<figure class="wp-block-image size-large"><img data-recalc-dims="1" fetchpri ...
```
line 51, column 0: content:encoded should not contain decoding attribute (16 occurrences) [help]
```
<figure class="wp-block-image size-large"><img data-recalc-dims="1" fetchpri ...
```
line 51, column 0: content:encoded should not contain sizes attribute (16 occurrences) [help]
```
<figure class="wp-block-image size-large"><img data-recalc-dims="1" fetchpri ...
```
line 879, column 0: content:encoded should not contain iframe tag (7 occurrences) [help]
```
<iframe title="CVE-2025-53367: Exploitable OOB write in DjVuLibre" width="50 ...
```
line 1042, column 0: content:encoded should not contain data-color-mode attribute (3 occurrences) [help]
```
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="ligh ...
```
line 1042, column 0: content:encoded should not contain data-dark-theme attribute (3 occurrences) [help]
```
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="ligh ...
```
line 1042, column 0: content:encoded should not contain data-light-theme attribute (3 occurrences) [help]
```
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="ligh ...
```
line 1999, column 0: content:encoded should not contain loading attribute (14 occurrences) [help]
```
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading= ...
```

line 2460, column 0: content:encoded should not contain controls attribute [help]

<figure class="wp-block-video"><video controls poster="https://github.blog/w ...

line 2460, column 0: content:encoded should not contain poster attribute [help]

<figure class="wp-block-video"><video controls poster="https://github.blog/w ...

Source: https://github.blog/feed/

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>The GitHub Blog</title>
<atom:link href="https://github.blog/feed/" rel="self" type="application/rss+xml" />
<link>https://github.blog/</link>
<description>Updates, ideas, and inspiration from GitHub to help developers build and design software.</description>
<lastBuildDate>Thu, 10 Jul 2025 17:38:15 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>
hourly </sy:updatePeriod>
<sy:updateFrequency>
1 </sy:updateFrequency>
<generator>https://wordpress.org/?v=6.8.1</generator>
<image>
<url>https://github.blog/wp-content/uploads/2019/01/cropped-github-favicon-512.png?fit=32%2C32</url>
<title>The GitHub Blog</title>
<link>https://github.blog/</link>
<width>32</width>
<height>32</height>
</image>
<site xmlns="com-wordpress:feed-additions:1">153214340</site> <item>
<title>Modeling CORS frameworks with CodeQL to find security vulnerabilities</title>
<link>https://github.blog/security/application-security/modeling-cors-frameworks-with-codeql-to-find-security-vulnerabilities/</link>
<dc:creator><![CDATA[Kevin Stubbings]]></dc:creator>
<pubDate>Thu, 10 Jul 2025 17:38:14 +0000</pubDate>
<category><![CDATA[Application security]]></category>
<category><![CDATA[Security]]></category>
<category><![CDATA[CodeQL]]></category>
<category><![CDATA[GitHub Security Lab]]></category>
<category><![CDATA[security research]]></category>
<guid isPermaLink="false">https://github.blog/?p=89417</guid>
<description><![CDATA[<p>Discover how to increase the coverage of your CodeQL CORS security by modeling developer headers and frameworks.</p>
<p>The post <a href="https://github.blog/security/application-security/modeling-cors-frameworks-with-codeql-to-find-security-vulnerabilities/">Modeling CORS frameworks with CodeQL to find security vulnerabilities</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>There are many <a href="https://github.blog/security/application-security/localhost-dangers-cors-and-dns-rebinding/">different types of vulnerabilities</a> that can occur when setting up CORS for your web application, and insecure usage of CORS frameworks and logic errors in homemade CORS implementations can lead to serious security vulnerabilities that allow attackers to bypass authentication. What’s more, attackers can utilize CORS misconfigurations to escalate the severity of other existing vulnerabilities in web applications to access services on the intranet.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" fetchpriority="high" decoding="async" height="847" width="1024" src="https://github.blog/wp-content/uploads/2025/07/cors1.jpg?resize=1024%2C847" alt="A CORS diagram showing communication between two websites in the browser." class="wp-image-89421" srcset="https://github.blog/wp-content/uploads/2025/07/cors1.jpg?w=1600 1600w, https://github.blog/wp-content/uploads/2025/07/cors1.jpg?w=300 300w, https://github.blog/wp-content/uploads/2025/07/cors1.jpg?w=768 768w, https://github.blog/wp-content/uploads/2025/07/cors1.jpg?w=1024 1024w, https://github.blog/wp-content/uploads/2025/07/cors1.jpg?w=1536 1536w" sizes="(max-width: 1000px) 100vw, 1000px" /></figure>
<p>In this blog post, I’ll show how developers and security researchers can use CodeQL to model their own libraries, using work that I’ve done on CORS frameworks in Go as an example. Since the techniques that I used are useful for modeling other frameworks, this blog post can help you model and find vulnerabilities in your own projects. Because static analyzers like CodeQL have the ability to get the detailed information about structures, functions, and imported libraries, they’re more versatile than simple tools like grep. Plus, since CORS frameworks often use set configurations via specific structures and functions, using CodeQL is the easiest way to find misconfigurations in your codebases.</p>
<h2 class="wp-block-heading" id="h-modeling-headers-in-codeql">Modeling headers in CodeQL</h2>
<p>When adding code to CodeQL, it’s best practice to always check the related queries and frameworks that are already available so that we’re not reinventing the wheel. For most languages, CodeQL already has a CORS query that covers many of the default cases. The easiest and simplest way of implementing CORS is by manually setting the  <code>Access-Control-Allow-Origin</code> and <code>Access-Control-Allow-Credentials</code> <a href="https://developer.mozilla.org/en-US/docs/Glossary/Response_header">response headers</a>. By modeling the frameworks for a language (e.g., Django, FastAPI, and Flask), CodeQL can identify where in the code those headers are set. Building on those models by looking for specific header values, CodeQL can find simple examples of CORS and see if they match vulnerable values.</p>
<p>In the following Go example, unauthenticated resources on the servers could be accessed by arbitrary websites.</p>
<pre class="wp-block-code language-go"><code>func saveHandler(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Access-Control-Allow-Origin", "*")
}</code></pre>
<p>This may be troublesome for web applications that do not have authentication, such as tools intended to be hosted locally, because any dangerous endpoint could be accessed and exploited by an attacker.</p>
<p>This is a snippet of the Go http framework where CodeQL models the <code>Set</code> method to find security-related header writes for this framework. Header writes are modeled by the <code>HeaderWrite</code> class in <code>HTTP.qll</code>, which is extended by other modules and classes in order to find all header writes.</p>
<pre class="wp-block-code language-go"><code> /** Provides a class for modeling new HTTP header-write APIs. */
module HeaderWrite {
/**
* A data-flow node that represents a write to an HTTP header.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `HTTP::HeaderWrite` instead.
*/
abstract class Range extends DataFlow::ExprNode {
/** Gets the (lower-case) name of a header set by this definition. */
string getHeaderName() { result = this.getName().getStringValue().toLowerCase() }</code></pre>
<p>Some useful methods such as <code>getHeaderName</code> and <code>getHeaderValue</code> can also  help in developing security queries related to headers, like CORS misconfiguration. Unlike the previous code example, the below pattern is an example of a CORS misconfiguration whose effect is much more impactful.</p>
<pre class="wp-block-code language-go"><code>func saveHandler(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Access-Control-Allow-Origin",
r.Header.Get("Origin"))
w.Header().Set("Access-Control-Allow-Credentials",
"true")
}</code></pre>
<p>Reflecting the request origin header and allowing credentials permits an attacking website to make requests as the current logged in user, which could compromise the entire web application.</p>
<p>Using CodeQL, we can model the headers, looking for specific headers and methods in order to help CodeQL identify the relevant security code structures to find CORS vulnerabilities.</p>
<pre class="wp-block-code language-plaintext"><code>/**
* An `Access-Control-Allow-Credentials` header write.
*/
class AllowCredentialsHeaderWrite extends Http::HeaderWrite {
AllowCredentialsHeaderWrite() {
this.getHeaderName() = headerAllowCredentials()
}
}
/**
* predicate for CORS query.
*/
predicate allowCredentialsIsSetToTrue(DataFlow::ExprNode allowOriginHW) {
exists(AllowCredentialsHeaderWrite allowCredentialsHW |
allowCredentialsHW.getHeaderValue().toLowerCase() = "true"</code></pre>
<p>Here, the <code>HTTP::HeaderWrite</code> class, as previously discussed, is used as a superclass for <code>AllowCredentialsHeaderWrite</code>, which finds all header writes of the value <code>Access-Control-Allow-Credentials</code>. Then, when our CORS misconfiguration query checks whether credentials are enabled, we use AllowCredentialsHeaderWrite as one of the possible sources to check.</p>
<p>The simplest way for developers to set a CORS policy is by setting headers on HTTP responses in their server. By modeling all instances where a header is set, we can check for these CORS cases in our CORS query. </p>
<p>When modeling web frameworks using CodeQL, creating classes that extend more generic superclasses such as <code>HTTP::HeaderWrite</code> allows the impact of the model to be used in all CodeQL security queries that need them. Since headers in web applications can be so important, modeling all the ways they can be written to in a framework can be a great first step to adding that web framework to CodeQL.</p>
<h2 class="wp-block-heading" id="modeling-frameworks-in-codeql">Modeling frameworks in CodeQL</h2>
<figure class="wp-block-image size-full"><img data-recalc-dims="1" decoding="async" width="961" height="877" src="https://github.blog/wp-content/uploads/2025/07/cors2.png?resize=961%2C877" alt="A computer with two windows open showing secure code." class="wp-image-89422" srcset="https://github.blog/wp-content/uploads/2025/07/cors2.png?w=961 961w, https://github.blog/wp-content/uploads/2025/07/cors2.png?w=300 300w, https://github.blog/wp-content/uploads/2025/07/cors2.png?w=768 768w" sizes="(max-width: 961px) 100vw, 961px" /></figure>
<p>Rather than setting the CORS headers manually, many developers use a CORS framework instead.  Generally, CORS frameworks use middleware in the router of a web framework in order to add headers for every response. Some web frameworks will have their own CORS middleware, or you may have to include a third-party package. When modeling a CORS framework in CodeQL, you’re usually modeling the relevant structures and methods that signify a CORS policy. Once the modeled structure or methods have the correct values, the query should check that the structure is actually used in the codebase.</p>
<p>For frameworks, we’ll look into Go as our language of choice since it has great support for CORS. Go provides a couple of CORS frameworks, but most follow the structure of Gin CORS, a CORS middleware framework for the Gin web framework. Here’s an example of a Gin configuration for CORS:</p>
<pre class="wp-block-code language-go"><code>package main
import (
"time"
"github.com/gin-contrib/cors"
"github.com/gin-gonic/gin"
)
func main() {
router := gin.Default()
router.Use(cors.New(cors.Config{
AllowOrigins: []string{"https://foo.com"},
AllowMethods: []string{"PUT", "PATCH"},
AllowHeaders: []string{"Origin"},
ExposeHeaders: []string{"Content-Length"},
AllowCredentials: true,
AllowOriginFunc: func(origin string) bool {
return origin == "https://github.com"
}
}))
router.Run()
}</code></pre>
<p>Now that we’ve modeled the <code>router.Use</code> method and <code>cors.New</code> — ensuring that <code>cors.Config</code> structure is at some point put into a <code>router.Use</code> function for actual use — we should then check all <code>cors.Config</code> structures for appropriate headers.</p>
<p>Next, we find the appropriate headers fields we want to model. For a basic CORS misconfiguration query, we would model <code>AllowOrigins</code>, <code>AllowCredentials</code>, <code>AllowOriginFunc</code>. My pull requests for adding GinCors and RSCors to CodeQL can be used as references if you’re interested in seeing everything that goes into adding a framework to CodeQL. Below I’ll discuss some of the most important details.</p>
<pre class="wp-block-code language-plaintext"><code> /**
* A variable of type Config that holds the headers to be set.
*/
class GinConfig extends Variable {
SsaWithFields v;
GinConfig() {
this = v.getBaseVariable().getSourceVariable() and
v.getType().hasQualifiedName(packagePath(), "Config")
}
/**
* Get variable declaration of GinConfig
*/
SsaWithFields getV() { result = v }
}</code></pre>
<p>I modeled the Config type by using SSAWithFields, which is a <a href="https://en.wikipedia.org/wiki/Static_single-assignment_form">single static assignment</a> with fields. By using <code>getSourceVariable()</code>, we can get the variable that the structure was assigned to, which can help us see where the config is used. This allows us to find track variables that contain the CORS config structure across the codebase, including ones that are often initialized like this:</p>
<pre class="wp-block-code language-go"><code>func main() {
...
// We can now track the corsConfig variable for further updates,such as when one of the fields is updated.
corsConfig:= cors.New(cors.Config{
...
})}</code></pre>
<p>Now that we have the variable containing the relevant structure, we want to find all the instances where the variable is written to. By doing this, we can get an understanding of the relevant property values that have been assigned to it, and thus decide whether the CORS config is misconfigured.</p>
<pre class="wp-block-code language-plaintext"><code> /**
* A write to the value of Access-Control-Allow-Origins header
*/
class AllowOriginsWrite extends UniversalOriginWrite {
DataFlow::Node base;
// This models all writes to the AllowOrigins field of the Config type
AllowOriginsWrite() {
exists(Field f, Write w |
f.hasQualifiedName(packagePath(), "Config", "AllowOrigins") and
w.writesField(base, f, this) and
// To ensure we are finding the correct field, we look for a write of type string (SliceLit)
this.asExpr() instanceof SliceLit
)
}
/**
* Get config variable holding header values
*/
override GinConfig getConfig() {
exists(GinConfig gc |
(
gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
base.asInstruction() or
gc.getV().getAUse() = base
) and
result = gc
)
}
}</code></pre>
<p>By adding the <code>getConfig</code> function, we return the previously created <code>GinConfig</code>, which allows us to verify that any writes to relevant headers affect the same configuration structure. For example, a developer may create a config that has a vulnerable origin and another config that allows credentials. The config that allows credentials wouldn’t be highlighted because only configs with vulnerable origins would create a security issue. By allowing CORS relevant header writes from different frameworks to all extend <code>UniversalOriginWrite</code> and <code>UniversalCredentialsWrite</code>, we can use those in our CORS misconfiguration query. </p>
<h2 class="wp-block-heading" id="writing-cors-misconfiguration-queries-in-codeql">Writing CORS misconfiguration queries in CodeQL</h2>
<p>CORS issues are separated into two types: those without credentials (where we’re looking for * or null) and CORS with credentials (where we’re looking for origin reflection or null). If you want to keep the CodeQL query simple, you can create one query for each type of CORS vulnerability and assign their severity accordingly. For the Go language, CodeQL only has a “CORS with credentials” type of query because it’s applicable to all applications. </p>
<p>Let’s tie in the models we just created above to see how they’re used in the Go CORS misconfiguration query itself. </p>
<pre class="wp-block-code language-plaintext"><code>from DataFlow::ExprNode allowOriginHW, string message
where
allowCredentialsIsSetToTrue(allowOriginHW) and
(
flowsFromUntrustedToAllowOrigin(allowOriginHW, message)
or
allowOriginIsNull(allowOriginHW, message)
) and
not flowsToGuardedByCheckOnUntrusted(allowOriginHW)
...
select allowOriginHW, message</code></pre>
<p>This query is only interested in critical vulnerabilities, so it checks whether credentials are allowed, and whether the allowed origins either come from a remote source or are hardcoded as null. In order to prevent false positives, it checks if there are certain guards — such as string comparisons —  before the remote source gets to the origin. Let’s take a closer look at the predicate <code>allowCredentialsIsSetToTrue</code>.</p>
<pre class="wp-block-code language-plaintext"><code>/**
* Holds if the provided `allowOriginHW` HeaderWrite's parent ResponseWriter
* also has another HeaderWrite that sets a `Access-Control-Allow-Credentials`
* header to `true`.
