Happy second birthday to

Happy birthday,!

As we celebrate’s second birthday, it seems like just yesterday Alvand Salehi was introducing from the main stage at GitHub Universe. But now two years and over 5,200 projects later, (and the Federal Source Code policy that created it) are starting to hit their stride. I wanted to take this opportunity to highlight some of the exciting government projects currently on GitHub, and dive into the data around how the government community uses GitHub to collaborate. Like the team says, “[we] believe in innovation, and are passionate in making these open source projects all available to you.”

Government and open source

Out of the 4,800 publicly accessible government projects on, more than 3,600 (or 75 percent) are hosted on This makes sense, as the majority of the world’s open source already on GitHub. However, it’s also a pretty big deal. Government agencies like NASA and the U.S. Army are using GitHub to share their tools and resources with the greater open source community around the world. Take NASA’s 3D Resources project, for example.

Interested in textures, models, and images from NASA itself? The NASA-3D-Resources repository has it all, including pictures of earth from the Apollo missions and models of the satellite used in the Clementine mission.

You can’t 3D print your own Mars rover—yet. But with contributors like the NASA Jet Propulsion Laboratory and NASA Goddard Space Flight Center, “yet” may definitely be the operative word.

Another exciting government project is ZFS, a file system released by the Department of Energy that runs specifically on Linux. This open source project has not only been embraced by other agencies, but has been adopted by private companies as part of their day-to-day operations.

Notable adopters of ZFS on Linux include GE Healthcare Systems, Intel, and Netflix. As for the Lawrence Livermore National Laboratory (LLNL)—the research facility answering to the Department of Energy and those behind this OSS—they continue to utilize ZFS, and continue to develop and improve the platform. LLNL is working closely with Intel to use a variation of ZFS-ZFS+Lustre—to manage the first planned U.S. exascale system, Aurora. Aurora is capable of a billion-billion calculations per second. (Yes, a billion-billion.) Aurora is slated for 2021 at Argonne National Lab.

How the government community uses GitHub

Aside from how the government is sharing projects, we also took a look at the numbers to find out how the community is using GitHub to collaborate on these projects.

Top 10 projects by stars

Ranking Project #
1 nasa/openmct 5282
2 USArmyResearchLab/Dshell 5098
3 scipy/scipy 5079
4 nasa/NASA-3D-Resources 1422
5 GSA/data 1353
6 GSA/ 1278
7 Code-dot-mil/ 1229
8 openscenegraph/OpenSceneGraph 1177
9 WhiteHouse/petitions 1777
10 NREL/api-umbrella 1172

Top 10 projects by forks

Ranking Project #
1 scipy/scipy 2556
2 USArmyResearchLab/Dshell 1164
3 openscenegraph/OpenSceneGraph 720
4 nasa/openmct 585
5 spack/spack 539
6 lammps/lammps 534
7 idaholab/moose 460
8 WhiteHouse/petitions 373
9 GSA/ 356
10 materialsproject/pymatgen 309

Top 10 projects by watchers

Ranking Project #
1 USArmyResearchLab/Dshell 673
2 scipy/scipy 312
3 GSA/ 251
4 nasa/openmct 233
5 nasa/NASA-3D-Resources 220
6 WhiteHouse/petitions 214
7 openscenegraph/OpenSceneGraph 201
8 18F/api-standards 173
9 nsacyber/Windows-Secure-Host-Baseline 172
10 Code-dot-mil/ 169

Top 10 projects by contributors

Ranking Project #
1 scipy/scipy 669
2 trilinos/Trilinos 197
3 SchedMD/slurm 162
4 18F/ 139
5 Kitware/ParaView 136
6 GSA/wordpress-seo 119
7 department-of-veterans-affairs/vets-website 116
8 idaholab/moose 114
9 materialsproject/pymatgen 113
10 petsc/petsc 113

And more

Our top 10 findings are just a few examples of how government projects use GitHub. Looking deeper into the data can tell us even more about how they contribute to the entire open source community. With thousands on thousands of commits, many have sparked the attention of both the public and private sector:

  • From the Environmental Protection Agency, WNTR (pronounced “winter”) is a Python package designed to simulate and analyze resilience of water distribution networks.
  • The Department of Transportation’s ITS ODE offers real-time data to a network of vehicles, infrastructure, and traffic management centers, providing logistics to subscribing transportation management applications and other similar devices.
  • Then there is Walkoff, from the National Security Agency, enabling security teams to automate and integrate apps, workflows, and analytics tools.

