GitHub Introduces Private Vulnerability Reports and Branch Rules

GitHub updates: private vulnerability reports and rules for branches

GitHub has introduced three new features to its Git hosting and npm package registry services. The updates aim to enhance security and improve user experience. First, GitHub has addressed the issue of trust between package providers and users in the npm registry. The new “npm Package Provenance” function, which uses the Sigstore project, generates a provenance document in SLSA format that records the origin of the code. The document is signed using GitHub’s toolkit, and users can see in the npm web interface which commit a package version was built from.
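To show what a consumer can check once such a provenance document is in hand, here is an added example (not code from GitHub, npm or Sigstore) that validates a constructed SLSA-style statement against a package tarball and extracts the source commit. The field names follow the in-toto Statement / SLSA provenance v1 layout as an assumption about the format, the builder id and sample data are constructed, and a real check must additionally verify the Sigstore signature over the document (npm's own `npm audit signatures` does that) before trusting its contents.

```python
import hashlib

# Constructed sample inputs: a stand-in for a package tarball and a
# SLSA-style provenance statement that names it as its subject.
TARBALL = b"example-pkg-1.2.3.tgz contents (constructed)"
EXPECTED_BUILDER = "https://github.com/actions/runner"  # assumed builder id
SOURCE_COMMIT = "0123456789abcdef0123456789abcdef01234567"  # constructed
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:npm/example-pkg@1.2.3",
                 "digest": {"sha512": hashlib.sha512(TARBALL).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "resolvedDependencies": [{
                "uri": "git+https://github.com/example/example-pkg@refs/heads/main",
                "digest": {"gitCommit": SOURCE_COMMIT},
            }]
        },
        "runDetails": {"builder": {"id": EXPECTED_BUILDER}},
    },
}

def check_provenance(statement, tarball, expected_builder):
    """Return (ok, source_commit, reasons); ok is False if any check fails."""
    reasons = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        reasons.append("unexpected predicateType")
    # The artifact we downloaded must be the exact subject the build attested to.
    actual = hashlib.sha512(tarball).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha512") == actual for s in subjects):
        reasons.append("tarball digest not listed as a subject")
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != expected_builder:
        reasons.append(f"unexpected builder id: {builder!r}")
    # The source commit is what lets a reviewer tie the version back to code.
    commit = None
    for dep in pred.get("buildDefinition", {}).get("resolvedDependencies", []):
        if dep.get("uri", "").startswith("git+https://github.com/"):
            commit = dep.get("digest", {}).get("gitCommit")
            break
    if commit is None:
        reasons.append("no GitHub source commit recorded")
    return (not reasons, commit, reasons)

if __name__ == "__main__":
    ok, commit, why = check_provenance(PROVENANCE, TARBALL, EXPECTED_BUILDER)
    print("ok" if ok else "FAILED", commit, why)
```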

GitHub’s second update is the release of its “Private Vulnerability Reports” feature, which is designed to help improve the security of open-source projects. The feature lets users report vulnerabilities to project maintainers via private messages, without having to make their email addresses public. The feature was previously in beta but is now available to all users, with an additional option to activate the function across all organization repositories with one click.

Finally, GitHub is introducing a new feature called “rulesets,” which replaces its branch protection rules for organizations. According to GitHub, rulesets allow more flexible authorization controls and make it easier for organizations with many repositories to define them centrally. Where the previous branch protection rules only controlled who may perform which actions on certain branches, the new rulesets offer more extensive authorization controls.

Overall, the updates demonstrate GitHub’s continued commitment to security and user experience. The company promises to work with other CI/CD providers to extend the “npm Package Provenance” function in the future, and users can already start experimenting with the new “rulesets” feature.