*/
predicate allowCredentialsIsSetToTrue(DataFlow::ExprNode allowOriginHW) {
exists(AllowCredentialsHeaderWrite allowCredentialsHW |
allowCredentialsHW.getHeaderValue().toLowerCase() = "true"
|
allowOriginHW.(AllowOriginHeaderWrite).getResponseWriter() =
allowCredentialsHW.getResponseWriter()
)
or
...</code></pre>
<p>For the first part of the predicate, we’ll use one of the headers we previously modeled, AllowCredentialsHeaderWrite, in order to compare headers. This will help us filter out all header writes that don’t have credentials set.</p>
<pre class="wp-block-code language-plaintext"><code> exists(UniversalAllowCredentialsWrite allowCredentialsGin |
allowCredentialsGin.getExpr().getBoolValue() = true
|
allowCredentialsGin.getConfig() = allowOriginHW.(UniversalOriginWrite).getConfig() and
not exists(UniversalAllowAllOriginsWrite allowAllOrigins |
allowAllOrigins.getExpr().getBoolValue() = true and
allowCredentialsGin.getConfig() = allowAllOrigins.getConfig()
)
or
allowCredentialsGin.getBase() = allowOriginHW.(UniversalOriginWrite).getBase() and
not exists(UniversalAllowAllOriginsWrite allowAllOrigins |
allowAllOrigins.getExpr().getBoolValue() = true and
allowCredentialsGin.getBase() = allowAllOrigins.getBase()
)
)
}</code></pre>
<p>If CORS is not set through a header, we check for CORS frameworks using <code>UniversalAllowCredentialsWrite</code>.To filter out all instances whose corresponding Origin value is set to “*”, we use the <code>not</code> CodeQL keyword on <code>UniversalAllowAllOriginsWrite</code>,  since these are not applicable to this vulnerability. <code>flowsFromUntrustedToAllowOrigin</code> and <code>allowOriginIsNull</code> follow similar logic to ensure that the resulting header rights are vulnerable.</p>
<h2 class="wp-block-heading" id="extra-credit">Extra credit</h2>
<p>When you model CodeQL queries to detect vulnerabilities related to CORS, you can’t use a one-size-fits-all approach. Instead, you have to tailor your queries to each web framework for two reasons: </p>
<ul class="wp-block-list">
<li>Each framework implements CORS policies in its own way</li>
<li>Vulnerability patterns depend on a framework’s behavior</li>
</ul>
<p>For example, we saw before in Gin CORS that there is an <code>AllowOriginFunc</code>. After looking at the documentation or experimenting with the code, we can see that it may override <code>AllowOrigins</code>. To improve our query, we could write a CodeQL query that looks for <code>AllowOriginFunc</code>s that always return true, which will result in a high severity vulnerability if paired with credentials.</p>
<h2 class="wp-block-heading" id="take-this-with-you">Take this with you </h2>
<p>Once you understand the behavior of web frameworks and headers with CodeQL, it’s simple to find security issues in your code and reduce the chance of vulnerabilities making their way into your work. The number of CodeQL languages that support CORS misconfiguration queries is still growing, and there is always room for improvement from the community . </p>
<p>If this blog has been helpful in helping you write CodeQL queries, please feel free to open anything you’d like to share with the community in our <a href="https://github.com/GitHubSecurityLab/CodeQL-Community-Packs">CodeQL Community Packs</a>.</p>
<p>Finally, <a href="https://github.com/security/advanced-security/code-security">GitHub Code Security</a> can help you secure your project by detecting and suggesting a fix for bugs such as <a href="https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials/">CORS misconfiguration</a>!</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Explore more</strong> GitHub Security Lab <a href="https://github.blog/tag/github-security-lab/">blog posts ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/security/application-security/modeling-cors-frameworks-with-codeql-to-find-security-vulnerabilities/">Modeling CORS frameworks with CodeQL to find security vulnerabilities</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89417</post-id> </item>
<item>
<title>Beyond prompt crafting: How to be a better partner for your AI pair programmer</title>
<link>https://github.blog/ai-and-ml/github-copilot/beyond-prompt-crafting-how-to-be-a-better-partner-for-your-ai-pair-programmer/</link>
<dc:creator><![CDATA[Christopher Harrison]]></dc:creator>
<pubDate>Wed, 09 Jul 2025 16:00:00 +0000</pubDate>
<category><![CDATA[AI & ML]]></category>
<category><![CDATA[GitHub Copilot]]></category>
<guid isPermaLink="false">https://github.blog/?p=89424</guid>
<description><![CDATA[<p>Ensuring quality code suggestions from Copilot goes beyond the perfect prompt. Context is key to success when working with your AI pair programmer.</p>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/beyond-prompt-crafting-how-to-be-a-better-partner-for-your-ai-pair-programmer/">Beyond prompt crafting: How to be a better partner for your AI pair programmer</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>When a developer first starts working with <a href="https://github.com/features/copilot">GitHub Copilot</a> there’s (rightly) a focus on prompt crafting — or the art of providing good context and information to generate quality suggestions. </p>
<p>But context goes beyond typing out a couple of lines into Copilot Chat in VS Code. We want to ensure Copilot is considering the right files when performing operations, that these files are easy for Copilot to read, and that we provide Copilot any extra guidance it may need about the project or specific task. </p>
<p>So let’s explore taking the next step beyond prompt crafting, and think about how we can be a better partner for our AI pair programmer.</p>
<h2 class="wp-block-heading" id="h-context-is-key">Context is key</h2>
<p>I always like to talk about context by starting with a story. The other day my partner and I woke up and she said, “Let’s go to brunch!” Fantastic! Who doesn’t love brunch? </p>
<p>I recommended a spot, one of our favorites, and she said, “You know… we’ve been there quite a bit lately. I’d like to try something different.” I recommended another spot to which she replied, “Now that I’m thinking about it, I really want waffles. Let’s find somewhere that does good waffles.”</p>
<p>This conversation is, of course, pretty normal. My partner asked a question, I responded, she provided more context, and back and forth we went. All of my suggestions were perfectly reasonable based on the information I had, and when she didn’t hear what she was expecting she provided a bit more guidance. As we continued talking, she realized she had a craving for waffles, which she discovered as she considered my suggestions.</p>
<p>This is very much how we both talk with other people, but also how we approach working with generative AI tools, including Copilot. We ask questions, get answers, and work back and forth providing more context and making decisions based on what we see. </p>
<p>If we don’t receive the suggestions we’re expecting, or if something isn’t built to the specs we had in mind, it’s very likely Copilot didn’t have the context it needed — just as I didn’t have the context to suggest somewhere new when I started the conversation with my partner.</p>
<h2 class="wp-block-heading" id="h-how-github-copilot-works-with-code">How GitHub Copilot works with code</h2>
<p>To understand how Copilot in the IDE gets its context, it’s important to understand how it works. Except for <a href="https://github.blog/news-insights/product-news/from-pair-to-peer-programmer-our-vision-for-agentic-workflows-in-github-copilot/">agent mode, which performs external tasks</a>, Copilot doesn’t build or run the code as it generates code suggestions. In fact, it behaves very similarly to, well, a pair programmer. It reads the code (and comments) of the files we’ve pointed it at just as another developer would. </p>
<p>But unlike a teammate, Copilot doesn’t have “institutional knowledge,” or the background information that comes with experience (although <a href="https://docs.github.com/en/copilot/how-tos/custom-instructions/adding-repository-custom-instructions-for-github-copilot">you can add custom instructions</a>, but more on that later). This could be the history of why things were built a certain way (which isn’t documented somewhere but everyone just “knows” 🙄), that an internal library or framework that should always be used, or patterns that need to be followed.</p>
<p>Obviously, all of this background info is important to get the right code suggestions from Copilot. If we’re using a data abstraction layer (DAL), for instance, but Copilot is generating raw SQL code, the suggestions aren’t going to be that helpful. </p>
<p>The problem isn’t that Copilot is generating invalid code. Instead, it’s lacking the context to generate the code in the format and structure we need. Basically, we want waffles and it’s giving us an omelette. Let’s see what we can do to get waffles.</p>
<h2 class="wp-block-heading" id="h-using-code-comments-to-improve-copilot-s-suggestions-through-better-context">Using code comments to improve Copilot’s suggestions through better context</h2>
<p>There’s a common belief that quality code shouldn’t need comments, and that adding comments is a “code smell,” or an indication that something could be improved. While it’s noble to strive to write code that’s as readable as possible, it’s something we often fall short of in our day-to-day work.</p>
<p>Even when we do “hit the mark”, we need to remember that just because code might be readable to one developer, it doesn’t mean it’s readable to all developers. A couple of lines of comments can go a long way to ensuring readability.</p>
<p>The same holds true for Copilot! As we highlighted above, Copilot doesn’t run or compile your code except in specific situations. Instead, it “reads” your code much like a developer would. </p>
<p>Following the guidelines for having <a href="https://peps.python.org/pep-0257/">docstrings</a> in functions/modules in Python, for example, can help ensure Copilot has a better understanding of what the code does and how it does it. This allows Copilot to generate higher-quality suggestions by using your existing code to ensure any new code follows the same patterns and practices already in place.</p>
<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td>💡 <strong>Pro tip</strong>: <strong>When you open a file, it’s always a good idea to leave it in a better state than when you found it</strong>. One of the little improvements you could make is to add a few comments to places to help describe the code. You could always ask Copilot to generate the first draft of the comments, and you can add any additional details Copilot missed!</td></tr></tbody></table></figure>
<h2 class="wp-block-heading" id="the-benefit-of-using-custom-instructions-with-github-copilot-on-your-projects">The benefit of using custom instructions with GitHub Copilot on your projects</h2>
<p>To generate quality suggestions, Copilot benefits from having context around what you’re doing and how you’re doing it. Knowing the technology and frameworks you’re using, what coding standards to follow, and even some background on what you’re building helps Copilot raise the quality bar on its suggestions. This is where <a href="https://docs.github.com/en/copilot/customizing-copilot/adding-repository-custom-instructions-for-github-copilot">custom instructions</a> come into play.</p>
<p>Custom instructions help you provide all of this background information and set ground rules (things like what APIs you want to call, naming patterns you want followed, or even stylistic preferences). </p>
<p>To get started, you place everything that’s important into a file named <strong>copilot-instructions.md</strong> inside your <strong>.github</strong> folder. It’s a markdown file, so you can create sections like <strong>Project structure</strong>, <strong>Technologies</strong>, <strong>Coding standards</strong>, and any other notes you want Copilot to consider on every single chat request. You can also add any guidance on tasks where you see Copilot not always choosing the right path, like maybe using class-based React components instead of function-based components (all the cool kids are using function based-components).</p>
<p>Keep in mind that custom instructions are sent to Copilot on <strong>every single</strong> chat request. You want to keep your instructions limited to information that’s relevant to the entire project. Providing too many details can make it a bit harder for Copilot to determine what’s important.</p>
<p>In simpler terms, you can basically think about the one friend you have who maybe shares too much detail when they’re telling a story, and how it can make it tricky to focus on the main plot points. It’s the same thing with Copilot. Provide some project-level guidance and overviews, so it best understands the environment in which it’s working.</p>
<p>A good rule of thumb is to have sections that highlight the various aspects of your project. An outline for a monorepo with a client and server for a web app might look like this:</p>
<pre class="wp-block-code language-plaintext"><code># Tailspin Toys Crowd Funding
Website for crowd funding for games.
## Backend
The backend is written using:
- Flask for the API
- SQLAlchemy for the ORM
- SQLite for the database
## Frontend
The frontend is written using:
- Astro for routing
- Svelte for the components and interactivity
- Tailwind CSS for styling
## Code standards
- Use good variable names, avoiding abbreviations and single letter variables
- Use the casing standard for the language in question (camelCasing for TypeScript, snake_casing for Python, etc.)
- Use type hints in all languages which support them
## Project structure
- `client` contains the frontend code
- `docs` contains the documentation for the project
- `scripts` contains the scripts used to install services, start the app, and run tests
- `server` contains the backend code </code></pre>
<p>This is relatively abbreviated, but notice the structure. We’re telling Copilot about the project we have, its structure, the techs in use, and some guidance about how we want our code to be created. We don’t have anything specific to tasks, like maybe writing unit tests, because we have another way to tell Copilot that information!</p>
<h2 class="wp-block-heading" id="providing-specific-instructions-for-specific-tasks">Providing specific instructions for specific tasks</h2>
<p>Continuing our conversation about instruction files… (I’m Gen-X, so <a href="https://www.reddit.com/r/GenX/comments/108t56v/so_umm_theres_that/">I’m required to use the Gen-X ellipsis at least once</a>.)</p>
<p>VS Code and Codespaces also support <a href="https://code.visualstudio.com/docs/copilot/copilot-customization#_use-instructionsmd-files"><code>.instructions.md</code></a> files. These are just like the <code>copilot-instructions.md</code> file we spoke about previously, only they’re designed to be used for specific types of tasks and placed in <code>.github/instructions</code>.</p>
<p>Consider a project where you’re building out <a href="https://flask.palletsprojects.com/en/stable/blueprints/">Flask Blueprints</a> for the routes for an API. There might be requirements around how the file should be structured and how unit tests should be created. You can create a custom instructions file called <code>flask-endpoint.instructions.md</code>, place it in <code>.github/instructions</code>, then add it as context to the chat when you request Copilot to create a new endpoint. It might look something like:</p>
<pre class="wp-block-code language-plaintext"><code># Endpoint creation guidelines
## Endpoint notes
- Endpoints are created in Flask using blueprints
- Create a centralized function for accessing data
- All endpoints require tests
- Use the `unittest` module for testing
- All tests must pass
- A script is provided to run tests at `scripts/run-server-tests.sh`
## Project notes
- The Python virtual environment is located in the root of the project in a **venv** folder
- Register all blueprints in `server/app.py`
- Use the [test instructions](./python-tests.instructions.md) when creating tests
## Prototype files
- [Endpoint prototype](../../server/routes/games.py)
- [Tests prototype](../../server/tests/test_games.py)</code></pre>
<p>Notice how we’re providing specific information about how we want our endpoints created. You’ll also notice we’re even linking out to other files <strong>in the project</strong> using hyperlinks — both existing files for Copilot to use as representative examples, and other instructions files for more information.</p>
<p>Additionally, you can also apply instructions to file types based on a pattern. Let’s take the tests for example. If they were all located in <code>server/tests</code>, and started with <code>test_</code>, you could add metadata to the top to ensure Copilot always includes the instructions when working on a test file:</p>
<pre class="wp-block-code language-plaintext"><code>---
applyTo: server/tests/test_*.py
---</code></pre>
<p>This gives you a lot of flexibility in ensuring Copilot is able to access the right information at the right time. This can be done explicitly by adding in the instructions file, or implicitly by providing a pattern for Copilot to use when building certain files.</p>
<p>Just as before, these are artifacts in your repository. It can take some time to build a collection of instruction files, but that investment will pay off in the form of higher-quality code and, in turn, improved productivity.</p>
<h2 class="wp-block-heading" id="fully-reusable-prompts">Fully reusable prompts</h2>
<p>The VS Code team recently published a new, experimental feature called prompt files. Because they’re still in development I don’t want to dig too deep into them, but you can read more about <a href="https://code.visualstudio.com/docs/copilot/copilot-customization#_prompt-files-experimental">prompt files in the docs</a> and see how to utilize them as they are currently implemented. In a nutshell, they allow you to effectively create scripted prompts for Copilot. You can choose the Copilot modes they’re available in (ask, edit and agent), the tools to be called, and what questions to ask the developer. These can be created by the team for enhanced reuse and consistency.</p>
