Anyone Can Access Deleted and Private Repository Data on GitHub

1. private-mirrors

   1 2 163 9.1 TypeScript

   A GitHub App that allows you to contribute upstream using private mirrors of public projects

   

   Hubber here (same username on github.com). We in GitHub's OSPO have been working on an open source GitHub App to address the use case where organizations want to keep a private mirror of an upstream public fork so they can review code and remove IP/secrets/keys that get committed and squash history before any of those changes are made public. Getting a beta release this week, in fact - check it out, I'm curious what yall think about the approach

   https://github.com/github-community-projects/private-mirrors

2. Judoscale

   judoscale.com featured

   Save 47% on cloud hosting with autoscaling that just works. Judoscale integrates with Django, FastAPI, Celery, and RQ to make autoscaling easy and reliable. Save big, and say goodbye to request timeouts and backed-up task queues.

   

3. trufflehog

   2 31 18,733 9.8 Go

   Find, verify, and analyze leaked credentials

   

   It's probably either that they took the picture a while ago, or they were going character by character and accidentally screenshot with one too few.

   https://github.com/trufflesecurity/trufflehog/commit/7bc0b2 https://github.com/trufflesecurity/trufflehog/commit/7bc0b4 https://github.com/trufflesecurity/trufflehog/commit/7bc0b8 https://github.com/trufflesecurity/trufflehog/commit/7bc0b8

4. gitlab

   3 462 - -

   The article is singling out GitHub in the title and for most of the article, only in the very last line they declare that this behavior is a common design flow and not limited to GitHub:

   > Finally, while our research focused on GitHub, it’s important to note that some of these issues exist on other version control system products

   For example, Gitlab only recently solved this: https://gitlab.com/gitlab-org/gitlab/-/issues/408137

   Also, I don't appreciate the fearmongering. Multiple times they repeated statements like how you can "Access Private Repo Data" when it's a rather special case related to forks. They clarify that later but I found these statements repeated in that fashion, whether intentionally or not, very cheap. Especially for a tech blog, where the material itself is good and could stand on its own.

5. dmca

   4 197 5,691 9.9 DIGITAL Command Language

   Repository with text of DMCA takedown notices as received. GitHub does not endorse or adopt any assertion contained in the following notices. Users identified in the notices are presumed innocent until proven guilty. Additional information about our DMCA policy can be found at

   

   According to https://docs.github.com/en/site-policy/content-removal-polic..., even an upstream dmca doesn’t suspend downstream by default, so I would be surprised if downstream dmca suspended upstream.

6. Airflow

   5 187 39,656 10.0 Python

   Apache Airflow - A platform to programmatically author, schedule, and monitor workflows

   

   > Nope, me too. The whole Repo network thing is not User facing at all.

   There are some user-facing parts: You can find the fork network and some related bits under repo insights. (The UX is not great.)

   https://github.com/apache/airflow/forks?include=active&page=...

7. CodeRabbit

   coderabbit.ai featured

   CodeRabbit: AI Code Reviews for Developers. Revolutionize your code reviews with AI. CodeRabbit offers PR summaries, code walkthroughs, 1-click suggestions, and AST-based analysis. Boost productivity and code quality across all major languages with each PR.

   

Suggest a related project