This is what is all about. All of the government projects we’ve mentioned in this post are designated as open source. That means that you can access a repo, test, debug, submit pull requests, or download your own copy and adapt it for your own use.

As the team has shared with us, they believe in innovation and providing everyone the opportunity to perform a civic duty on a digital platform. They’re passionate about making these open source government projects available for all. This spirit is embodied in their hashtag, seen often on their Twitter account: #CodeOn. The invitation to reach out to them on Twitter or LinkedIn is always open, and we highly encourage you to do so.

Want to learn more about Follow them on Medium and Twitter. You can also see what else GitHub is doing to help governments across the country and around the world.

Open source helps people create new and exciting things every day—including the code we used to collect data for this post. Check it out here.

Thank you for 100 million repositories

Thank you for 100M repos

Today we reached a major milestone: 100 million repositories now live on GitHub. Powering this number is an incredible community. Together, you’re 31 million developers from nearly every country and territory in the world, collaborating across 1.1 billion contributions.

Repositories are where you store code, but they represent much more: ideas, experiments, curiosity, and moments of inspiration. To celebrate, let’s take a look at a few trends and achievements, a core sample of what’s possible when we work together by the millions.

What’s behind 100 million?

To put this milestone into perspective, we totaled only about 33,000 repositories in 2008. Today, we’re seeing an average of 1.6 repositories created every second. In fact, nearly one third of all repositories were created in the last year alone—all thanks to the developers who choose to host, build, and share their work on GitHub.

Over the last 10 years, it’s been a pleasure to watch impactful projects build and grow on GitHub. Rails moved to Git and GitHub while the platform was still in private beta, and Node.js launched on GitHub in 2009. Since then, we’ve also had the opportunity to host Swift, .NET, and Python. Supported by thousands of contributors, these projects are raising the bar for how developer tools evolve and engage with their communities.

Just this year, we’ve seen countless projects take off, started by individuals and larger teams alike. Projects like Definitely Typed, Godot, Kubernetes, PyTorch, and more climbed our lists of top and fastest growing projects.

Top open source projects

Projects on this year’s lists have a theme: they make it easier to build software, whether through code editing, automation, containerization, or documentation.

Top OS projects in 2018

Fastest growing open source projects

In the last year, we saw trends in growth of projects related to machine learning, game development, 3D printing, home automation, data analysis, and full-stack JavaScript development.

Fastest growing OS projects in 2018

This year, the open source repositories you’ve created span thousands of topics, but these are the ones you contributed to the most:

Top topics tagged in 2018

Topics in front and backend JavaScript, machine learning, mobile app development, and containerization represent some of the most powerful trends in open source software in the last 12 months. In 2017, topics like “game”, “deep learning”, and “library” were also trending.

Where repositories are created

GitHub started with a small group of developers looking to solve a specific problem—now it’s home to a global open source community. And we’re seeing the proportion of open source contributors outside the U.S. grow every year.

Contributors from the US and outside of the US

As a continent, more repositories are coming from Asia than anywhere else in the world. More specifically, repository creation has picked up across Central Asia, the Middle East, and Africa. While there’s an increase in repositories from developed countries, we’re seeing the same trend in emerging countries as new tech communities grow and new technologies becoming more accessible.

Developers in Egypt, in particular, created twice as many public and private repositories this year. And in Nigeria, a growing developer community created 1.7x more open source repositories in 2018 than in 2017. To see why we think Nigeria has a tech community to watch, read our latest post on the region.