<h2 class="wp-block-heading" id="extending-github-copilots-capabilities-with-model-context-protocol-mcp">Extending GitHub Copilot’s capabilities with Model Context Protocol (MCP)</h2>
<p>In an ever changing software development landscape, we need to ensure the information we’re working with is accurate, relevant, and up to date. This is what MCP, or Model Context Protocol, is built for! Developed initially by Anthropic, MCP is an open source protocol that lets organizations expose their services or data to generative AI tools. </p>
<p>When you add an MCP server to your IDE, you allow Copilot to “phone a friend” to find information, or even perform tasks on your behalf. For example, the <a href="https://github.com/microsoft/playwright-mcp">Playwright MCP server</a> helps create <a href="https://playwright.dev/">Playwright</a> end-to-end tests, while the <a href="https://github.com/github/github-mcp-server">GitHub MCP server</a> provides access to GitHub services like repositories, issues, and pull requests.</p>
<p>Let’s say, for instance, that you added the Playwright MCP server to your IDE. When you ask Copilot to create a new test to validate functionality on your website, Copilot can consult an authoritative source, allowing it to generate the best code it can.</p>
<p>You can even create your own MCP servers! One question I commonly hear is about how you can allow Copilot to look through an internal codebase or suite of libraries. With a custom MCP server, you could provide a facade for Copilot to perform these types of queries, then utilize the information discovered to suggest code based on your internal environment.</p>
<p>MCP is large enough to have its own blog post, which my colleague Cassidy wrote, sharing <a href="https://github.blog/ai-and-ml/llms/what-the-heck-is-mcp-and-why-is-everyone-talking-about-it/">tips, tricks, and insights about MCP</a>.</p>
<h2 class="wp-block-heading" id="thinking-beyond-prompts">Thinking beyond prompts</h2>
<p>Let me be clear: prompt crafting is important. It’s one of the first skills any developer should learn when they begin using GitHub Copilot. </p>
<p>But writing a good prompt is only one piece Copilot considers when generating an answer. By using the best practices highlighted above — comments and good code, custom instructions, and MCP servers — you can help Copilot understand what you want it to do and how you want it to do it. To bring it back to my analogy, you can ensure Copilot knows when you want waffles instead of omelettes.</p>
<p>And on that note, I’m off to brunch.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Get started</strong> with <a href="https://github.com/features/copilot">GitHub Copilot ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/beyond-prompt-crafting-how-to-be-a-better-partner-for-your-ai-pair-programmer/">Beyond prompt crafting: How to be a better partner for your AI pair programmer</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89424</post-id> </item>
<item>
<title>Git security vulnerabilities announced</title>
<link>https://github.blog/open-source/git/git-security-vulnerabilities-announced-6/</link>
<dc:creator><![CDATA[Taylor Blau]]></dc:creator>
<pubDate>Tue, 08 Jul 2025 17:02:11 +0000</pubDate>
<category><![CDATA[Git]]></category>
<category><![CDATA[Open Source]]></category>
<category><![CDATA[security alert]]></category>
<guid isPermaLink="false">https://github.blog/?p=89409</guid>
<description><![CDATA[<p>Today, the Git project released new versions to address seven security vulnerabilities that affect all prior versions of Git.</p>
<p>The post <a href="https://github.blog/open-source/git/git-security-vulnerabilities-announced-6/">Git security vulnerabilities announced</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>Today, the Git project <a href="https://lore.kernel.org/git/xmqq5xg2wrd1.fsf@gitster.g/">released new versions</a> to address seven security vulnerabilities that affect all prior versions of Git.</p>
<h2 class="wp-block-heading" id="h-vulnerabilities-in-git">Vulnerabilities in Git</h2>
<h3 class="wp-block-heading" id="h-cve-2025-48384">CVE-2025-48384</h3>
<p>When reading a <a href="https://git-scm.com/book/en/v2/Customizing-Git-Git-Configuration">configuration</a> value, Git will strip any trailing carriage return (CR) and line feed (LF) characters. When writing a configuration value, however, Git does not quote trailing CR characters, causing them to be lost when they are read later on. When initializing a <a href="https://git-scm.com/docs/gitsubmodules">submodule</a> whose path contains a trailing CR character, the stripped path is used, causing the submodule to be checked out in the wrong place.</p>
<p>If a <a href="https://en.wikipedia.org/wiki/Symbolic_link">symlink</a> already exists between the stripped path and the submodule’s <a href="https://git-scm.com/docs/githooks">hooks</a> directory, an attacker can execute arbitrary code through the submodule’s <code>post-checkout</code> hook.</p>
<p>[<a href="https://github.com/git/git/compare/d2bc61fcabd6cfa582d286bed1ce20d5d7c58d52...05e9cd64ee23bbadcea6bcffd6660ed02b8eab89">source</a>]</p>
<h3 class="wp-block-heading" id="h-cve-2025-48385">CVE-2025-48385</h3>
<p>When cloning a repository, Git can optionally fetch a <a href="https://git-scm.com/docs/git-bundle">bundle</a>, allowing the server to offload a portion of the clone to a <a href="https://en.wikipedia.org/wiki/Content_delivery_network">CDN</a>. The Git client does not properly validate the advertised bundle(s), allowing the remote side to perform protocol injection. When a specially crafted bundle is advertised, the remote end can cause the client to write the bundle to an arbitrary location, which may lead to code execution similar to the previous CVE.</p>
<p>[<a href="https://github.com/git/git/compare/d61cfed2c23705fbeb9c0d08f59e75ee08738950...35cb1bb0b92c132249d932c05bbd860d410e12d4">source</a>]</p>
<h3 class="wp-block-heading" id="h-cve-2025-48386-windows-only">CVE-2025-48386 (Windows only)</h3>
<p>When cloning from an authenticated remote, Git uses a <a href="https://git-scm.com/docs/gitcredentials">credential helper</a> in order to authenticate the request. Git includes a handful of <a href="https://git-scm.com/doc/credential-helpers">credential helpers</a>, including <a href="https://github.com/git/git/tree/v2.43.7/contrib/credential/wincred">Wincred</a>, which uses the <a href="https://support.microsoft.com/en-us/windows/credential-manager-in-windows-1b5c916a-6a16-889f-8581-fc16e8165ac0">Windows Credential Manager</a> to store its credentials.</p>
<p>Wincred uses the contents of a static buffer as a unique key to store and retrieve credentials. However, it does not properly bounds check the remaining space in the buffer, leading to potential buffer overflows.</p>
<p>[<a href="https://github.com/git/git/compare/2d22f0cd07c308d7ff25bbf4ec8f1bb53b4bcda7...9de345cb273cc7faaeda279c7e07149d8a15a319">source</a>]</p>
<h1 class="wp-block-heading" id="h-vulnerabilities-in-git-gui-and-gitk">Vulnerabilities in Git GUI and Gitk</h1>
<p>This release resolves four new CVEs related to <a href="https://git-scm.com/docs/gitk">Gitk</a> and <a href="https://git-scm.com/docs/git-gui">Git GUI</a>. Both tools are <a href="https://en.wikipedia.org/wiki/Tcl">Tcl/Tk</a>-based graphical interfaces used to interact with Git repositories. Gitk is focused on showing a repository’s history, whereas Git GUI focuses on making changes to existing repositories.</p>
<h3 class="wp-block-heading" id="h-cve-2025-27613-gitk">CVE-2025-27613 (Gitk)</h3>
<p>When running Gitk in a specially crafted repository without additional command-line arguments, Gitk can write and truncate arbitrary writable files. The “Support per-file encoding” option must be enabled; however, the operation of “Show origin of this line” is affected regardless.</p>
<p>[<a href="https://github.com/git/git/compare/4e7e3b792e6973e09de6ddc191b86bbc245c53dd...67a128b91e25978a15f9f7e194d81b441d603652">source</a>]</p>
<h3 class="wp-block-heading" id="h-cve-2025-27614-gitk">CVE-2025-27614 (Gitk)</h3>
<p>If a user is tricked into running <code>gitk filename</code> (where <code>filename</code> has a particular structure), they may run arbitrary scripts supplied by the attacker, leading to arbitrary code execution.</p>
<p>[<a href="https://github.com/git/git/compare/664d4fa692cb8637a7c9297c94abf0de8593e585...8e3070aa5e331be45d4d03e3be41f84494fce129">source</a>]</p>
<h3 class="wp-block-heading" id="h-cve-2025-46334-git-gui-windows-only">CVE-2025-46334 (Git GUI, Windows only)</h3>
<p>If a malicious repository includes an executable <code>sh.exe</code>, or common <a href="https://git-scm.com/docs/gitattributes#_performing_text_diffs_of_binary_files">textconv</a> programs (for e.g.,  <code>astextplain</code>, <code>exif</code>, or <code>ps2ascii</code>), path lookup on Windows may locate these executables in the working tree. If a user running Git GUI in such a repository selects either the “Git Bash” or “Browse Files” from the menu, these programs may be invoked, leading to arbitrary code execution.</p>
<p>[<a href="https://github.com/git/git/compare/27fbab4898620183e608865beffd960139c04d58...a1ccd2512072cf52835050f4c97a4fba9f0ec8f9">source</a>]</p>
<h3 class="wp-block-heading" id="h-cve-2025-46335-git-gui">CVE-2025-46335 (Git GUI)</h3>
<p>When a user is tricked into editing a file in a specially named directory in an untrusted repository, Git GUI can create and overwrite arbitrary writable files, similar to CVE-2025-27613.</p>
<p>[<a href="https://github.com/git/git/compare/a7d1716fa648f6557ea9c91e0f04bae2e8738e6a...a437f5bc93330a70b42a230e52f3bd036ca1b1da">source</a>]</p>
<h2 class="wp-block-heading" id="h-upgrade-to-the-latest-git-version">Upgrade to the latest Git version</h2>
<p>The most effective way to protect against these vulnerabilities is to upgrade to Git 2.50.1, the newest release containing fixes for the aforementioned vulnerabilities. If you can’t upgrade immediately, you can reduce your risk by doing the following:</p>
<ul class="wp-block-list">
<li>Avoid running <code>git clone</code> with <code>--recurse-submodules</code> against untrusted repositories.</li>
<li>Disable auto-fetching bundle URIs by setting the <code>transfer.bundleURI</code> configuration value to “false.”</li>
<li>Avoid using the <code>wincred</code> credential helper on Windows.</li>
<li>Avoid running Gitk and Git GUI in untrusted repositories.</li>
</ul>
<p>In order to protect users against attacks related to these vulnerabilities, GitHub has taken proactive steps. Specifically, we have scheduled releases of <a href="https://github.com/apps/desktop">GitHub Desktop</a>. <a href="https://github.com/features/codespaces">GitHub Codespaces</a> and <a href="https://github.com/features/actions">GitHub Actions</a> will update their versions of Git shortly. GitHub itself, including <a href="https://github.com/enterprise">Enterprise Server</a>, is unaffected by these vulnerabilities.</p>
<hr class="wp-block-separator has-alpha-channel-opacity">
<p>CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386 were discovered by <a href="https://github.com/dgl">David Leadbeater</a>. <a href="https://github.com/jltobler">Justin Tobler</a> and <a href="https://github.com/pks-t">Patrick Steinhardt</a> provided fixes for CVEs 2025-48384 and 2025-48385 respectively. The fix for CVE-2025-48386 is joint work between <a href="https://github.com/ttaylorr">Taylor Blau</a> and <a href="https://github.com/peff">Jeff King<br><br></a>CVE-2025-46835 was found and fixed by <a href="https://github.com/j6t">Johannes Sixt</a>. <a href="https://github.com/mark987">Mark Levedahl</a> discovered and fixed CVE-2025-46334. <a href="https://github.com/avih">Avi Halachmi</a> discovered both CVE-2025-27613 and CVE-2025-27614, and fixed the latter. CVE-2025-27613 was fixed by Johannes Sixt.</p>
</body></html>
<p>The post <a href="https://github.blog/open-source/git/git-security-vulnerabilities-announced-6/">Git security vulnerabilities announced</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89409</post-id> </item>
<item>
<title>CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre</title>
<link>https://github.blog/security/vulnerability-research/cve-2025-53367-an-exploitable-out-of-bounds-write-in-djvulibre/</link>
<dc:creator><![CDATA[Kevin Backhouse]]></dc:creator>
<pubDate>Thu, 03 Jul 2025 20:52:20 +0000</pubDate>
<category><![CDATA[Security]]></category>
<category><![CDATA[Vulnerability research]]></category>
<category><![CDATA[CVE]]></category>
<category><![CDATA[GitHub Security Lab]]></category>
<category><![CDATA[linux]]></category>
<category><![CDATA[open source]]></category>
<guid isPermaLink="false">https://github.blog/?p=89368</guid>
<description><![CDATA[<p>DjVuLibre has a vulnerability that could enable an attacker to gain code execution on a Linux Desktop system when the user tries to open a crafted document.</p>
<p>The post <a href="https://github.blog/security/vulnerability-research/cve-2025-53367-an-exploitable-out-of-bounds-write-in-djvulibre/">CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p><a href="https://sourceforge.net/projects/djvu/">DjVuLibre</a> version 3.5.29 was released today. It fixes CVE-2025-53367 (GHSL-2025-055), an out-of-bounds (OOB) write in the <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.cpp#l570"><code>MMRDecoder::scanruns</code></a> method. The vulnerability could be exploited to gain code execution on a Linux Desktop system when the user tries to open a crafted document.</p>
<p>DjVu is a document file format that can be used for similar purposes to PDF. It is supported by <a href="https://gitlab.gnome.org/GNOME/evince">Evince</a> and <a href="https://gitlab.gnome.org/GNOME/papers">Papers</a>, the default document viewers on many Linux distributions. In fact, even when a DjVu file is given a filename with a .pdf extension, Evince/Papers will automatically detect that it is a DjVu document and run DjVuLibre to decode it.</p>
<p>Antonio found this vulnerability while researching the Evince document reader. He found the bug with fuzzing.</p>
<p>Kev has developed a proof of concept exploit for the vulnerability, as demoed in this video.</p>
<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe title="CVE-2025-53367: Exploitable OOB write in DjVuLibre" width="500" height="281" src="https://www.youtube.com/embed/32kROHYhYVM?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
</div></figure>
<p>The POC works on a fully up-to-date Ubuntu 25.04 (x86_64) with all the standard security protections enabled. To explain what’s happening in the video:</p>
<ol class="wp-block-list">
<li>Kev clicks on a malicious DjVu document in his <code>~/Downloads</code> directory.</li>
<li>The file is named <code>poc.pdf</code>, but it’s actually in DjVu format.</li>
<li>The default document viewer (<code>/usr/bin/papers</code>) loads the document, detects that it’s in DjVu format, and uses DjVuLibre to decode it.</li>
<li>The file exploits the OOB write vulnerability and triggers a call to <code>system("google-chrome https://www.youtube.com/…")</code>.</li>
<li>Rick Astley appears.</li>
</ol>
<p>Although the POC is able to bypass <a href="https://en.wikipedia.org/wiki/Address_space_layout_randomization">ASLR</a>, it’s somewhat unreliable: it’ll work 10 times in a row and then suddenly stop working for several minutes. But this is only a first version, and we believe it’s possible to create an exploit that’s significantly more reliable.</p>
<p>You may be wondering: why Astley, and not a calculator? That’s because <code>/usr/bin/papers</code> runs under an <a href="https://apparmor.net/">AppArmor</a> profile. The profile prohibits you from starting an arbitrary process but makes an exception for google-chrome. So it was easier to play a YouTube video than pop a calc. But the AppArmor profile is not particularly restrictive. For example, it lets you write arbitrary files to the user’s home directory, except for the really obvious one like <code>~/.bashrc</code>. So it wouldn’t prevent a determined attacker from gaining code execution.</p>
<h1 class="wp-block-heading" id="h-vulnerability-details">Vulnerability Details</h1>
<p>The <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.cpp#l570"><code>MMRDecoder::scanruns</code></a> method is affected by an OOB-write vulnerability, because it doesn’t check that the <code>xr</code> pointer stays within the bounds of the allocated buffer.</p>
<p>During the decoding process, run-length encoded data is written into two buffers: <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.h#l207"><code>lineruns</code></a> and <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.h#l209"><code>prevruns</code></a>:</p>
<pre class="wp-block-code"><code>//libdjvu/MMRDecoder.h
class DJVUAPI MMRDecoder : public GPEnabled
{
...
public:
unsigned short *lineruns;
...
unsigned short *prevruns;
...
}</code></pre>
<p>The variables named <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.cpp#l583"><code>pr</code></a> and <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/42029c33b2fb25bc1fa98c80b2be83a2fa23cce1/tree/libdjvu/MMRDecoder.cpp#l584"><code>xr</code></a> point to the current locations in those buffers. </p>
<p><code>scanruns</code> does not check that those pointers remain within the bounds of the allocated buffers.</p>
<pre class="wp-block-code"><code>//libdjvu/MMRDecoder.cpp
const unsigned short *
MMRDecoder::scanruns(const unsigned short **endptr)
{
...
// Swap run buffers
unsigned short *pr = lineruns;
unsigned short *xr = prevruns;
prevruns = pr;
lineruns = xr;
...
for(a0=0,rle=0,b1=*pr++;a0 < width;)
{
...
*xr = rle; xr++; rle = 0;
...
*xr = rle; xr++; rle = 0;
...
