GitHub in your editor

In early September, we released a new extension to the Visual Studio Marketplace that supports GitHub pull requests. On October 17, day two of GitHub Universe, we’ll share the stage with the Visual Studio Code Team at Microsoft to give you updates and insight into how we are building the extension during our talk Cross Company Collaboration: Extending GitHub to a New IDE.

GitHub’s dedication to developers

We design GitHub for developer experience—so you can effectively collaborate and build great software. To bring you a user-friendly experience that invites novice and seasoned developers alike, it’s important we identify new opportunities. We’ve been working since 2015 to provide a GitHub experience that meets you where you spend the majority of your time: in your editor.

GitHub for .NET developers

As .NET developers writing in Visual Studio, we recognized a large gap in the ability to collaborate in this environment. In 2015, we brought all Visual Studio developers an extension that supports GitHub.com and GitHub Enterprise engagements within the editor. And today, you can complete an entire pull request review without ever leaving Visual Studio.

"Clone a GitHub Repository" dialog in Visual Studio

GitHub for the Atom community

Not a .NET developer on Windows? No problem! We also support a first-class Git and GitHub experience for Atom developers. Access basic Git operations like staging, committing, and syncing, alongside more complex collaboration with the recently released pull request experience.

GitHub Extension for Atom

GitHub for game developers

Unity game developers can now use Git within Unity for the first time to clone and sync with GitHub.com and lock files, including large assets that game developers often have in their projects.

GitHub for Unity Interface

GitHub and Visual Studio Code

In Winter 2017 we started planning our integration with VS Code after seeing how it influenced developers around the world. With a basic pull request experience in both Visual Studio and Atom, we knew we wanted to start with that level of collaboration.

In Spring 2018, we reached out to the VS Code Team and discovered that, since they were building VS Code on GitHub, they felt they were missing that collaboration piece in their editor.

VS Code developers now have the first iteration of a pull request review experience within VS Code. With a small group of people, we launched the public preview of the GitHub Pull Request Extension in September 2018.

The pull request experience in Visual Studio Code

This new extension gives developers the ability to:

  • Authenticate with GitHub within VS Code (for GitHub.com and GitHub Enterprise)
  • List pull requests associated with your current repository, view their description, and browse the diffs of changed files
  • Validate pull requests by checking them out and testing them without having to leave VS Code

Thanks to Kenneth Auchenberg (Microsoft), Rachel Macfarlane (Microsoft), Kai Maetzel (Microsoft), Peng Lyu (Microsoft), Sarah Guthals (GitHub), Andreia Gaita (GitHub), and Ashi Krishnan (GitHub) for your continued work on this extension. :sparkles:

Meet us at GitHub Universe

Join us at GitHub Universe October 16-17

Want to learn more? Join us at GitHub Universe 2018 on October 17 at 10:15am. We’ll demo the extension for you, give you an update on what we’re releasing next, and show you how you can contribute. If you can’t make it to San Francisco in time, tune into the livestream on githubuniverse.com.

Connect with us

As always, you can reach out to the Editor Tools Team by tweeting at (@githubvscode) or joining the conversation in our open source repository. And if you’d like to participate in usability studies around our extension, we invite you to fill out a short survey.

If you’re interested in any of the extensions mentioned in this post, check out previous posts or drop into our GitHub for Visual Studio, GitHub for Atom, and GitHub for Unity repositories.

Applying machine intelligence to GitHub security alerts

GitHub security alerts

Last year, we released security alerts that track security vulnerabilities in Ruby and JavaScript packages. Since then, we’ve identified more than four million of these vulnerabilities and added support for Python. In our launch post, we mentioned that all vulnerabilities with CVE IDs are included in security alerts, but sometimes there are vulnerabilities that are not disclosed in the National Vulnerability Database. Fortunately, our collection of security alerts can be supplemented with vulnerabilities detected from activity within our developer community.

Leveraging the community

There are many places a project can publicize security fixes within a new version: the CVE feed, various mailing lists and open source groups, or even within its release notes or changelog. Regardless of how projects share this information, some developers within the GitHub community will see the advisory and immediately bump their required versions of the dependency to a known safe version. If detected, we can use the information in these commits to generate security alerts for vulnerabilities which may not have been published in the CVE feed.

On an average day, the dependency graph can track around 10,000 commits to dependency files for any of our supported languages. We can’t manually process this many commits. Instead, we depend on machine intelligence to sift through them and extract those that might be related to a security release.

For this purpose, we created a machine learning model that scans text associated with public commits (the commit message and linked issues or pull requests) to filter out those related to possible security upgrades. With this smaller batch of commits, the model uses the diff to understand how required version ranges have changed. Then it aggregates across a specific timeframe to get a holistic view of all dependencies that a security release might affect. Finally, the model outputs a list of packages and version ranges it thinks require an alert and currently aren’t covered by any known CVE in our system.
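A simplified stand-in for the pipeline just described, added here as an example and not GitHub’s model: a keyword filter takes the place of the text classifier, version-range changes are read out of a package.json diff, and results are aggregated per package against the set of packages a known CVE already covers. The package names, commit messages, diffs and the `KNOWN_CVES` set are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed stand-in for the pipeline above (not GitHub's model):
# (1) keyword-filter commit text, (2) read version-range changes
# out of a package.json diff, (3) aggregate per package against
# the packages a known CVE already covers.
SECURITY_WORDS = re.compile(r'\b(security|vulnerab\w*|advisory)\b', re.I)
# A changed package.json dependency line: [-+]  "name": "range"
DEP_LINE = re.compile(r'^([-+])\s*"([^"]+)"\s*:\s*"([^"]+)"')

def is_security_related(text):
    """Stage 1: cheap text filter standing in for the classifier."""
    return bool(SECURITY_WORDS.search(text))

def version_changes(diff):
    """Stage 2: {package: (old_range, new_range)} from a unified diff."""
    removed, added = {}, {}
    for line in diff.splitlines():
        m = DEP_LINE.match(line)
        if m:
            sign, name, rng = m.groups()
            (removed if sign == '-' else added)[name] = rng
    return {n: (removed[n], added[n]) for n in removed
            if n in added and removed[n] != added[n]}

def aggregate(commits, known_cves):
    """Stage 3: over (message, diff) pairs from one time window, collect the
    (old, new) range bumps of packages not already covered by a known CVE."""
    candidates = defaultdict(set)
    for message, diff in commits:
        if not is_security_related(message):
            continue  # text does not look like a security upgrade
        for pkg, (old, new) in version_changes(diff).items():
            if pkg not in known_cves:  # only gaps in CVE coverage need an alert
                candidates[pkg].add((old, new))
    return dict(candidates)

# Constructed commits: (message, diff) pairs from one time window.
COMMITS = [
    ("Bump example-http to fix security advisory",
     '--- a/package.json\n+++ b/package.json\n'
     '-    "example-http": "^1.2.0",\n+    "example-http": "^1.2.5",\n'
     '     "example-ui": "^2.0.0",'),
    ("Update example-ui",
     '-    "example-ui": "^2.0.0",\n+    "example-ui": "^2.1.0",'),
    ("Upgrade covered-pkg, vulnerability fix",
     '-    "covered-pkg": "~3.0.0"\n+    "covered-pkg": "~3.0.1"'),
]
KNOWN_CVES = {'covered-pkg'}  # constructed: this package already has an alert
```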

Always quality focused

No machine learning model is perfect. While machine intelligence can sift through thousands of commits in an instant, this anomaly-detection algorithm will still generate false positives for packages where no security patch was released. Security alert quality is a focus for us, so we review all model output before the community receives an alert.

Learn more

Interested in learning more? Join us at GitHub Universe next week to explore the connections that push technology forward and keep projects secure through talks, trainings, and workshops. Tune in to the blog October 16-17 for more updates and announcements.

Git Submodule Vulnerability Announced

The Git project has disclosed CVE-2018-17456, a vulnerability in Git that can cause arbitrary code to be executed when a user clones a malicious repository. Git v2.19.1 has been released with a fix, along with backports in v2.14.5, v2.15.3, v2.16.5, v2.17.2, and v2.18.1. We encourage all users to update their clients to protect themselves.

Until you’ve updated, you can protect yourself by avoiding submodules from untrusted repositories. This includes commands such as git clone --recurse-submodules and git submodule update.

Affected products

GitHub Desktop

GitHub Desktop versions 1.4.1 and older included an embedded version of Git that was affected by this vulnerability. We encourage all GitHub Desktop users to update to the newest version (1.4.2 and 1.4.3-beta0) available today in the Desktop app.

Atom

Atom included the same embedded Git and was also affected. Releases 1.31.2 and 1.32.0-beta3 include the patch.

Ensure you’re on the latest Atom release by completing any of the following:

  • Windows: From the toolbar, click Help -> Check for Updates
  • macOS: From the menu bar, click Atom -> Check for Update
  • Linux: Update manually by downloading the latest release from atom.io

Git on the command line and other clients

In order to be protected from the vulnerability, you must update your command-line version of Git, and any other application that may include an embedded version of Git, as they are independent of each other.

Additional notes

Neither GitHub.com nor GitHub Enterprise are directly affected by the vulnerability. However, as with previously discovered vulnerabilities, GitHub.com will detect malicious repositories, and will reject pushes or API requests attempting to create them. Versions of GitHub Enterprise with this detection will ship on October 9.

Details of the vulnerability

This vulnerability is very similar to CVE-2017-1000117, as both are option-injection attacks related to submodules. In the earlier attack, a malicious repository would ship a .gitmodules file pointing one of its submodules to a remote repository with an SSH host starting with a dash (-). The ssh program—spawned by Git—would then interpret that as an option. This attack works in a similar way, except that the option-injection is against the child git clone itself.

The problem was reported on September 23 by @joernchen, both to Git’s private security list and to GitHub’s Bug Bounty program. Developers at GitHub worked with the Git community to develop a fix.

The basic fix was clear from the report. However, due to the similarity to CVE-2017-1000117, we also audited all of the .gitmodules values and implemented stricter checks as appropriate. These checks should prevent a similar vulnerability in another code path. We also implemented detection of potentially malicious submodules as part of Git’s object quality checks (which was made much easier by the infrastructure added during the last submodule-related vulnerability).
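As an added illustration of the kind of check described above (not Git’s or GitHub’s own detection code), a small Python scanner that parses the .gitmodules format and flags the option-like values both CVEs relied on: a url or path beginning with a dash, or an ssh:// URL whose host begins with a dash. The regexes and the sample file are constructed for this example.

```python
import re
from urllib.parse import urlsplit
# Constructed example (not Git's or GitHub's detection code): both CVEs above
# were option injections through .gitmodules values beginning with '-'.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')

def parse_gitmodules(text):
    """Parse git-config style .gitmodules text into {name: {key: value}}."""
    modules, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in '#;':
            continue  # blank line or git-config comment
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip('"')
    return modules

def ssh_host(url):
    """Host of an ssh:// URL with any user@ prefix dropped; None otherwise."""
    if not url.startswith('ssh://'):
        return None
    return urlsplit(url).netloc.rsplit('@', 1)[-1]

def suspicious_submodules(text):
    """Return (name, key, value, reason) for every option-like value."""
    findings = []
    for name, entries in parse_gitmodules(text).items():
        url, path = entries.get('url', ''), entries.get('path', '')
        if path.startswith('-'):
            findings.append((name, 'path', path, 'path starts with a dash'))
        if url.startswith('-'):
            findings.append((name, 'url', url, 'url starts with a dash'))
        elif (ssh_host(url) or '').startswith('-'):
            findings.append((name, 'url', url, 'SSH host starts with a dash'))
    return findings

# Constructed sample: one clean submodule and two with option-like values.
SAMPLE = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = https://github.com/example/libfoo.git
[submodule "dash-values"]
\tpath = -constructed-path
\turl = -constructed-url
[submodule "dash-host"]
\tpath = vendor/dash-host
\turl = ssh://-constructed-host/repo.git
"""
```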

The coordinated disclosure date of October 5 was selected by Git developers to allow packagers to prepare for the release. This also provided hosting sites (with custom implementations) ample time to detect and block the attack before it became public. Members of the Git community checked the JGit and libgit2 implementations. Those are not affected by the vulnerability because they clone submodules via function calls rather than separate commands.

We were also able to use the time to scan all repositories on GitHub for evidence of the attack being used in the wild. We’re happy to report that no instances were found (and now, with our detection, none can be added).

Please update your copy of Git soon, and happy cloning!

13 Games in ≤ 13kB of JavaScript · js13kGames 2018

As the seventh annual js13kGames competition comes to a close, a grand total of 274 games were submitted. Even more impressive, each one was created in a single month, using less than 13 kB.

We rounded up a few of our favorites featuring a number of different styles and genres. From dark shooters and pixelated beat ‘em ups to perplexing puzzle and platform games—enjoy some downtime this weekend and play them all (or fork and hack on them with your own customizations)!

UNDERRUN

UNDERRUN is a twin-stick shooter “in 256 shades of brown,” using WebGL, from @phoboslab. In this game, you must defend yourself from predators while figuring out how to restore power to fix all system failures. Sounds simple enough, right? See for yourself when you play this highly addictive shooter (and enjoy the haunting music). Read more about how the game was created in the retrospective.

► Play in your browser · View source

Envisionator

@DennisBengs created the challenging puzzle game, Envisionator. The goal of the game is to escape a building on lockdown by giving a robot commands. What’s the catch? The robot needs you to give it each and every direction, step by step—one false move, and…well, you’ll see! Play Envisionator to see if you can escape.

► Play in your browser · View source

ONOFF

Things aren’t as black and white as they appear in ONOFF. Dodge spikes, jump over pits, and toggle between dimensions. Think you can overcome each level of traps? You’re in for a treat with this mind-boggling, fast-paced platformer from @starzonmyarmz and @braddunbar. Play it to see what we mean!

► Play in your browser · View source

The Chroma Incident

The Chroma Incident by @Rybar is also a twin-stick shooter, but with a few more colors than UNDERRUN. The problem is the color’s been stolen by the Achromats, and it’s up to you to bring it back. Shoot your way through areas to reclaim those colors—give it a go!

► Play in your browser · View source

The Matr13k

Get nostalgic and relive some of the intense fight scenes with Neo from The Matrix. Use the arrow keys, S to kick, and D to punch your way through this JavaScript matrix from @agar3s. Can you find a way to the end of the rabbit hole before it’s too late? Play The Matr13k and test your combat skills.

► Play in your browser · View source

1024 moves

Not to be confused with 2048(!), 1024 Moves is a polished puzzle game from @GregPeck. Get the ball, and avoid the holes—what’s the catch? See if you can solve the entire game in less than 1,024 moves. Play and test your problem-solving skills.

► Play in your browser · View source

Geoquiz 2

Think you know a little bit about world geography? Or are you lost with even the simplest of directions? Prove how much of a geography all-star you are by playing Geoquiz2—or brush up on your worldly knowledge. You can even read about how @xem made the game in the GeoQuiz2 retrospective.

► Play in your browser · View source

Spacecraft

@tricsi’s Spacecraft challenges you to collect as many data tokens as possible from the planets and moons of the Solar System. It’s easy—until gravity accelerates your ship, and you have to avoid obstacles along the way in “space, the final frontier.” How far can you go before your probe goes offline? The only way to find out is to play on.

► Play in your browser · View source

Off the line

How are your gaming reflexes? You’ll quickly find out when you jump Off the Line to collect coins in this arcade tapper from @regularkid. Take your time to figure out the best way to collect coins, or go crazy with a timed, ultra difficult ULTRA MEGA MODE (if you’re feeling lucky). Play it and see how many coins you can collect.

► Play in your browser · View source

Exo

You are the commander of a long-forgotten expedition to a distant star, and there are forces out to get you. Survive wave upon wave of enemies in Exo, a space-based tower defence game brought to you by @scorp200. Play Exo to unravel the story, arm your base, and reclaim your expedition.

► Play in your browser · View source

Everyone’s Sky

You are in control of your destiny in this space-based exploration game. Will you fight for the good of all or make enemies by being evil? Forge alliances, study star systems, fight against enemy combatants, and more in Everyone’s Sky from @remvst.

► Play in your browser · View source

Submersible Warship 2063

In @herebefrogs’s Submersible Warship 2063, enemy submarines are invading, fast. Make strategic use of your sonar to identify targets and evade torpedoes. Can you beat them before they beat you? Stay off enemy radar, and fight on by playing Submersible Warship 2063.

► Play in your browser · View source

Re-wire

If you enjoy playing high-stakes puzzles, Re-wire was made for you. Bring the system back online by rewiring power nodes, but watch out for the traps! This game from @JMankopf will have you… wired to it for hours.

► Play in your browser · View source

This was such a difficult list to narrow down, as we enjoyed playing all of the js13kGames entries. There are hundreds more to discover, including a procedurally generated art game, an audio surfing game, and even a 13 kB Battle Royale game—watch out PUBG and Fortnite!

View this year’s list of games from js13kGames

Do you have a favorite, a high score, or a fork of your own to share? We’d love to hear about it! Let us know with the #js13k hashtag.

Thank you to everyone who participated, all of the judges, and especially @end3r for running this great competition every year. Until next time! <3

Announcing the new GitHub and Jira Software integration


It’s important to us that our users can work the way they want to. For this reason, we’ve built a new integration with Jira allowing software teams to connect their code on GitHub.com to their projects on Jira Software Cloud. The new app updates Jira with data from GitHub, providing your team with visibility into the status of your work. From planning and coding through deployment and measuring impact—this integration provides a more seamless experience.

See the details

Linking your GitHub account to Jira gives your team the ability to see their branches, commit messages, and pull requests right in the context of the Jira tickets they’re working on. You can also view references to Jira in GitHub issues and pull requests, allowing for a deeper connection. This means you don’t have to constantly switch between GitHub and Jira.

Screenshot of a Jira issue with pull request details

Improved capabilities

The new GitHub-managed app provides improved security, and everything—from installation to setup—is now much easier.

With the improved integration you can:

  • Use smart commits to update the status, leave a comment, or log time without leaving your command line or GitHub
  • View associated pull requests, commits, and branches from within a Jira ticket
  • Search for Jira issues based on related GitHub information, such as open pull requests
  • See the status of development work from within Jira projects
  • Automatically keep your Jira issue up to date while working in GitHub (through workflow triggers)

Migration path information

The previous version of the Jira integration will be deprecated in favor of this new GitHub-maintained integration. When you install the new app, your Jira Issue data will migrate from GitHub. When the migration is complete, the legacy integration (DVCS connector) is disabled automatically.

Open platform commitment

The integration was built with publicly-available APIs used by other apps in the GitHub ecosystem. In the next month, you’ll be able to contribute code, submit feature requests or bug reports, and learn more about how the app works.

Get started

Install the Jira Software and GitHub app to connect your GitHub repositories to your Jira instance. Check back for updates on an upcoming enterprise version of the Jira Cloud and GitHub integration.