Fastest growing countries by repositories created (as of September 30)

Fastest growing countries by repos created

Fastest growing countries by open source repositories created (as of September 30)

Fastest growing countries by open source repos created

Thank you

After 10 years and 100 million repositories, we’re only just getting started. Thanks to our users, we’re building something bigger than any single repository or project—a community that’s pushing software forward in tangible ways. So thank you for building with us now and in the years to come. We can’t wait to see what you build together in the next 100 million.

Interested in seeing more insights into the GitHub community? Check out this year’s State of the Octoverse report.

Octoverse regional spotlight on Nigeria

Regional spotlight: Nigeria

This article is the first in a series based on The State of Octoverse—trends and insights into GitHub activity, the open source community, and more from the GitHub Data Science Team.

In February, we reflected on a trip to Nigeria and everything we learned about its growing tech community. Economic changes, expanding educational opportunities, and wider internet access are mobilizing a talented and entrepreneurial community. And together, they’re pushing software forward in Africa’s largest economy.

A growing developer community

On our trip, we saw this changing landscape close up at packed meetups and student groups. In our 2018 Octoverse Report, the numbers were clear. Across several measures, the developer community in Nigeria is growing fast. In 2018 alone, we’ve seen:

  • 1.6x more developers contributing on GitHub.* Nigeria represents the fourth fastest growing developer community on GitHub with 1.6x as many contributors in 2018 than in 2017.
  • 2.1x more organizations. Nigeria is high on our list of fastest growing countries by organizations created with 2.1x more organizations created this year than last year.
  • 1.8x more repositories and 1.7x more open source repositories. Nigeria also made our list of fastest growing countries by repositories created, nearly doubling the number of projects they’re collaborating on.

To learn more about our data and methodologies, check out this year’s State of the Octoverse.

*We define contributors broadly as any user taking a substantive action on GitHub (pushed code, opened an issue, or merged a pull request, for example) that added new content to the platform in a public or private repository.

Growth behind the numbers

An important startup ecosystem

Behind our numbers is a young, growing community excited about software development and its potential to address some of the challenges Nigeria faces today. With excitement and opportunity comes an expanding startup ecosystem and the venture capital, accelerators, training programs, and hubs to support it.

Nigerian startups are growing accordingly across industries. The fintech industry is booming in particular, as a result of a changing financial landscape. According to Stephen O’Grady, Principal Analyst at Red Monk:

In 2016 and 2017, 42 percent of Nigerians had access to traditional financial services, which has lead to growth in projects that have tried to bring these to the Nigerian population. Without existing infrastructure, they have the opportunity to take the next step forward.

Nigeria still relies heavily on cash, but fintech companies like AmplifyPay, Paga, and PayStack (which you can find on GitHub) are streamlining the way people bank and gaining tens of thousands of individual and business users. With millions of dollars raised, these companies underscore an investment trend that has spread across African tech ecosystems, reaching a high of $195 million in 2017 alone. These startups have also spurred local developers to build an ecosystem of applications and integrations.

A supportive student community

Through GitHub Education and our global group of Campus Experts, we’ve had the opportunity to support Nigerian students building tech communities that train and mentor new developers within their schools. So far, we’ve watched local Campus Experts create summer coding camps for women, host and speak at national software summits with 1,000+ attendees, organize open source meetups, and more.

Learn more about our Campus Experts program

We’re excited to see what Nigeria’s growing developer community builds on GitHub into 2019 and beyond. Want to learn more? GitHub Data Scientist Anna Filippova and Red Monk Principal Analyst Stephen O’Grady chatted about why Nigeria is trending in a recent GitHub Universe session.

Stay tuned for more posts that dive into data on the GitHub Blog—or check out The State of the Octoverse to see what a community of 31 million developers can accomplish in a year.

Suggested changes—what we've learned so far

Two weeks ago we released suggested changes, a feature that allows you to suggest changes to code in a pull request. Once changes are suggested, the author or assignees can accept (and commit) suggestions with the click of a button.