*xr = inc+rle-a0;
xr++;
}</code></pre>
<p>This can lead to writes beyond the allocated memory, resulting in a heap corruption condition. An out-of-bounds read with <code>pr</code> is also possible for the same reason.</p>
<p>We will publish the source code of our proof of concept exploit in a couple of weeks’ time in the <a href="https://github.com/github/securitylab">GitHub Security Lab repository</a>.</p>
<h1 class="wp-block-heading" id="h-acknowledgements">Acknowledgements</h1>
<p>We would like to thank Léon Bottou and Bill Riemers for responding incredibly quickly and releasing a fix less than two days after we first contacted them!</p>
<h1 class="wp-block-heading" id="h-timeline">Timeline</h1>
<ul class="wp-block-list">
<li>2025-07-01: Reported via email to the authors: Léon Bottou, Bill Riemers, Yann LeCun.</li>
<li>2025-07-01: Responses received from Bill Riemers and Léon Bottou.</li>
<li>2025-07-02: Fix commit added by Léon Bottou: <a href="https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/">https://sourceforge.net/p/djvu/djvulibre-git/ci/33f645196593d70bd5e37f55b63886c31c82c3da/</a></li>
<li>2025-07-03: DjVuLibre version 3.5.29 released: <a href="https://sourceforge.net/p/djvu/www-git/ci/9748b43794440aff40bae066132aa5c22e7fd6a3/">https://sourceforge.net/p/djvu/www-git/ci/9748b43794440aff40bae066132aa5c22e7fd6a3/</a> </li>
</ul>
</body></html>
<p>The post <a href="https://github.blog/security/vulnerability-research/cve-2025-53367-an-exploitable-out-of-bounds-write-in-djvulibre/">CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89368</post-id> </item>
<item>
<title>5 ways to transform your workflow using GitHub Copilot and MCP</title>
<link>https://github.blog/ai-and-ml/github-copilot/5-ways-to-transform-your-workflow-using-github-copilot-and-mcp/</link>
<dc:creator><![CDATA[Klint Finley]]></dc:creator>
<pubDate>Wed, 02 Jul 2025 17:44:02 +0000</pubDate>
<category><![CDATA[AI & ML]]></category>
<category><![CDATA[GitHub Copilot]]></category>
<category><![CDATA[agent mode]]></category>
<category><![CDATA[MCP]]></category>
<guid isPermaLink="false">https://github.blog/?p=89268</guid>
<description><![CDATA[<p>Learn how to streamline your development workflow with five different MCP use cases. </p>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/5-ways-to-transform-your-workflow-using-github-copilot-and-mcp/">5 ways to transform your workflow using GitHub Copilot and MCP</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>Traditional AI coding assistants typically operate in isolation, limited to the code in your current workspace. Now with the introduction of the Model Context Protocol (MCP), AI development workflows are further evolving to incorporate more tools and context. </p>
<p>MCP can enable AI assistants to interact with external systems like knowledge bases, data stores, and testing applications.</p>
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="light_dimmed" class="wp-block-group post-aside--large p-4 p-md-6 is-style-light-dimmed has-global-padding is-layout-constrained wp-block-group-is-layout-constrained is-style-light-dimmed--1" style="border-top-width:4px">
<h3 class="wp-block-heading h5-mktg gh-aside-title is-typography-preset-h5" id="h-what-is-mcp-anyway" style="margin-top:0">What is MCP, anyway?</h3>
<p>The Model Context Protocol (MCP) is an open standard developed by Anthropic that helps AI assistants like GitHub Copilot securely connect to external data sources and tools. MCP addresses a common challenge with Large Language Models (LLMs): providing the right context to generate accurate and useful responses. MCP standardizes how AI tools access external context—such as your codebase, documentation, or design specifications—and makes it easier to bring this context into your development workflow. For a deeper dive into MCP and why it’s gaining popularity, check out <a href="https://github.blog/ai-and-ml/llms/what-the-heck-is-mcp-and-why-is-everyone-talking-about-it/">Cassidy Williams’s article on the GitHub Blog</a>.</p>
</aside>
<p>The real value of MCP integration is that you can now perform tasks that previously required multiple tools, context switching, and manual effort—all directly in your IDE. That means you can save time, maintain focus, and ship code faster.</p>
<p>In this article, we’ll explore five practical ways MCP integrations with GitHub Copilot can streamline your workflow. We’ll follow a realistic scenario: implementing a secure JWT (JSON Web Token) authentication system for a web application, illustrating an end-to-end workflow with MCP.</p>
<p>Let’s jump in. </p>
<h2 class="wp-block-heading" id="1-using-mcp-to-bridge-design-and-development-with-figma">1. Using MCP to bridge design and development with Figma </h2>
<p>The gap between design and development has long been a source of friction in product teams. MCP provides a standardized way for GitHub Copilot to securely access and interpret design specifications directly. </p>
<p>Instead of manually translating design details into code, MCP enables Copilot to automatically retrieve exact design parameters—such as colors, spacing, typography, and component states—and generate accurate, ready-to-use code. This integration reduces guesswork and streamlines the handoff between designers and developers.</p>
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="light_dimmed" class="wp-block-group post-aside--large p-4 p-md-6 is-style-light-dimmed has-global-padding is-layout-constrained wp-block-group-is-layout-constrained is-style-light-dimmed--2" style="border-top-width:4px">
<h3 class="wp-block-heading h5-mktg gh-aside-title is-typography-preset-h5" id="h-explore-github-copilot-s-agentic-capabilities" style="margin-top:0">Explore GitHub Copilot’s agentic capabilities</h3>
<p>GitHub Copilot comes with two powerful agentic workflows that can be used with MCP:</p>
<ul class="wp-block-list">
<li><strong>Agent mode (in your IDE):</strong> Turn Copilot Chat into a real-time collaborator that works with you. Give it a goal (“add OAuth & tests”), and it plans, edits files, runs the suite, reads failures, fixes them, and loops until everything is green—all right in front of you, with the option to pause or steer at any step.</li>
<li><strong>Coding agent (in your GitHub projects)</strong>: Hand an Issue to Copilot and walk away. It spins up a protected workspace with GitHub Actions, writes code, runs linters/tests, and opens a pull request for you to review. Perfect for well-scoped tickets you’d give a junior dev (docs, tests, small refactors) while you stay focused elsewhere.<a href="https://github.blog/news-insights/product-news/github-copilot-meet-the-new-coding-agent/?utm_source=chatgpt.com"> </a></li>
</ul>
<p><strong>TL;DR: </strong>Think of Agent mode as a co-driver at your keyboard; the Coding agent is the valet that brings the finished work to your repo.</p>
<p><a href="https://github.blog/news-insights/product-news/from-pair-to-peer-programmer-our-vision-for-agentic-workflows-in-github-copilot/">Learn more ></a></p>
</aside>
<p>We’ll start developing our new JWT authentication system by taking a look at the user-facing side. Let’s say the design team updated the authentication UI components in Figma, including login forms, error states, loading spinners, and success messages. Now, you need to implement these changes to match the new design system.</p>
<p>Start by asking Copilot, “What are the latest design updates for the login form and authentication components?” It will then retrieve specs for the elements that need to change. Then you can prompt it to create React components for each element:</p>
<ul class="wp-block-list">
<li><code>LoginForm</code> with exact spacing, colors, typography</li>
<li><code>AuthErrorMessage</code> component with proper error styling</li>
<li><code>TokenRefreshNotification</code> component</li>
</ul>
<p>Copilot will then give you ready-to-use code that maintains consistency with the design specifications from Figma.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong><strong>Learn more </strong></strong>about <a href="https://help.figma.com/hc/en-us/articles/32132100833559-Guide-to-the-Dev-Mode-MCP-Server">Figma’s MCP server beta ></a></p>
</div>
<h2 class="wp-block-heading" id="2-tap-into-your-obsidian-knowledge-base-with-mcp">2. Tap into your Obsidian knowledge base with MCP</h2>
<p>When implementing complex features like JWT authentication, you often need to reference past decisions, architectural notes, and research findings scattered across your knowledge base. The unofficial, community-maintained Obsidian MCP server bridges this gap by connecting GitHub Copilot directly to your Obsidian vault.</p>
<p>Let’s say you’re implementing JWT token validation and need to understand your team’s previous security decisions. You tell Copilot: “Search for all files where JWT or token validation is mentioned and explain the context.”</p>
<p>With that, Copilot can:</p>
<ul class="wp-block-list">
<li>Search across all Markdown files in your vault for relevant security patterns</li>
<li>Retrieve contents from specific architecture decision records (ADR)</li>
<li>Access meeting notes from previous security reviews</li>
<li>Pull implementation guidelines from your team’s coding standards</li>
</ul>
<p>You might follow up with the following prompt: “Get the contents of the last architecture call note about authentication and summarize the key decisions.” Copilot will locate the relevant file and extract the critical information you need to inform your implementation approach.</p>
<p>Once you’ve gathered the necessary context, you can ask Copilot to synthesize this information: “Create a new note called ‘jwt-implementation-summary.md’ that combines our authentication standards with the new JWT approach.” Copilot will create this documentation directly in your vault, helping maintain your team’s knowledge base.</p>
<p><strong>Setup note</strong>: This integration requires the community “Obsidian Local REST API” plugin and an API key.</p>
<p>With your research complete and documented, you can proceed to test your application.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Learn more</strong> about <a href="https://github.com/MarkusPfundstein/mcp-obsidian">accessing Obsidian through MCP ></a></p>
</div>
<h2 class="wp-block-heading" id="3-test-your-code-with-playwright">3. Test your code with Playwright</h2>
<p>Integrating MCP with Playwright transforms test creation from a manual, error-prone process into a simple, guided experience.</p>
<p>Modern web applications often involve complex user journeys, asynchronous operations, and dynamic content. Authentication flows are particularly challenging to test comprehensively.</p>
<p>Continuing with our JWT authentication system, you need to test the complete authentication flow including login, token refresh, and secure route access. To do this, you’ll start by giving Copilot a prompt like this: “Test the JWT authentication flow including login, automatic token refresh, and access to protected routes.”</p>
<p>From there, Copilot will analyze your authentication implementation and generate comprehensive test coverage. But it doesn’t stop there. Copilot then runs the tests with Playwright and provides immediate feedback on failures, suggesting fixes for common issues, like timing problems or selector changes.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Learn more </strong>about the <a href="https://github.com/microsoft/playwright-mcp">Playwright MCP server ></a></p>
</div>
<h2 class="wp-block-heading" id="4-file-pull-requests-faster">4. File pull requests faster</h2>
<p>Pull requests are the cornerstone of collaborative development. GitHub’s remote MCP server, <a href="https://github.blog/changelog/2025-06-12-remote-github-mcp-server-is-now-available-in-public-preview/">now in public beta for VS Code or Visual Studio</a>, helps transform the process into an intelligent, automated workflow.</p>
<p>Turning back to our JWT authentication example, you can prompt Copilot: “Create a pull request for my authentication feature changes”</p>
<p>Copilot will then analyze:</p>
<ul class="wp-block-list">
<li>Code changes across multiple files  </li>
<li>Related issues and project context  </li>
<li>Team review patterns and expertise areas  </li>
<li>Previous similar implementations</li>
</ul>
<p>Copilot returns Markdown with an overview, changes made, a testing strategy, and even related issues.</p>
<p>It will then suggest appropriate reviewers for each aspect of the change based on code ownership, expertise mapping, and current workload.</p>
<p>Once your application is deployed, you can move on to monitoring it.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Get started</strong> with <a href="https://docs.github.com/en/copilot/tutorials/enhancing-copilot-agent-mode-with-mcp">GitHub’s MCP server ></a></p>
</div>
<h2 class="wp-block-heading" id="5-monitor-application-performance">5. Monitor application performance</h2>
<p>With the core authentication logic handled, now it’s time to ensure that our application performs well by monitoring how it behaves in production. Using MCP to connect to Grafana through the open-source Grafana MCP server makes this easier—though setup requires a few configuration steps.</p>
<p>Let’s say you need to analyze the JWT authentication system’s latency metrics and error rates. You tell Copilot: “Show me auth latency and error-rate panels for the auth-service dashboard for the last 6 hours.”</p>
<p>After configuring the Grafana MCP server with your API key and host URL, Copilot can then query your Grafana instance to:</p>
<ul class="wp-block-list">
<li>Examine authentication latency metrics and p95 response times</li>
<li>Analyze error rates for login endpoints over time</li>
<li>Review existing alert rules for authentication services</li>
<li>Identify patterns in failed authentication attempts</li>
</ul>
<p>Copilot returns panel data as base64-encoded images and can extract raw time-series data when needed. If you need a longer time range, you can specify: “Show me the same metrics for the last 24 hours” and Copilot will adjust the query parameters accordingly.</p>
<p>For more advanced monitoring workflows, you can enable write operations by launching the server with the <code>--enable-write</code> flag and an Editor-role API key. This allows Copilot to create new alert rules or modify dashboard configurations based on your authentication metrics analysis.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Learn more </strong>about the <a href="https://github.com/grafana/mcp-grafana">Grafana MCP server ></a></p>
</div>
<h2 class="wp-block-heading" id="whats-next">What’s next?</h2>
<p>Before diving into these powerful integrations, you’ll need to configure your development environment. Here’s how:</p>
<ol class="wp-block-list">
<li><strong>Install MCP extensions</strong>: Enable MCP support in your IDE through official extensions</li>
<li><strong>Configure API access</strong>: Set up authentication for each service (GitHub, Obsidian, Figma, etc.)</li>
<li><strong>Define context boundaries</strong>: Establish what information should be accessible to AI</li>
<li><strong>Security considerations</strong>: Implement proper access controls and data privacy measures</li>
</ol>
<p>A few best practices:</p>
<ul class="wp-block-list">
<li><strong>Start small</strong>: Begin with one integration and gradually expand your usage</li>
<li><strong>Maintain documentation</strong>: Keep your knowledge bases and documentation current for optimal AI assistance</li>
<li><strong>Regularly review Copilot’s outputs</strong>: Periodically audit AI-generated suggestions to ensure quality and security</li>
<li><strong>Build team alignment</strong>: Ensure your team understands and adopts consistent MCP usage patterns</li>
</ul>
<p>The five integration patterns we’ve explored represent just the beginning of what’s possible. As MCP’s ecosystem grows, new tools and integrations will continue to expand what’s possible.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Get started</strong> with our <a href="https://docs.github.com/en/copilot/tutorials/enhancing-copilot-agent-mode-with-mcp">remote MCP server ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/5-ways-to-transform-your-workflow-using-github-copilot-and-mcp/">5 ways to transform your workflow using GitHub Copilot and MCP</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89268</post-id> </item>
<item>
<title>From idea to PR: A guide to GitHub Copilot’s agentic workflows</title>
<link>https://github.blog/ai-and-ml/github-copilot/from-idea-to-pr-a-guide-to-github-copilots-agentic-workflows/</link>
<dc:creator><![CDATA[Chris Reddington]]></dc:creator>
<pubDate>Tue, 01 Jul 2025 18:57:22 +0000</pubDate>
<category><![CDATA[AI & ML]]></category>
<category><![CDATA[GitHub Copilot]]></category>
<category><![CDATA[agentic AI]]></category>
<category><![CDATA[generative AI]]></category>
<guid isPermaLink="false">https://github.blog/?p=89198</guid>
<description><![CDATA[<p>A practical guide to GitHub Copilot’s agentic coding agent, chat modes, and remote MCP server so you turn issues into tested PRs with clear steps (and no hype).</p>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/from-idea-to-pr-a-guide-to-github-copilots-agentic-workflows/">From idea to PR: A guide to GitHub Copilot’s agentic workflows</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>I got into software to ship ideas, not to chase down hard-coded strings after a late-breaking feature request. Unfortunately, many of our day-to-day tasks as developers involve branches working on boilerplate code, refactoring, and the “pre-work” to get to the fun stuff: shipping new features.</p>
<p>So I turned to Copilot’s agentic workflows to help speed along some of that grunt work. In my latest <strong>Rubber Duck Thursdays</strong> live stream, I put that theory to the test in a project where I wanted to localize an application that used:</p>
<ul class="wp-block-list">
<li><strong>Tech stack:</strong> a <strong>Next.js</strong> web app and a matching <strong>SwiftUI</strong> iOS app living in two separate GitHub repos.</li>
<li><strong>Environment:</strong> spun up rapidly in <strong>Codespaces</strong> (on-demand dev environment) and <strong>Xcode 16</strong> for the mobile portion.</li>
<li><strong>Task:</strong> an issue built from a couple of paragraphs to “Add English, French, and Spanish localization.”</li>
<li><strong>Copilot tools:</strong> <a href="https://docs.github.com/en/copilot/concepts/about-assigning-tasks-to-copilot"><strong>coding agent</strong></a> (to turn that issue into a PR), a <a href="https://code.visualstudio.com/docs/copilot/chat/chat-modes#_chat-mode-file-example">custom <strong>planning chat mode</strong></a><strong> </strong>(to try out the new preview capabilities in VS Code), and the new <strong>remote </strong><a href="https://github.com/github/github-mcp-server?tab=readme-ov-file#usage-with-vs-code"><strong>GitHub MCP server</strong></a> (so we can avoid managing those dependencies in our dev environment).</li>
</ul>
<p>By the end of my stream, that idea became a GitHub issue, which turned into a fully tested, review-ready PR while I fielded chat questions, and learned about the preview custom chat mode features in VS Code.</p>
<p>Let’s dive in.</p>
<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe loading="lazy" title="Rubber Duck Thursdays - Let's build" width="500" height="281" src="https://www.youtube.com/embed/UXAbtYbxD_w?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
</div></figure>
<h2 class="wp-block-heading" id="h-why-i-use-agentic-workflows">Why I use agentic workflows</h2>
<p>Even seasoned developers and teams still burn hours on jobs like:</p>
<ul class="wp-block-list">
<li>Turning vague requests into well-scoped issues</li>
<li>Hunting down every file in a cross-cutting refactor</li>
<li>Writing the same unit-test scaffolding again and again</li>
</ul>
<p>Copilot’s ability to create issues, along with its coding agent, custom chat modes in VS Code, and the new remote MCP backend fold those chores into one tight loop—issue to PR—while you stay firmly in the driver’s seat. You still review, tweak, and decide when to merge, but you skip the drudgery.</p>
<h2 class="wp-block-heading" id="h-key-capabilities-covered-in-this-livestream-nbsp">Key capabilities covered in this livestream </h2>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>Capability</strong></th><th><strong>What it does</strong></th><th><strong>Why it matters</strong></th><th><strong>How to enable and use it</strong></th></tr></thead><tbody><tr><td>Coding agent</td><td>Turns any GitHub Issue you assign to Copilot into a PR, and works on that task asynchronously.</td><td>Allows you to offload the boilerplate work while you focus on reviews and edge case logic.</td><td><a href="https://docs.github.com/en/copilot/how-tos/agents/copilot-coding-agent/enabling-copilot-coding-agent">Learn how to enable Copilot coding agent</a>. </td></tr><tr><td>Create issues with Copilot</td><td>Converts a natural-language prompt into a well-structured Issue with title, body, acceptance criteria, and file hints.</td><td>Saves PM/eng refining and sets team members, or Copilot coding agent, up with the context they need to work effectively.</td><td>Navigate to <a href="http://github.com/copilot">github.com/copilot</a> and write a prompt to create an issue. <a href="https://docs.github.com/en/copilot/how-tos/github-flow/using-github-copilot-to-create-issues">Learn more about using Copilot to create issues.</a></td></tr><tr><td>Custom chat modes (in preview in VS Code)</td><td>Lets you script repeatable AI workflows (e.g., <em>Planning</em>, <em>Refactor</em>, <em>Test-Writer</em>) that appear alongside the default <em>Ask</em> / <em>Edit</em> / <em>Agent</em> chat modes.</td><td>Allows you to package instructions and relevant tools for easier use, helping your team follow similar conventions.</td><td>Add a <code>.chatmode.md</code> file to your repo; available in preview in VS Code release 1.101. <a href="https://code.visualstudio.com/docs/copilot/chat/chat-modes#_custom-chat-modes">Learn more about custom chat modes in VS Code</a>.<br></td></tr><tr><td>Remote GitHub MCP Server</td><td>Allows AI tools to access live GitHub context and tools, like issues, pull requests and code files. With the remote GitHub MCP server, you don’t need to install it locally, and can even authenticate with OAuth 2.0.</td><td>Provides a smooth experience to accessing the GitHub MCP server, reducing the management overhead of a local server.</td><td>Update your MCP configuration with <a href="https://github.com/github/github-mcp-server?tab=readme-ov-file#usage-with-vs-code">the example shown in the remote GitHub MCP Server documentation</a>. </td></tr><tr><td>Copilot agent mode</td><td>Copilot agent mode is a real‑time collaborator that sits in your editor, works with you, and edits files based on your needs. Unlike the coding agent, Copilot agent mode works synchronously with you.</td><td>Think of agent mode as the senior dev pair programming with you. It has access to several tools (like reading/writing code, running commands in the terminal, executing tools on MCP servers), and works alongside you.</td><td>Copilot agent mode is available in several IDEs including <a href="https://code.visualstudio.com/docs/copilot/chat/chat-agent-mode">VS Code</a>, <a href="https://learn.microsoft.com/en-us/visualstudio/ide/copilot-agent-mode?view=vs-2022">Visual Studio</a>, <a href="https://plugins.jetbrains.com/plugin/17718-github-copilot">JetBrains</a> (public preview), <a href="https://marketplace.eclipse.org/content/github-copilot">Eclipse</a> (public preview) and <a href="https://github.com/github/copilotforXcode/">Xcode</a> (public preview).</td></tr></tbody></table></figure>
<h2 class="wp-block-heading" id="h-what-you-need-to-achieve-a-similar-outcome">What you need to achieve a similar outcome</h2>
<ol class="wp-block-list">
<li>A GitHub repo you can push to</li>
<li>A Copilot subscription with <strong>coding agent</strong> enabled. (Did you know it’s now available for all paid tiers of GitHub Copilot including <a href="https://github.blog/changelog/2025-06-24-github-copilot-coding-agent-is-now-available-for-copilot-business-users/">Copilot Business</a> and <a href="https://github.blog/changelog/2025-06-25-github-copilot-coding-agent-is-available-for-copilot-pro-users-in-public-preview/">Copilot Pro</a>?)</li>
<li>VS Code 1.101+ with the latest Copilot extension.</li>
<li>Either: <strong>GitHub Remote MCP server</strong> (update your MCP configuration), or a local GitHub MCP server.</li>
</ol>
<h2 class="wp-block-heading" id="h-walk-through-localizing-a-next-js-app">Walk-through: localizing a Next.js app</h2>
<p>Here’s the exact flow I demoed on the most recent <em>Rubber Duck Thursdays</em> stream.</p>
<h3 class="wp-block-heading" id="h-1-capture-the-request-as-a-github-issue">1. Capture the request as a GitHub Issue</h3>
<p>Go to the <a href="https://github.com/copilot">immersive view of Copilot Chat</a>. At the bottom of the page, in the “Ask Copilot” box, describe what you want. For example, below is the prompt that I used. </p>
<pre class="wp-block-code language-plaintext"><code>Create a GitHub Issue that brings i11n capability to the application. We must support English, French and Spanish.
The user must be able to change their language in their profile page. When they change the language, it must apply immediately across the site.
Please include an overview/problem statement in the issue, a set of acceptance criteria, and pointers on which files need updating/creating.</code></pre>
<p>Copilot drafts that into an issue, which includes a title, acceptance criteria, and a loose action plan. From there, you can assign that issue to Copilot, and let it cook in the background. </p>
<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe loading="lazy" title="Create an Issue with GitHub Copilot" width="500" height="281" src="https://www.youtube.com/embed/QtVr1SjLYzA?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
</div></figure>
<h3 class="wp-block-heading" id="h-2-let-the-coding-agent-turn-the-issue-into-a-pr">2. Let the coding agent turn the issue into a PR</h3>
<p>Shortly after assignment, the coding agent:</p>
<ol class="wp-block-list">
<li>Creates a branch</li>
<li>Starts a new session. If you <a href="https://docs.github.com/en/copilot/how-tos/agents/copilot-coding-agent/customizing-the-development-environment-for-copilot-coding-agent">have a copilot-setup-steps.yml configured</a>, then a development environment will be configured before Copilot gets to work.</li>
<li>Reviews the task at hand, explores the current state of the codebase, and forms a plan to complete the task.</li>
<li>If you have <a href="https://docs.github.com/en/copilot/how-tos/agents/copilot-coding-agent/best-practices-for-using-copilot-to-work-on-tasks#adding-custom-instructions-to-your-repository">any custom instructions configured</a>, then the coding agent will also use those as context. For example, we specify that npm run lint and npm run test should pass before committing.</li>
<li>Once complete, it opens a draft PR for your review.</li>
</ol>
<p>While that runs, you can keep coding, use it as an opportunity to learn (like we learned about custom chat modes) or grab a coffee.</p>
<h3 class="wp-block-heading" id="h-3-review-the-pr-like-you-normally-would">3. Review the PR like you normally would</h3>
<p>Whether it’s a colleague, collaborator, or Copilot writing the code, you still need a reviewer. So it’s important to make sure you look the code over carefully, just like you would any other pull request.</p>
<ol class="wp-block-list">
<li>Start by reviewing the body of the pull request, which Copilot will have helpfully kept up to date.</li>
<li>Then, review the code changes in the files changed tab, understanding what has changed and why. I also like to take a look at the coding agent session to understand the approach Copilot took to solving the problem.</li>
<li>Once you are comfortable, you may want to try the code out manually in a GitHub Codespace. Or, you may want to run any existing CI checks through your GitHub Actions workflows. But again, make sure you have carefully reviewed the code before executing it.</li>
<li>All being well, you will have green check marks being returned from your CI. </li>
</ol>
<p>However, there’s always a possibility that you encounter failures, or spot some changes in your manual testing. For example, I spotted some hard-coded strings that the agent hadn’t addressed. Once again, we approach this just like we would any other pull request. We can post our feedback in a comment. For example, here’s the comment I used:</p>
<p>That’s a great start. However, there are a lot of pages which are hardcoded in English still. For example, the flight search/bookings page, the check reservation page. Can you implement the localization on those pages, please?</p>
<p>Copilot will react to the comment once again, and get to work in another session. </p>
<h2 class="wp-block-heading" id="h-level-up-your-workflows-with-custom-chat-modes">Level up your workflows with custom chat modes</h2>
<p>If you’re using VS Code as your daily driver with GitHub Copilot, then you’re probably used to the <a href="https://github.blog/ai-and-ml/github-copilot/copilot-ask-edit-and-agent-modes-what-they-do-and-when-to-use-them/">ask, edit and agent chat modes</a>. But in the <a href="https://code.visualstudio.com/updates/v1_101">VS Code 1.101 release</a>, the team has added custom chat modes in preview. This allows you to package instructions and relevant tools for easier use. For example, I built upon <a href="https://code.visualstudio.com/docs/copilot/chat/chat-modes#_chat-mode-file-example">the VS Code team’s “Plan” chat mode example</a>:</p>
<ol class="wp-block-list">
<li>Open the command palette in Visual Studio Code</li>
<li>Type <strong>Configure Chat Modes</strong></li>
<li>Select <strong>Create new custom chat mode file</strong>.<strong> </strong>You’ll be asked to save it either in the workspace (to allow collaborating with others), or in the local user data folder (for your use). We opted for the workspace option.</li>
<li>Enter the name. This is the name that will appear in the chat mode selection box, so pay attention to any capitalization.</li>
<li>You should see a new file has been created with the extension <code>.chatmode.md</code>. This is where you can configure the instructions, and the available tools for your new custom chat mode.</li>
</ol>
<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe loading="lazy" title="GitHub Copilot Chat in VS Code" width="500" height="281" src="https://www.youtube.com/embed/v5Wqs7s5scg?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
</div></figure>
<p>Below is the example that we used in the livestream, slightly modified from the VS Code team’s docs example. We’ve added the create_issue tool to the list of allowed tools, adjusted our expectations of what’s included in the issue and added an instruction about creating the issue with the `create_issue` tool once revisions are complete and approved by the user.</p>
<pre class="wp-block-code language-plaintext"><code>---
description: Generate an implementation plan for new features or refactoring existing code.
tools: ['codebase', 'fetch', 'findTestFiles', 'githubRepo', 'search', 'usages', 'github', 'create_issue']
---
# Planning mode instructions
You are in planning mode. Your task is to generate an implementation plan for a new feature or for refactoring existing code.
Don't make any code edits, just generate a plan.
The plan consists of a Markdown document that describes the implementation plan, including the following sections:
* Overview: A brief description of the feature or refactoring task.
* Requirements: A list of requirements for the feature or refactoring task.
* Implementation Steps: A detailed list of steps to implement the feature or refactoring task.
* Testing: A list of tests that need to be implemented to verify the feature or refactoring task.
Once the plan is complete, ask the user if they would like to create a GitHub issue for this implementation plan. If they respond affirmatively, proceed to create the issue using the `create_issue` tool.</code></pre>
<p>When the file is available in your teammate’s local repositories (so they’ve pulled the changes locally), VS Code surfaces the mode in the chat dropdown, allowing you to configure chat modes that are consistent and convenient across your team.</p>
<h2 class="wp-block-heading" id="h-remote-mcp-removing-the-local-setup">Remote MCP: removing the local setup</h2>
<p>You may be used to running MCP locally through npm packages or as docker containers. However, remote MCP servers allow you to reduce the management overhead of running these tools locally. There may be other benefits too. For example, the remote GitHub MCP Servers allows you to authenticate using OAuth 2.0 instead of Personal Access Tokens.</p>
<p>To use the GitHub Remote MCP Server in VS Code, you’ll need to update the MCP configuration. You can find the instructions on how to do that <a href="https://github.com/github/github-mcp-server?tab=readme-ov-file#remote-github-mcp-server">in the GitHub MCP Server repository</a>.</p>
<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td>💡 <strong>Note:</strong> Did you know that <a href="https://github.com/github/github-mcp-server">the GitHub MCP Server is open source</a>? Take a look through the codebase or raise an issue. Who knows? Maybe you’ll even end up becoming a contributor!</td></tr></tbody></table></figure>
<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe loading="lazy" title="GitHub Remote MCP Server" width="500" height="281" src="https://www.youtube.com/embed/IZ0UICnVQwU?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
</div></figure>
<h2 class="wp-block-heading" id="h-going-mobile-copilot-agent-mode-in-xcode">Going mobile: Copilot agent mode in Xcode</h2>
<p>While we didn’t show it in depth, I quickly walked through one of my previous agent mode sessions in Xcode. It showed how I gave a similar prompt to Copilot, asking to add internationalization to the app, which we were able to see in the main navigation bar of the app running in the simulator.</p>
<pre class="wp-block-code language-plaintext"><code>We need to implement internationalization in the app. Please make the following changes:
1. The user can select from suported languages (English, Spanish, French) from a dropdown in their profile.
2. The main tab view should support internationalization. No other parts of the app should be changed for now.
3. When the user changes the language, it should update the rendered text instantly.</code></pre>
<h2 class="wp-block-heading" id="h-dos-and-don-ts">Dos and don’ts</h2>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>✅ Do</strong></th><th><strong>❌ Don’t</strong></th></tr></thead><tbody><tr><td>Keep issues tightly scoped</td><td>Ask the agent to “re-architect the app”</td></tr><tr><td>Provide acceptance criteria</td><td>Assume the agent knows your intent</td></tr><tr><td>Carefully review the changes made</td><td>Execute code or merge a PR without a review</td></tr><tr><td>Iterate with Copilot. How often do you get something right on the first shot?</td><td>Expect perfection first time</td></tr></tbody></table></figure>
<h2 class="wp-block-heading" id="h-try-it-yourself">Try it yourself</h2>
<ul class="wp-block-list">
<li><a href="https://docs.github.com/en/copilot/how-tos/agents/copilot-coding-agent/enabling-copilot-coding-agent">Enable Copilot coding agent</a> and assign work to Copilot in the background.</li>
<li><a href="https://code.visualstudio.com/docs/copilot/chat/chat-modes#_custom-chat-modes">Configure custom chat modes</a> in VS Code Release 1.101.</li>
<li><a href="https://github.com/github/github-mcp-server?tab=readme-ov-file#remote-github-mcp-server">Configure the Remote GitHub MCP server</a> to reduce local management efforts.</li>
<li>Use Copilot agent mode in <a href="https://code.visualstudio.com/docs/copilot/chat/chat-agent-mode">VS Code</a>, <a href="https://learn.microsoft.com/en-us/visualstudio/ide/copilot-agent-mode?view=vs-2022">Visual Studio</a>, <a href="https://plugins.jetbrains.com/plugin/17718-github-copilot">JetBrains</a> (public preview), <a href="https://marketplace.eclipse.org/content/github-copilot">Eclipse</a> (public preview) and <a href="https://github.com/github/copilotforXcode/">Xcode</a> (public preview).</li>
</ul>
<h2 class="wp-block-heading" id="h-next-steps">Next steps</h2>
<ul class="wp-block-list">
<li><a href="https://www.youtube.com/watch?v=UXAbtYbxD_w"><strong>Watch the full replay</strong> of the stream</a> for a step-by-step walkthrough.</li>
<li>Dive into the Copilot coding agent and MCP docs for more details.</li>
<li>Tell me what you automate first—let us know on social by tagging <code>@github</code> with what you’ve been working on!</li>
<li><a href="https://gh.io/rubberduckthursdays">Join us for the next episode of Rubber Duck Thursdays</a>.</li>
</ul>
<p>Agentic workflows within GitHub Copilot aren’t magic; they’re tools. When a single click can help reduce technical debt (or knock out any other repetitive task you dread), why not let Copilot handle the boilerplate while you tackle the more challenging, fun, and creative problems?</p>
</body></html>
<p>The post <a href="https://github.blog/ai-and-ml/github-copilot/from-idea-to-pr-a-guide-to-github-copilots-agentic-workflows/">From idea to PR: A guide to GitHub Copilot’s agentic workflows</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89198</post-id> </item>
<item>
<title>Understand your software’s supply chain with GitHub’s dependency graph</title>
<link>https://github.blog/security/supply-chain-security/understand-your-softwares-supply-chain-with-githubs-dependency-graph/</link>
<dc:creator><![CDATA[Andrea Griffiths]]></dc:creator>
<pubDate>Tue, 01 Jul 2025 16:00:00 +0000</pubDate>
<category><![CDATA[Security]]></category>
<category><![CDATA[Supply chain security]]></category>
<category><![CDATA[Dependabot]]></category>
<category><![CDATA[dependency graph]]></category>
<category><![CDATA[supply chain]]></category>
<guid isPermaLink="false">https://github.blog/?p=89188</guid>
<description><![CDATA[<p>The GitHub dependency graph maps every direct and transitive dependency in your project, so you can identify risks, prioritize fixes, and keep your code secure.</p>
<p>The post <a href="https://github.blog/security/supply-chain-security/understand-your-softwares-supply-chain-with-githubs-dependency-graph/">Understand your software’s supply chain with GitHub’s dependency graph</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>What if you could spot the weakest link in your software supply chain before it breaks?</p>
<p>With GitHub’s <a href="https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph">dependency graph</a>, you can. By providing a clear, complete view of the external packages your code depends on, both directly and indirectly, it allows you to understand, secure, and manage your project’s true footprint.</p>
<p>If you’re like me and sometimes lose track of what’s actually powering your applications (we’ve all been there!), GitHub’s dependency graph is about to become your new best friend. </p>
<h2 class="wp-block-heading" id="h-what-is-the-dependency-graph">What is the dependency graph?</h2>
<p>Here’s the thing: Every modern software project is basically an iceberg. That small manifest file with your direct dependencies seems quite harmless at first glance. But underneath? There’s this massive, hidden world of transitive dependencies that most of us never think about. The GitHub dependency graph maps this entire underwater world. Think of it like a family tree, but for your code. Each package is a family member, and each dependency relationship shows who’s related to whom (and trust me, some of these family trees get <em>really</em> complicated).</p>
<p>Each package is a node. Each dependency relationship is an edge. The result? A full visual and structured representation of your software’s external codebase.</p>
<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>In some cases, 95–97% of your code is actually someone else’s. The dependency graph helps you make sense of that reality.</p>
<cite>GitHub engineer <a href="https://github.com/ahpook">Eric Sorenson</a></cite></blockquote>
<p>Let that sink in for a moment. We’re basically curators of other people’s work, and the dependency graph finally helps us make sense of that reality.</p>
<h2 class="wp-block-heading" id="h-why-it-matters">Why it matters</h2>
<p>When vulnerabilities are discovered in open source packages, the consequences ripple downstream. If you don’t know a vulnerable dependency is part of your project, it’s hard to take action.</p>
<p>The dependency graph isn’t just a cool visualization (though it is pretty neat to look at). It’s the foundation that makes <a href="https://github.com/dependabot">Dependabot</a> alerts possible. When a security issue is found in any of your dependencies (even a transitive one), GitHub notifies you. You get the full picture of what’s in your supply chain, how it got there, and what you can actually do about it.</p>
<h2 class="wp-block-heading" id="h-see-it-in-action-from-21-to-1-000-dependencies">See it in action: From 21 to 1,000 dependencies</h2>
<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe loading="lazy" title="How 21 dependencies become 1,000: Understanding your software supply chain | GitHub Checkout" width="500" height="281" src="https://www.youtube.com/embed/gGQXIfLNmB0?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
</div></figure>
<p>Eric showed us a project that looked innocent enough:</p>
<ul class="wp-block-list">
<li><strong>21 direct dependencies</strong> (the ones actually listed in package.json)</li>
<li><strong>1,000 total dependencies</strong> (including everything that got pulled in along the way)</li>
</ul>
<p>With the dependency graph, you can finally:</p>
<ul class="wp-block-list">
<li><strong>Understand which dependencies are direct vs. transitive</strong></li>
<li><strong>Trace how a package like Log4j ended up in your codebase.</strong> (Spoiler: it probably came along for the ride with something else.)</li>
<li><strong>Know what’s yours to fix and what depends on an upstream maintainer</strong></li>
</ul>
<h2 class="wp-block-heading" id="h-tighten-your-supply-chain-with-dependabot">Tighten your supply chain with Dependabot</h2>
<p>Dependabot runs on top of the dependency graph—so enabling the graph is what makes Dependabot’s vulnerability alerts and automatic fix suggestions possible. </p>
<p>Pro tip: Filter for direct dependencies first. These are the ones you can actually control, so focus your energy there instead of pulling your hair out over transitive dependencies that are someone else’s responsibility.</p>
<h2 class="wp-block-heading" id="h-how-to-enable-the-dependency-graph">How to enable the dependency graph</h2>
<p>You can enable the dependency graph in your repository settings under <strong>Security > Dependency Graph</strong>. If you turn on <strong>Dependabot</strong>, the graph will be enabled automatically.</p>
<p>Using GitHub Actions? Community-maintained actions can generate a Software Bill of Materials (SBOM) and submit it to GitHub’s Dependency submission API, even if your language ecosystem doesn’t support auto-discovery.</p>
<p>✅ <strong>The best part?</strong> Dependency graph and Dependabot alerts are free for all repositories.</p>
<h2 class="wp-block-heading" id="h-tl-dr">TL;DR</h2>
<p>You can’t secure what you can’t see. GitHub’s dependency graph gives you visibility into the 90%+ of your codebase that comes from open source libraries and helps you take action when it counts.</p>
<ul class="wp-block-list">
<li><strong>Enable it today </strong>(seriously, do it now)</li>
<li><strong>Use it with Dependabot for automated alerts and fixes</strong></li>
<li><strong>Finally discover what’s actually in your software supply chain</strong></li>
</ul>
<p>Your future self (and your security team) will thank you.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p>Want to learn more about the GitHub dependency graph? <a href="https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph">Explore the documentation ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/security/supply-chain-security/understand-your-softwares-supply-chain-with-githubs-dependency-graph/">Understand your software’s supply chain with GitHub’s dependency graph</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89188</post-id> </item>