A code review comment before suggested changes


A code review comment with a suggested change

Since its release, more than 10 percent of all reviewers suggested at least one change, totaling over 100,000 suggestions—and nearly four percent of all review comments created included a suggestion. Based on these early numbers, we see you’re quick to adopt suggested changes and make them a natural part of your code review workflow.

Between the number of suggestions created and the feedback we received from over 2,500 people who have used the feature, you’ve helped us understand what we can improve moving forward.

By far the most frequent requests were:

  1. The ability to suggest changes to multiple lines at once.
  2. The ability to accept multiple changes in a single commit.

We want to make suggested changes the best feature it can possibly be. Your feedback is valuable and will inform our next steps. Until then, we encourage you to try out suggested changes and tell us what you think.

Git Submodule Vulnerability Announced

  • Oct 05, 2018
  • peff peff
  • Announcements

The Git project has disclosed CVE-2018-17456, a vulnerability in Git that can cause arbitrary code to be executed when a user clones a malicious repository. Git v2.19.1 has been released with a fix, along with backports in v2.14.5, v2.15.3, v2.16.5, v2.17.2, and v2.18.1. We encourage all users to update their clients to protect themselves.

Until you’ve updated, you can protect yourself by avoiding submodules from untrusted repositories. This includes commands such as git clone --recurse-submodules and git submodule update.

Affected products

GitHub Desktop

GitHub Desktop versions 1.4.1 and older included an embedded version of Git that was affected by this vulnerability. We encourage all GitHub Desktop users to update to the newest version (1.4.2 and 1.4.3-beta0) available today in the Desktop app.


Atom included the same embedded Git and was also affected. Releases 1.31.2 and 1.32.0-beta3 include the patch.

Ensure you’re on the latest Atom release by completing any of the following:

  • Windows: From the toolbar, click Help -> Check for Updates
  • MacOS: From the menu bar, click Atom -> Check for Update
  • Linux: Update manually by downloading the latest release from

Git on the command line and other clients

In order to be protected from the vulnerability, you must update your command-line version of Git, and any other application that may include an embedded version of Git, as they are independent of each other.

Additional notes

Neither nor GitHub Enterprise are directly affected by the vulnerability. However, as with previously discovered vulnerabilities, will detect malicious repositories, and will reject pushes or API requests attempting to create them. Versions of GitHub Enterprise with this detection will ship on October 9.

Details of the vulnerability

This vulnerability is very similar to CVE-2017-1000117, as both are option-injection attacks related to submodules. In the earlier attack, a malicious repository would ship a .gitmodules file pointing one of its submodules to a remote repository with an SSH host starting with a dash (-). The ssh program—spawned by Git—would then interpret that as an option. This attack works in a similar way, except that the option-injection is against the child git clone itself.

The problem was reported on September 23 by @joernchen, both to Git’s private security list, as well as to GitHub’s Bug Bounty program. Developers at GitHub worked with the Git community to develop a fix.

The basic fix was clear from the report. However, due to to the similarity to CVE-2017-1000117, we also audited all of the .gitmodules values and implemented stricter checks as appropriate. These checks should prevent a similar vulnerability in another code path. We also implemented detection of potentially malicious submodules as part of Git’s object quality checks (which was made much easier by the infrastructure added during the last submodule-related vulnerability).

The coordinated disclosure date of October 5 was selected by Git developers to allow packagers to prepare for the release. This also provided hosting sites (with custom implementations) ample time to detect and block the attack before it became public. Members of the Git community checked the JGit and libgit2 implementations. Those are not affected by the vulnerability because they clone submodules via function calls rather than separate commands.

We were also able to use the time to scan all repositories on GitHub for evidence of the attack being used in the wild. We’re happy to report that no instances were found (and now, with our detection, none can be added).

Please update your copy of Git soon, and happy cloning!




Discover new ways to build better

Try Marketplace apps free for 14 days

Learn more