<item>
<title>GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them</title>
<link>https://github.blog/security/github-advisory-database-by-the-numbers-known-security-vulnerabilities-and-what-you-can-do-about-them/</link>
<dc:creator><![CDATA[Jonathan Evans]]></dc:creator>
<pubDate>Fri, 27 Jun 2025 16:00:00 +0000</pubDate>
<category><![CDATA[Security]]></category>
<category><![CDATA[CNA]]></category>
<category><![CDATA[Community Contribution]]></category>
<category><![CDATA[CVE]]></category>
<category><![CDATA[CVE Numbering Authority]]></category>
<category><![CDATA[CVSS]]></category>
<category><![CDATA[CWE]]></category>
<category><![CDATA[EPSS]]></category>
<category><![CDATA[GitHub Security Lab]]></category>
<category><![CDATA[open source security]]></category>
<guid isPermaLink="false">https://github.blog/?p=89136</guid>
<description><![CDATA[<p>Use these insights to automate software security (where possible) to keep your projects safe.</p>
<p>The post <a href="https://github.blog/security/github-advisory-database-by-the-numbers-known-security-vulnerabilities-and-what-you-can-do-about-them/">GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>The <a href="https://github.com/advisories">GitHub Advisory Database</a> (Advisory DB) is a vital resource for developers, providing a comprehensive list of known security vulnerabilities and malware affecting open source packages. This post analyzes trends in the Advisory DB, highlighting the growth in reviewed advisories, ecosystem coverage, and source contributions in 2024. We’ll delve into how GitHub provides actionable data to secure software projects.</p>
<h2 class="wp-block-heading" id="h-advisories">Advisories</h2>
<p>The GitHub Advisory Database contains a list of known security vulnerabilities and malware, grouped in three categories: </p>
<ul class="wp-block-list">
<li><strong>GitHub-reviewed advisories:</strong> Manually reviewed advisories in software packages that GitHub supports.</li>
<li><strong>Unreviewed advisories:</strong> These are automatically pulled from the National Vulnerability Database (NVD) and are either in the process of being reviewed, do not affect a supported package, or do not discuss a valid vulnerability.</li>
<li><strong>Malware advisories:</strong> These are specific to malware threats identified by the npm security team.</li>
</ul>
<h3 class="wp-block-heading" id="h-reviewed-advisories">Reviewed advisories</h3>
<p>GitHub-reviewed advisories are security vulnerabilities that have been mapped to packages in ecosystems we support. We carefully review each advisory for validity and ensure that they have a full description, and contain both ecosystem and package information.</p>
<p>Every year, GitHub increases the number of advisories we publish. We have been able to do this due to the increase in advisories coming from our sources (see Sources section below), expanding our ecosystem coverage (also described below), and review campaigns of advisories published before we started the database. </p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="633" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory1.png?resize=1024%2C633" alt="The bar graph shows the number of reviewed advisories added each year. The graph starts with 385 advisories added in 2019, shows an increase over time, and ends with 5256 advisories added in 2024." class="wp-image-89147" srcset="https://github.blog/wp-content/uploads/2025/06/advisory1.png?w=1200 1200w, https://github.blog/wp-content/uploads/2025/06/advisory1.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory1.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory1.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory1.png?w=512 512w, https://github.blog/wp-content/uploads/2025/06/advisory1.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<p>In the past five years, the database has gone from fewer than 400 reviewed advisories to over 20,000 reviewed advisories in October of 2024.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="601" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory2.png?resize=1024%2C601" alt="The line graph shows the total reviewed advisories steadily increasing from 0 in 2019 to 20607 at the end of 2024." class="wp-image-89148" srcset="https://github.blog/wp-content/uploads/2025/06/advisory2.png?w=1308 1308w, https://github.blog/wp-content/uploads/2025/06/advisory2.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory2.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory2.png?w=1024 1024w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<h3 class="wp-block-heading" id="unreviewed-advisories">Unreviewed advisories</h3>
<p>Unreviewed advisories are security vulnerabilities that we publish automatically into the GitHub Advisory Database directly from the National Vulnerability Database feed. The name is a bit of a misnomer as many of these advisories have actually been reviewed by a GitHub analyst. The reason why they fall into this category is because they are not found in a package in one of the supported ecosystems or are not discussing a valid vulnerability, and all have been reviewed by analysts other than someone from the GitHub Security Lab. Even though most of these advisories will never turn into a reviewed advisory, we still publish them so that you do not have to look in multiple databases at once.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="386" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory3.png?resize=1024%2C386" alt="The line graph shows the total number of advisories overtime. The graph shows a sudden jump in April 2022, when GitHub started publishing all vulnerabilities from the National Vulnerability Database feed. It then shows a gradual increase over time." class="wp-image-89149" srcset="https://github.blog/wp-content/uploads/2025/06/advisory3.png?w=1600 1600w, https://github.blog/wp-content/uploads/2025/06/advisory3.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory3.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory3.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory3.png?w=1536 1536w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<h3 class="wp-block-heading" id="malware">Malware</h3>
<p>Malware advisories relate to vulnerabilities caused by malware, and are security advisories that GitHub publishes automatically into the GitHub Advisory Database directly from information provided by the npm security team. Malware advisories are currently exclusive to the npm ecosystem. GitHub doesn’t edit or accept community contributions on these advisories.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="509" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory4.png?resize=1024%2C509" alt="The line graph shows the total malware advisories over time, from May 2022 to December 2024. The line shows a general upward trend in malware advisories over the period, ending at 13405 advisories." class="wp-image-89150" srcset="https://github.blog/wp-content/uploads/2025/06/advisory4.png?w=1494 1494w, https://github.blog/wp-content/uploads/2025/06/advisory4.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory4.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory4.png?w=1024 1024w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<h2 class="wp-block-heading" id="ecosystem-coverage">Ecosystem coverage</h2>
<p>GitHub-reviewed advisories include security vulnerabilities that have been mapped to packages in ecosystems we support. Generally, we name our supported ecosystems after the software programming language’s associated package registry. We review advisories if they are for a vulnerability in a package that comes from a supported registry.</p>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>Ecosystem</strong></th><th><strong>Total advisories</strong></th><th><strong>Vulnerable packages</strong></th><th><strong>First added</strong></th></tr></thead><tbody><tr><td>pip (registry: <a href="https://pypi.org/">https://pypi.org/</a>)</td><td>3378</td><td>1044</td><td>2019-04-19</td></tr><tr><td>Maven (registry: <a href="https://repo.maven.apache.org/maven2">https://repo.maven.apache.org/maven2</a>)</td><td>5171</td><td>955</td><td>2019-04-22</td></tr><tr><td>Composer (registry: <a href="https://packagist.org/">https://packagist.org/</a>)</td><td>4238</td><td>812</td><td>2019-04-26</td></tr><tr><td>npm (registry: <a href="https://www.npmjs.com/">https://www.npmjs.com/</a>)</td><td>3653</td><td>2652</td><td>2019-04-26</td></tr><tr><td>RubyGems (registry: <a href="https://rubygems.org/">https://rubygems.org/</a>)</td><td>840</td><td>371</td><td>2019-04-26</td></tr><tr><td>NuGet (registry: <a href="https://www.nuget.org/">https://www.nuget.org/</a>)</td><td>651</td><td>489</td><td>2019-04-26</td></tr><tr><td>Go (registry: <a href="https://pkg.go.dev/">https://pkg.go.dev/</a>)</td><td>2011</td><td>865</td><td>2021-04-01</td></tr><tr><td>Rust (registry: <a href="https://crates.io/">https://crates.io/</a>)</td><td>857</td><td>553</td><td>2021-05-25</td></tr><tr><td>Erlang (registry: <a href="https://hex.pm/">https://hex.pm/</a>)</td><td>31</td><td>26</td><td>2022-01-27</td></tr><tr><td>GitHub Actions (<a href="https://github.com/marketplace?type=actions/">https://github.com/marketplace?type=actions/</a>)</td><td>21</td><td>21</td><td>2022-07-29</td></tr><tr><td>Pub (registry: <a href="https://pub.dev/packages/registry">https://pub.dev/packages/registry</a>)</td><td>10</td><td>9</td><td>2022-08-04</td></tr><tr><td>Swift (registry: N/A)</td><td>33</td><td>21</td><td>2023-05-10</td></tr></tbody></table></figure>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="633" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory5.png?resize=1024%2C633" alt="The pie chart shows the proportion of advisories across different software ecosystems. Maven, Composer, npm, Pip, and Go are the largest ecosystems." class="wp-image-89151" srcset="https://github.blog/wp-content/uploads/2025/06/advisory5.png?w=1200 1200w, https://github.blog/wp-content/uploads/2025/06/advisory5.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory5.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory5.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory5.png?w=512 512w, https://github.blog/wp-content/uploads/2025/06/advisory5.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<p>Vulnerabilities in Maven and Composer packages are nearly half of the advisories in the database. npm, pip, and Go make up much of the rest, while the other ecosystems have a much smaller footprint.</p>
<p>This has not always been the case. When the database was initially launched, NPM advisories dominated the database, but as we have expanded our coverage and added support for new ecosystems, the distribution mix has changed.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="539" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory7.png?resize=1024%2C539" alt="The stacked area line graph shows the percentage distribution of various ecosystems from 2019 to 2024. The graph starts with half the advisories being for NPM but over time, other ecosystems like Maven and Composer become more prominent." class="wp-image-89152" srcset="https://github.blog/wp-content/uploads/2025/06/advisory7.png?w=1600 1600w, https://github.blog/wp-content/uploads/2025/06/advisory7.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory7.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory7.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory7.png?w=1536 1536w, https://github.blog/wp-content/uploads/2025/06/advisory7.png?w=400 400w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<h2 class="wp-block-heading" id="sources-where-do-the-advisories-come-from">Sources: Where do the advisories come from?</h2>
<p>We add advisories to the GitHub Advisory Database from the following sources:</p>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>Source</strong></th><th><strong>Advisories</strong></th><th><strong>Reviewed advisories</strong></th><th><strong>Sole source</strong></th><th><strong>Coverage</strong></th></tr></thead><tbody><tr><td><a href="https://nvd.nist.gov/">NVD</a></td><td>267429</td><td>18295</td><td>7450</td><td>6.84%</td></tr><tr><td><a href="https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories">GitHub Repository Advisories</a></td><td>12247</td><td>5311</td><td>564</td><td>43.37%</td></tr><tr><td><a href="https://github.com/github/advisory-database/pulls">Community Contributions</a></td><td>4512</td><td>4160</td><td>10</td><td>92.20%</td></tr><tr><td><a href="https://github.com/pypa/advisory-database">PyPA Advisories</a></td><td>3040</td><td>2739</td><td>14</td><td>90.10%</td></tr><tr><td><a href="https://pkg.go.dev/vuln/">Go Vulncheck</a></td><td>1581</td><td>1528</td><td>7</td><td>96.65%</td></tr><tr><td><a href="https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm">NPM Advisories</a></td><td>1411</td><td>1408</td><td>629</td><td>99.79%</td></tr><tr><td><a href="https://github.com/FriendsOfPHP/security-advisories">FriendsOfPHP</a></td><td>1406</td><td>1396</td><td>400</td><td>99.29%</td></tr><tr><td><a href="https://rustsec.org/">RustSec</a></td><td>943</td><td>849</td><td>171</td><td>90.03%</td></tr><tr><td><a href="https://rubysec.com/">RubySec</a></td><td>873</td><td>861</td><td>4</td><td>98.63%</td></tr></tbody></table></figure>
<ul class="wp-block-list">
<li><strong>NVD:</strong> This is a huge source of vulnerabilities covering all types of software. We publish all NVD advisories but only review those relevant to our supported ecosystems, which reduces noise for our users.</li>
<li><strong>GitHub Repository Advisories:</strong> The second largest source is made up of advisories published through GitHub’s repository security advisory feature. Similar to NVD, these aren’t restricted to our supported ecosystems. However, we provide better coverage of the repository advisories because they focus exclusively on open source software.</li>
<li><strong>Community Contributions:</strong> These are reports from the community that are almost exclusively requesting updates to existing advisories.</li>
<li><strong>Other Specialized Sources:</strong> Sources like PyPA Advisories (for Python) and Go Vulncheck (for Go) that focus on specific ecosystems. Because they only cover packages within our supported ecosystems, most of their advisories are relevant to us and get reviewed.</li>
</ul>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="633" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory8.png?resize=1024%2C633" alt="The pie graph shows the proportion of advisories by the number of sources they have. This shows that 46% of the advisories have only one source and 85% have three or fewer." class="wp-image-89153" srcset="https://github.blog/wp-content/uploads/2025/06/advisory8.png?w=1200 1200w, https://github.blog/wp-content/uploads/2025/06/advisory8.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory8.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory8.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory8.png?w=512 512w, https://github.blog/wp-content/uploads/2025/06/advisory8.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<p>If you add up the number of reviewed advisories from each source, you will find that total is more than the total reviewed advisories. This is because each source can publish an advisory for the same vulnerability. In fact, over half of our advisories have more than one source.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="633" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory9.png?resize=1024%2C633" alt="The pie graph shows the proportion of advisories that have a single source by the source they came from. The graph shows that 80% of all single sourced advisories come from the National Vulnerability Database." class="wp-image-89154" srcset="https://github.blog/wp-content/uploads/2025/06/advisory9.png?w=1200 1200w, https://github.blog/wp-content/uploads/2025/06/advisory9.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory9.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory9.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory9.png?w=512 512w, https://github.blog/wp-content/uploads/2025/06/advisory9.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<p>Of the advisories with a single source, nearly all of them come from NVD/CVE. This justifies NVD/CVE as a source, even though it is by far the noisiest.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="633" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory10.png?resize=1024%2C633" alt="The line graph shows the number of advisories imported over time. The graph shows an increase in imports over time." class="wp-image-89155" srcset="https://github.blog/wp-content/uploads/2025/06/advisory10.png?w=1200 1200w, https://github.blog/wp-content/uploads/2025/06/advisory10.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory10.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory10.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory10.png?w=512 512w, https://github.blog/wp-content/uploads/2025/06/advisory10.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<p>2024 saw a significant increase (39%) in the number of advisories imported from our sources. This is for the most part caused by an increase in the number of CVE records published.</p>
<h2 class="wp-block-heading" id="cve-numbering-authority">CVE Numbering Authority</h2>
<p>In addition to publishing advisories in the GitHub Advisory Database, we are also a <a href="https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#cve-identification-numbers">CVE Numbering Authority (CNA)</a> for any repository on GitHub. This means that we issue CVE IDs for vulnerabilities reported to us by maintainers, and we publish the vulnerabilities to the CVE database once the corresponding repository advisory is published.</p>
<p>GitHub published over 2,000 CVE records in 2024, making us the fifth-largest CNA in the CVE Program.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="633" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory11.png?resize=1024%2C633" alt="The bar graph shows the number of CVE records published by the Advisory Database CNA over time. Every year shows an increase in the number published." class="wp-image-89156" srcset="https://github.blog/wp-content/uploads/2025/06/advisory11.png?w=1200 1200w, https://github.blog/wp-content/uploads/2025/06/advisory11.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory11.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory11.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory11.png?w=512 512w, https://github.blog/wp-content/uploads/2025/06/advisory11.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<p>The GitHub CNA is open to <strong>all repositories</strong> on GitHub, not just ones in a supported ecosystem.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="585" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory12.png?resize=1024%2C585" alt="The pie graph shows the proportion of CVEs assigned by the Advisory Database that in a supported ecosystem. 58% are in a supported ecosystem and 42% are not." class="wp-image-89157" srcset="https://github.blog/wp-content/uploads/2025/06/advisory12.png?w=1298 1298w, https://github.blog/wp-content/uploads/2025/06/advisory12.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory12.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory12.png?w=1024 1024w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<h2 class="wp-block-heading" id="advisory-prioritization">Advisory prioritization</h2>
<p>Given the constant deluge of reported vulnerabilities, you’ll want tools that can help you prioritize your remediation efforts. To that end, GitHub provides additional data in the advisory to allow readers to prioritize their vulnerabilities. In particular, there are:</p>
<ul class="wp-block-list">
<li><strong>Severity Rating/CVSS:</strong> A low to critical rating for how severe the vulnerability is likely to be, along with a corresponding CVSS score and vector.</li>
<li><strong>CWE:</strong> CWE identifiers provide a programmatic method for determining the type of vulnerability.</li>
<li><strong>EPSS:</strong> The Exploit Prediction Scoring System, or EPSS, is a system devised by the global Forum of Incident Response and Security Teams (FIRST) for quantifying the likelihood a vulnerability will be attacked in the next 30 days.</li>
</ul>
<p>GitHub adds a severity rating to every advisory. The severity level is one of four possible levels defined in the <a href="https://www.first.org/cvss/specification-document">Common Vulnerability Scoring System (CVSS), Section 5</a>.</p>
<ul class="wp-block-list">
<li>Low</li>
<li>Medium/Moderate</li>
<li>High</li>
<li>Critical</li>
</ul>
<p>Using these ratings, half of all vulnerabilities (15% are Critical and 35% are High) warrant immediate or near-term attention. By focusing remediation efforts on these, you can significantly reduce risk exposure while managing workload more efficiently.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="633" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory13.png?resize=1024%2C633" alt="The stacked area line graph shows the severity rating ration by year of advisory publication. The graph shows that critical vulnerabilities were more common (20 - 25 percent) early on and moderates becoming more common over the years." class="wp-image-89158" srcset="https://github.blog/wp-content/uploads/2025/06/advisory13.png?w=1200 1200w, https://github.blog/wp-content/uploads/2025/06/advisory13.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory13.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory13.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory13.png?w=512 512w, https://github.blog/wp-content/uploads/2025/06/advisory13.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<p>The CVSS specification says the base score we provide, “reflects the severity of a vulnerability according to its intrinsic characteristics which are constant over time and assumes the reasonable worst-case impact across different deployed environments.” However, the worst-case scenario for your deployment may not be the same as CVSS’s. After all, a crash in a word processor is not as severe as a crash in a server. In order to give more context to your prioritization, GitHub allows you to filter alerts based on the type of vulnerability or weakness using CWE identifiers. So you have the capability to never see another regular expression denial of service (<a href="https://cwe.mitre.org/data/definitions/1333.html">CWE-1333</a>) vulnerability again or always see SQL injection (<a href="https://cwe.mitre.org/data/definitions/89.html">CWE-89</a>) vulnerabilities.</p>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>Rank</strong></th><th><strong>CWE ID</strong></th><th><strong>CWE name</strong></th><th><strong>Number of advisories in 2024</strong></th><th><strong>Change in rank from 2023</strong></th></tr></thead><tbody><tr><td>1</td><td><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79</a></td><td>Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)</td><td>936</td><td>+0</td></tr><tr><td>2</td><td><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200</a></td><td>Exposure of Sensitive Information to an Unauthorized Actor</td><td>320</td><td>+0</td></tr><tr><td>3</td><td><a href="https://cwe.mitre.org/data/definitions/22.html">CWE-22</a></td><td>Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)</td><td>259</td><td>+2</td></tr><tr><td>4</td><td><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20</a></td><td>Improper Input Validation</td><td>202</td><td>+0</td></tr><tr><td>5</td><td><a href="https://cwe.mitre.org/data/definitions/94.html">CWE-94</a></td><td>Improper Control of Generation of Code (‘Code Injection’)</td><td>188</td><td>+2</td></tr><tr><td>6</td><td><a href="https://cwe.mitre.org/data/definitions/89.html">CWE-89</a></td><td>Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)</td><td>181</td><td>+3</td></tr><tr><td>7</td><td><a href="https://cwe.mitre.org/data/definitions/352.html">CWE-352</a></td><td>Cross-Site Request Forgery (CSRF)</td><td>161</td><td>-4</td></tr><tr><td>8</td><td><a href="https://cwe.mitre.org/data/definitions/284.html">CWE-284</a></td><td>Improper Access Control</td><td>153</td><td>+4</td></tr><tr><td>9</td><td><a href="https://cwe.mitre.org/data/definitions/400.html">CWE-400</a></td><td>Uncontrolled Resource Consumption</td><td>149</td><td>-3</td></tr><tr><td>10</td><td><a href="https://cwe.mitre.org/data/definitions/287.html">CWE-287</a></td><td>Improper Authentication</td><td>124</td><td>+11</td></tr></tbody></table></figure>
<p>Still drowning in vulnerabilities? Try using EPSS to focus on vulnerabilities likely to be attacked in the next 30 days. EPSS uses data from a <a href="https://www.first.org/epss/partners">variety of sources</a> to create a probability of whether exploitation attempts will be seen in the next 30 days for a given vulnerability. As you can see from the chart below, if you focus on vulnerabilities with EPSS scores of 10% or higher (approx. 7% of all vulnerabilities in the Advisory DB), you can cover nearly all of the vulnerabilities that are likely to see exploit activity.</p>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="633" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory14.png?resize=1024%2C633" alt="The bar graph shows the number of advisories by EPSS probability. Most of the advisories are in the Low or Very Low probability." class="wp-image-89159" srcset="https://github.blog/wp-content/uploads/2025/06/advisory14.png?w=1200 1200w, https://github.blog/wp-content/uploads/2025/06/advisory14.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory14.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory14.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory14.png?w=512 512w, https://github.blog/wp-content/uploads/2025/06/advisory14.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>EPSS probability</strong></th><th><strong>Vulnerabilities in range</strong></th><th><strong>Percentage of overall vulnerabilities</strong></th><th><strong>Expected vulnerabilities in range attacked within the next 30 days</strong></th><th><strong>Percentage of total attacked vulnerabilities</strong></th></tr></thead><tbody><tr><td>High ( >= 10%)</td><td>1440</td><td>7.17%</td><td>741</td><td>85.96%</td></tr><tr><td>Moderate ( >= 1%, < 10%)</td><td>2687</td><td>13.37%</td><td>84</td><td>9.74%</td></tr><tr><td>Low ( >= 0.1%, < 1%)</td><td>10264</td><td>51.09%</td><td>35</td><td>4.06%</td></tr><tr><td>Very Low ( < 0.1%)</td><td>5701</td><td>28.37%</td><td>2</td><td>0.23%</td></tr></tbody></table></figure>
<p>Important caveats to remember when using EPSS:</p>
<ul class="wp-block-list">
<li>Low probability events occur.</li>
<li>EPSS does not tell you whether a vulnerability is exploited; it only claims how likely it is.</li>
<li>EPSS scores are updated daily and will change as new information comes in, so a low-probability vulnerability today may become high probability tomorrow.</li>
</ul>
<p>For more details on how to use CVSS and EPSS for prioritization, see our <a href="https://github.blog/security/application-security/cutting-through-the-noise-how-to-prioritize-dependabot-alerts/">blog</a> on prioritizing Dependabot alerts.</p>
<h2 class="wp-block-heading" id="actionable-data">Actionable data</h2>
<p>The GitHub Advisory DB isn’t just a repository of vulnerabilities. It powers tools that help developers secure their projects. Services like Dependabot use the Advisory DB to:</p>
<ul class="wp-block-list">
<li><strong>Identify vulnerabilities:</strong> It checks if your projects use any software packages with known vulnerabilities.</li>
<li><strong>Suggest fixes:</strong> It recommends updated versions of packages that fix those vulnerabilities when available.</li>
<li><strong>Reduce noise:</strong> You’ll only get notified about vulnerabilities that affect the version of the package you are using.</li>
</ul>
<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" height="632" width="1024" src="https://github.blog/wp-content/uploads/2025/06/advisory15.png?resize=1024%2C632" alt="The bar graph shows the number of advisories published with a patch each year next to the number of advisories without a patch. For every year, nearly all of the advisories have a patch." class="wp-image-89160" srcset="https://github.blog/wp-content/uploads/2025/06/advisory15.png?w=1600 1600w, https://github.blog/wp-content/uploads/2025/06/advisory15.png?w=300 300w, https://github.blog/wp-content/uploads/2025/06/advisory15.png?w=768 768w, https://github.blog/wp-content/uploads/2025/06/advisory15.png?w=1024 1024w, https://github.blog/wp-content/uploads/2025/06/advisory15.png?w=1536 1536w, https://github.blog/wp-content/uploads/2025/06/advisory15.png?w=1416 1416w, https://github.blog/wp-content/uploads/2025/06/advisory15.png?w=288 288w" sizes="auto, (max-width: 1000px) 100vw, 1000px" /></figure>
<h2 class="wp-block-heading" id="take-this-with-you">Take this with you</h2>
<p>The GitHub Advisory Database is a powerful resource for tracking open source software vulnerabilities, with over 22,000 reviewed advisories to date. By focusing on popular package registries, GitHub allows you to definitively connect vulnerabilities to the packages you are using. Additional data such as CVSS and EPSS scores help you properly prioritize your mitigation efforts.</p>
<p>GitHub’s role as a CVE Numbering Authority extends beyond the Advisory Database, ensuring that thousands of vulnerabilities each year reach the broader CVE community. Want to ensure your vulnerability fix reaches your users? <a href="https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory">Create a GitHub security advisory</a> in your repository to take advantage of both the GitHub Advisory Database and GitHub’s CNA services.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Want to dive deeper?</strong> Explore <a href="https://github.blog/security/">security blog posts ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/security/github-advisory-database-by-the-numbers-known-security-vulnerabilities-and-what-you-can-do-about-them/">GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89136</post-id> </item>
<item>
<title>From pair to peer programmer: Our vision for agentic workflows in GitHub Copilot</title>
<link>https://github.blog/news-insights/product-news/from-pair-to-peer-programmer-our-vision-for-agentic-workflows-in-github-copilot/</link>
<dc:creator><![CDATA[Tim Rogers]]></dc:creator>
<pubDate>Wed, 25 Jun 2025 16:00:00 +0000</pubDate>
<category><![CDATA[News & insights]]></category>
<category><![CDATA[Product]]></category>
<category><![CDATA[agentic AI]]></category>
<category><![CDATA[generative AI]]></category>
<category><![CDATA[GitHub Copilot]]></category>
<guid isPermaLink="false">https://github.blog/?p=88977</guid>
<description><![CDATA[<p>AI agents in GitHub Copilot don’t just assist developers but actively solve problems through multi-step reasoning and execution. Here’s what that means.</p>
<p>The post <a href="https://github.blog/news-insights/product-news/from-pair-to-peer-programmer-our-vision-for-agentic-workflows-in-github-copilot/">From pair to peer programmer: Our vision for agentic workflows in GitHub Copilot</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><p>Software development has always been a deeply human, collaborative process. When we introduced <a href="https://github.com/features/copilot">GitHub Copilot</a> in 2021 as an “<a href="https://github.blog/news-insights/product-news/introducing-github-copilot-ai-pair-programmer/">AI pair programmer</a>,” it was designed to help developers stay in the flow, reduce boilerplate work, and accelerate coding.</p>
<p>But what if Copilot could be more than just an assistant? What if it could actively collaborate with you—working alongside you on synchronous tasks, tackling issues independently, and even reviewing your code?</p>
<p>That’s the future we’re building.</p>
<h2 class="wp-block-heading" id="h-our-vision-for-what-s-next-nbsp">Our vision for what’s next </h2>
<p>Today, AI agents in GitHub Copilot don’t just assist developers but actively solve problems through multi-step reasoning and execution. These agents are capable of:</p>
<ul class="wp-block-list">
<li><strong>Independent problem solving:</strong> Copilot will break down complex tasks and take the necessary steps to solve them, providing updates along the way.</li>
<li><strong>Adaptive collaboration:</strong> Whether working in sync with you or independently in the background, Copilot will iterate on its own outputs to drive progress.</li>
<li><strong>Proactive code quality:</strong> Copilot will proactively assist with tasks like issue resolution, testing, and code reviews, ensuring higher-quality, maintainable code.</li>
</ul>
<p>Rather than fitting neatly into synchronous or asynchronous categories, the future of Copilot lies in its ability to flexibly transition between modes—executing tasks independently while keeping you informed and in control. This evolution will allow you to focus on higher-level decision-making while Copilot takes on more of the execution.</p>
<p>Let’s explore what’s already here—and what’s coming next.</p>
<aside data-color-mode="light" data-dark-theme="dark" data-light-theme="light_dimmed" class="wp-block-group post-aside--large p-4 p-md-6 is-style-light-dimmed has-global-padding is-layout-constrained wp-block-group-is-layout-constrained is-style-light-dimmed--3" style="border-top-width:4px">
<h3 class="wp-block-heading h5-mktg gh-aside-title is-typography-preset-h5" id="h-why-independent-agents-and-why-now" style="margin-top:0">Why independent agents—and why now?</h3>
<p>Modern development isn’t linear. We context switch between features, bug fixes, dependency bumps, and reviews every day. A truly useful AI must:</p>
<ol class="wp-block-list">
<li><strong>Act independently</strong>: plan multi‑step tasks and execute them without hand holding.</li>
<li><strong>Stay transparent</strong>: share its plan and progress, so you can intervene instantly.</li>
<li><strong>Earn trust</strong>: test its own work and explain every change.</li>
</ol>
<p>Copilot’s new <strong>agentic architecture</strong> is designed around these guardrails.</p>
</aside>
<h2 class="wp-block-heading" id="h-copilot-in-action-taking-steps-toward-our-vision-nbsp">Copilot in action: Taking steps toward our vision </h2>
<h3 class="wp-block-heading" id="h-agent-mode-a-real-time-ai-teammate-inside-your-ide">Agent mode: A real-time AI teammate inside your IDE</h3>
<p>If you’ve used <a href="https://github.blog/news-insights/product-news/github-copilot-the-agent-awakens/">agent mode with GitHub Copilot</a> (and you should, because it’s fantastic), you’ve already experienced an independent AI agent at work. </p>
<p>Agent mode lives where you code and feels like handing your computer to a teammate for a minute: it types on your screen while you look on, and can grab the mouse. When you prompt it, the agent takes control, works through the problem, and reports its work back to you with regular check-in points. It can:</p>
<ul class="wp-block-list">
<li><strong>Read your entire workspace</strong> to understand context.</li>
<li><strong>Plan multi‑step fixes or refactors</strong> (and show you the plan first).</li>
<li><strong>Apply changes, run tests, and iterate</strong> in a tight feedback loop.</li>
<li><strong>Ask for guidance</strong> whenever intent is ambiguous.</li>
<li><strong>Run and refine its own work</strong> through an “agentic loop”—planning, applying changes, testing, and iterating.</li>
</ul>
<p>Rather than just responding to requests, Copilot in agent mode actively works toward your goal. You define the outcome, and it determines the best approach—seeking feedback from you as needed, testing its own solutions, and refining its work in real time. </p>
<p>Think of it as pair programming in fast forward: you’re watching the task unfold in real time, free to jump in or redirect at any step. ✨</p>
<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<iframe loading="lazy" title="GitHub Copilot now supports agent mode" width="500" height="281" src="https://www.youtube.com/embed/Bla9JsYGIRw?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
</div></figure>
<h3 class="wp-block-heading" id="h-coding-agent-an-ai-teammate-that-works-while-you-don-t-nbsp">Coding agent: An AI teammate that works while you don’t </h3>
<p>Not all coding happens in real time. Sometimes, you need to hand off tasks to a teammate and check back later.</p>
<p>That’s where <strong>our coding agent</strong> comes in—and it’s our first step in transforming Copilot into an independent agent. Coding agent spins up its <strong>own secure dev environment</strong> in the cloud. You can assign multiple issues to Copilot, then dive into other work (or grab a cup of coffee!) while it handles the heavy lifting. It can:</p>
<ul class="wp-block-list">
<li><strong>Clone your repo and bootstrap tooling</strong> in isolation.</li>
<li><strong>Break the issue into steps</strong>, implement changes, and write or update tests.</li>
<li><strong>Validate its work </strong>by running your tests and linter.</li>
<li><strong>Open a draft PR</strong> and iterate based on your PR review comments.</li>
<li><strong>Stream progress updates</strong> so you can peek in—or jump in—any time.</li>
</ul>
<p>Working with coding agent is like asking a teammate in another room—with their own laptop and setup—to tackle an issue. You’re free to work on something else, but you can pop in for status or feedback whenever you like.</p>
<figure class="wp-block-video"><video controls poster="https://github.blog/wp-content/uploads/2025/06/Screenshot-2025-06-20-at-12.35.06 PM.png" src="https://github.blog/wp-content/uploads/2025/06/Copilot-Coding-Agent-Overview-v3-Burned.mp4"></video></figure>
<h2 class="wp-block-heading" id="h-less-todo-more-done-the-next-stage-of-copilot-s-agentic-future">Less TODO, more done: The next stage of Copilot’s agentic future</h2>
<p>The next stage of Copilot is being built on three converging pillars:</p>
<ol class="wp-block-list">
<li><strong>Smarter, leaner models.</strong> Ongoing breakthroughs in large language models keep driving accuracy up while pushing latency and cost down. Expanded context windows now span entire monoliths, giving Copilot the long-range “memory” it needs to reason through complex codebases and return answers grounded in your real code.<br></li>
<li><strong>Deeper contextual awareness.</strong> Copilot increasingly understands the full story behind your work—issues, pull-request history, dependency graphs, even private runbooks and API specs (via MCP). By tapping this richer context, it can suggest changes that align with project intent, not just syntax.<br></li>
<li><strong>Open, composable foundation.</strong> We’re designing Copilot to slot into <em>your</em> stack—not the other way around. You choose the editor, models, and tools; Copilot plugs in, learns your patterns, and amplifies them. You’re in the driver’s seat, steering the AI to build, test, and ship code faster than ever.</li>
</ol>
<p>Taken together, these pillars move Copilot beyond a single assistant toward a flexible AI teammate—one that can help any team, from three developers in a garage to thousands in a global enterprise, plan, code, test, and ship with less friction and more speed.</p>
<p>So, get ready for what’s next. The next wave is already on its way. </p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Learn more</strong> about <a href="https://github.com/features/copilot">GitHub Copilot ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/news-insights/product-news/from-pair-to-peer-programmer-our-vision-for-agentic-workflows-in-github-copilot/">From pair to peer programmer: Our vision for agentic workflows in GitHub Copilot</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">88977</post-id> </item>
<item>
<title>Why developer expertise matters more than ever in the age of AI</title>
<link>https://github.blog/developer-skills/career-growth/why-developer-expertise-matters-more-than-ever-in-the-age-of-ai/</link>
<dc:creator><![CDATA[Laura Lindeman]]></dc:creator>
<pubDate>Tue, 24 Jun 2025 17:04:47 +0000</pubDate>
<category><![CDATA[Career growth]]></category>
<category><![CDATA[Developer skills]]></category>
<category><![CDATA[AI]]></category>
<category><![CDATA[productivity]]></category>
<guid isPermaLink="false">https://github.blog/?p=89040</guid>
<description><![CDATA[<p>AI can help you code faster, but knowing why the code works—and sharpening your human-in-the-loop skills—is what makes you a great developer.</p>
<p>The post <a href="https://github.blog/developer-skills/career-growth/why-developer-expertise-matters-more-than-ever-in-the-age-of-ai/">Why developer expertise matters more than ever in the age of AI</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></description>
<content:encoded><![CDATA[<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body><figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><em>Editor’s note: This piece was originally published in our LinkedIn newsletter, Branching Out_. </em><a href="https://www.linkedin.com/newsletters/branching-out-6958196028076429312/"><em>Sign up now for more career-focused content > </em></a></td></tr></tbody></table></figure>
<p>AI tools seem to be everywhere. With the tap of a key, they provide ready answers to queries, autocomplete faster than our brains can, and even suggest entire blocks of code. Research has shown that <a href="https://github.com/features/copilot">GitHub Copilot</a> enables developers to <a href="https://github.blog/news-insights/research/research-quantifying-github-copilots-impact-on-developer-productivity-and-happiness/">code up to 55% faster</a>. Junior developers, specifically, <a href="https://mitsloan.mit.edu/ideas-made-to-matter/how-generative-ai-affects-highly-skilled-workers?utm_source=chatgpt.com">may see a 27% to 39% increase in output with AI assistance according to MIT</a>, showing even greater productivity gains from their adoption of AI than more experienced developers. </p>
<p><strong>But here’s the question: you may be coding faster with AI, but when was the last time you asked yourself </strong><strong><em>why</em></strong><strong> before adopting a suggestion from an AI coding assistant? </strong></p>
<p>Being a developer is not just about producing code. It’s about understanding <em>why</em> the code works, how it fits into the bigger picture, and what happens when things break down. The best developers know how to think critically about new problems and take a systems view of solving them. That kind of expertise is what keeps software resilient, scalable, and secure, especially as AI accelerates how quickly we ship. Without it, we risk building faster but breaking more.</p>
<p><a href="https://timesofindia.indiatimes.com/technology/tech-news/github-ceo-thomas-dohmke-to-startups-your-companies-would-struggle-without-developers-as-ai-coding-assistants-can-only-/articleshow/121844990.cms?utm_source=chatgpt.com">Our CEO, Thomas Dohmke, put it bluntly at VivaTech</a>: “Startups can launch with AI‑generated code, but they can’t scale without experienced developers.” Developer expertise is the multiplier on AI, not the bottleneck.</p>
<p>We’re not saying you have to reject AI to be a great developer. At GitHub, we believe AI is a superpower, one that helps you move faster and build better when used thoughtfully. Your role as a developer in the age of AI is to be the human-in-the-loop: the person who knows why code works, why it sometimes doesn’t, what the key requirements in your environment are, and how to debug, guide AI tools, and go beyond vibe coding. </p>
<p>After all, AI can help you write code a lot faster, but only developer expertise turns that speed into resilient, scalable, and secure software.</p>
<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong>TL;DR:</strong> AI pair‑programming makes you faster, but it can’t replace the judgment that keeps software safe and maintainable. This article offers three concrete ways to level‑up your expertises.</td></tr></tbody></table></figure>
<h2 class="wp-block-heading" id="h-ai-s-productivity-dividend-developer-experience-greater-impact">AI’s productivity dividend + developer experience = greater impact</h2>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>Benefit</strong></th><th><strong>How human judgment multiplies the value</strong></th></tr></thead><tbody><tr><td>⏱️ Faster commits (up to 55 % quicker task completion)</td><td>Devs run thoughtful code reviews, write tests, and surface edge cases so speed never comes at the cost of quality.</td></tr><tr><td>🧠 Lower cognitive load</td><td>Freed-up mental bandwidth lets developers design better architectures, mentor teammates, and solve higher-order problems.</td></tr><tr><td>🌱 Easier onboarding for juniors</td><td>Senior engineers provide context, establish standards, and turn AI suggestions into teachable moments building long-term expertise.</td></tr><tr><td>🤖 Automated boilerplate</td><td>Devs tailor scaffolding to real project needs, question assumptions, and refactor early to keep tech-debt in check and systems secure.</td></tr></tbody></table></figure>
<p>Speed without judgment can mean:</p>
<ul class="wp-block-list">
<li>Security vulnerabilities that static analysis can’t spot on its own.</li>
<li>Architecture choices that don’t scale beyond the demo.</li>
<li>Documentation drift that leaves humans and models guessing.</li>
</ul>
<p>The remedy? Double down on the fundamentals that AI still can’t master.</p>
<h2 class="wp-block-heading" id="h-mastering-the-fundamentals-3-key-parts-of-your-workflow-to-focus-on-when-using-ai">Mastering the fundamentals: 3 key parts of your workflow to focus on when using AI</h2>
<p>As the home for all developers, we’ve seen it again and again: becoming AI-savvy starts with the old-school basics. You know, the classic tools and features you used before AI became a thing (we know, it’s hard to remember such a time!). We believe that only by mastering the fundamentals can you get the most value, at scale, out of AI developer tools like GitHub Copilot. </p>
<p>A junior developer who jumps into their first AI-assisted project without having a foundational understanding of the basics (like pull requests, code reviews, and documentation) may ship fast, but without context or structure, they risk introducing bugs, missing edge cases, or confusing collaborators. That’s not an AI problem. It’s a fundamentals problem.</p>
<p>Let’s revisit the core skills every developer should bring to the table, AI or not. With the help of a few of our experts, we’ll show you how to level them up so you can dominate in the age of AI.</p>
<h3 class="wp-block-heading" id="h-1-push-for-excellence-in-the-pull-request">1. Push for excellence in the pull request</h3>
<p>At the heart of developer collaboration, pull requests are about clearly communicating your intent, explaining your reasoning, and making it easier for others (humans and AI alike!) to engage with your work.</p>
<p>A well‑scoped PR communicates <em>why</em> a change exists—not just <em>what</em> changed. That context feeds human reviewers and Copilot alike.</p>
<p>As GitHub developer advocate <a href="https://github.com/ladykerr">Kedasha Kerr</a> advises, start by keeping your pull requests small and focused. A tight, purposeful pull request is easier to review, less likely to introduce bugs, and faster to merge. It also gives your reviewers, as well as AI tools like Copilot, a clean scope to work with.</p>
<p>Your pull request description is where clarity counts. Don’t just list what changed—explain <em>why</em> it changed. Include links to related issues, conversations, or tracking tickets to give your teammates the full picture. If your changes span multiple files, suggest where to start reviewing. And be explicit about what kind of feedback you’re looking for: a quick sanity check? A deep dive? Let your reviewers know.</p>
<p>Before you ask for a review, review it yourself. Kedasha recommends running your tests, previewing your changes, and catching anything unclear or unpolished. This not only respects your reviewers’ time, it improves the quality of your code and deepens your understanding of the work.</p>
<p>A thoughtful pull request is a signal of craftsmanship. It builds trust with your team, strengthens your communication skills, and gives Copilot better context to support you going forward. That’s a win for you, your team, and your future self.</p>
<p><strong>Here’s a quick 5‑item PR checklist to reference as you work: </strong></p>
<ol class="wp-block-list">
<li><strong>Scope ≤ 300 lines</strong> (or break it up).</li>
<li><strong>Title = verb + object</strong> (e.g., <em>Refactor auth middleware to async</em>).</li>
<li><strong>Description answers “why now?”</strong> and links to the issue.</li>
<li><strong>Highlight breaking changes</strong> with ⚠️ BREAKING in bold.</li>
<li><strong>Request specific feedback</strong> (e.g., <em>Concurrency strategy OK?</em>).</li>
</ol>
<p>Drop this snippet into <strong><code>.github/pull_request_template.md</code></strong> and merge.</p>
<p><a href="https://github.blog/developer-skills/github/beginners-guide-to-github-creating-a-pull-request/"><em>Learn more about creating a great pull request ></em></a><em> </em></p>
<h3 class="wp-block-heading" id="h-2-rev-up-your-code-reviews">2. Rev up your code reviews</h3>
<p>AI can generate code in seconds, but knowing how to review that code is where real expertise develops. Every pull request is a conversation: “I believe this improves the codebase, do you agree?” As GitHub staff engineer <a href="https://github.com/cheshire137">Sarah Vessels</a> explains, good code reviews don’t just catch bugs; they teach, transfer knowledge, and help teams move faster with fewer costly mistakes.</p>
<p>And let’s be honest: as developers, we often read and review far more code than we actually write (and that’s ok!). No matter if code comes from a colleague or an AI tool, code reviews are a fundamental part of being a developer—and building a strong code review practice is critical, especially as the volume of code increases. </p>
<p>You should start by reviewing your own pull requests before assigning them to others. Leave comments where you’d have questions as a reviewer. This not only helps you spot problems early, but also provides helpful context for your teammates. Keep pull requests small and focused. The smaller the diff, the easier it is to review, debug, and even roll back if something breaks in production. In DevOps organizations, especially large ones, small, frequent commits also help reduce merge conflicts and keep deployment pipelines flowing smoothly. </p>
<p>As a reviewer, focus on clarity. Ask questions, challenge assumptions, and check how code handles edge cases or unexpected data. If you see a better solution, offer a specific example rather than just saying “this could be better.” Affirm good choices too: calling out strong design decisions helps reinforce shared standards and makes the review process less draining for authors.</p>
<p>Code reviews give you daily reps to build technical judgement, deepen your understanding of the codebase, and earn trust with your team. In an AI-powered world, they’re also a key way to level up by helping you slow down, ask the right questions, and spot patterns AI might miss.</p>
<p><strong>Here are some heuristics to keep in mind when reviewing code:</strong></p>
<ul class="wp-block-list">
<li><strong>Read the tests first</strong>. They encode intent.</li>
<li><strong>Trace data flow</strong> for user input to DB writes to external calls.</li>
<li><strong>Look for hidden state</strong> in globals, singletons, and caches.</li>
<li><strong>Ask “What happens under load?”</strong> even if performance isn’t in scope.</li>
<li><strong>Celebrate good patterns</strong> to reinforce team standards.</li>
</ul>
<p><a href="https://github.blog/developer-skills/github/how-to-review-code-effectively-a-github-staff-engineers-philosophy/"><em>Learn more about how to review code effectively ></em></a></p>
<h3 class="wp-block-heading" id="h-3-invest-in-documentation">3. Invest in documentation </h3>
<p>Strong pull requests and code reviews help your team build better software today. But documentation makes it easier to build better software tomorrow. In the AI era, where code can be generated in seconds, clear, thorough documentation remains one of the most valuable—and overlooked—skills a developer can master.</p>
<p>Good documentation helps everyone stay aligned: your team, new contributors, stakeholders, and yes, even AI coding agents (docs make great context for any AI model, after all). The clearer your docs, the more effective AI tools like Copilot can be when generating code, tests, or summaries that rely on understanding your project’s structure. As GitHub’s software engineer <a href="https://github.com/brittanyellich">Brittany Ellich</a> and technical writer <a href="https://github.com/sabrowning1">Sam Browning</a> explain, well-structured docs accelerate onboarding, increase adoption, and make collaboration smoother by reducing back and forth.</p>
<p>The key is to keep your documentation clear, concise, and structured. Use plain language, focus on the information people actually need, and avoid overwhelming readers with too many edge cases or unnecessary details. Organize your docs with the <a href="https://diataxis.fr/">Diátaxis framework</a>, which breaks documentation into four categories:</p>
<ul class="wp-block-list">
<li>Tutorials for hands-on learning with step-by-step guides</li>
<li>How-to guides for task-oriented steps with bulleted or numbered list</li>
<li>Explanations for deeper understanding</li>
<li>Reference for technical specs such as API specs</li>
</ul>
<p>When your docs follow a clear structure, contributors know exactly where to find what they need and where to add new information as your project evolves.</p>
<p>In short: great documentation forces you to sharpen your own understanding of the system you’re building. That kind of clarity compounds over time and is exactly the kind of critical thinking that makes you a stronger developer.</p>
<p><a href="https://github.blog/developer-skills/documentation-done-right-a-developers-guide/"><em>Learn more about how to document your project effectively ></em></a></p>
<h3 class="wp-block-heading" id="h-a-level-up-dev-toolkit">A level‑up dev toolkit</h3>
<p>To make things simple, here’s a skills progression matrix to keep in mind no matter what level you’re at. </p>
<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th><strong>Skill</strong></th><th><strong>Junior</strong></th><th><strong>Mid‑level</strong></th><th><strong>Senior</strong></th></tr></thead><tbody><tr><td>Pull requests</td><td>Describes <em>what</em> changed</td><td>Explains <em>why</em> and links issues</td><td>Anticipates perf/security impact & suggests review focus</td></tr><tr><td>Code reviews</td><td>Leaves 👍/👎</td><td>Gives actionable comments</td><td>Mentors, models architecture trade‑offs</td></tr><tr><td>Documentation</td><td>Updates README</td><td>Writes task‑oriented guides</td><td>Curates docs as a product with metrics</td></tr></tbody></table></figure>
<p><strong>And here are some quick‑wins you can copy today:</strong></p>
<ul class="wp-block-list">
<li><code>.github/CODEOWNERS</code> to auto‑route reviews</li>
<li>PR and issue templates for consistent context</li>
<li>GitHub Skills course: <a href="https://github.com/skills/communicate-using-markdown">Communicating with Markdown</a></li>
</ul>
<h2 class="wp-block-heading" id="h-the-bottom-line">The bottom line</h2>
<p>In the end, AI is changing how we write code, and curiosity, judgment, and critical thinking are needed more than ever. The best developers don’t just accept what AI suggests. They ask why. They provide context. They understand the fundamentals. They think in systems, write with intention, and build with care. </p>
<p>So keep asking why. Stay curious. Continue learning. That’s what sets great developers apart—and it’s how you’ll survive and thrive in an AI-powered future.</p>
<div class="wp-block-group post-content-cta has-global-padding is-layout-constrained wp-block-group-is-layout-constrained">
<p><strong>Want to get started?</strong> <a href="https://github.com/features/copilot/?utm_source=newsletter&utm_medium=social&utm_campaign=copilot_free_launch">Explore GitHub Copilot ></a></p>
</div>
</body></html>
<p>The post <a href="https://github.blog/developer-skills/career-growth/why-developer-expertise-matters-more-than-ever-in-the-age-of-ai/">Why developer expertise matters more than ever in the age of AI</a> appeared first on <a href="https://github.blog">The GitHub Blog</a>.</p>
]]></content:encoded>
<post-id xmlns="com-wordpress:feed-additions:1">89040</post-id> </item>
</channel>
</rss>

If you would like to create a banner that links to this page (i.e. this validation result), do the following:

Download the "valid RSS" banner.
Upload the image to your own server. (This step is important. Please do not link directly to the image on this server.)
Add this HTML to your page (change the image src attribute if necessary):

<a href="http://www.feedvalidator.org/check.cgi?url=https%3A//github.blog/feed/"><img src="valid-rss-rogers.png" alt="[Valid RSS]" title="Validate my RSS feed" /></a>

If you would like to create a text link instead, here is the URL you can use:

http://www.feedvalidator.org/check.cgi?url=https%3A//github.blog/feed/

Home · About · News · Docs · Terms