Data


A year of GitHub Desktop on Electron

We announced the public beta of the open source, Electron-built version of GitHub Desktop a year ago, giving the GitHub community a unified GitHub experience for macOS and Windows. With every release, including the version 1.0 in September 2017, we’ve seen more people using GitHub Desktop to improve their workflows. Less than six months after 1.0 was released, more Desktop users were using the Electron-based version than both the classic versions for Mac and Windows combined.

Since its initial release, we’ve added more features to GitHub Desktop, including support for additional external editors, syntax highlighting support for additional languages, support for adding co-authors to commits, and the ability to view and check out pull requests from collaborators or forks. Many of these new features were contributions from the open source community.

Starting today, if you’re still using the classic app, you’ll see in-app notifications suggesting an upgrade to the new GitHub Desktop with information on what’s changed. If you are still using GitHub for Mac or GitHub for Windows, or if you’ve never used our desktop apps, try out the new GitHub Desktop.

How security alerts are keeping your code safer

As more developers draw from existing code libraries to build new tools, tracking changes in dependencies, such as newly disclosed security vulnerabilities, has become more difficult. Since the launch of security alerts last year, we’ve taken an active role in alerting project maintainers of known-vulnerable libraries in RubyGems for Ruby and npm for JavaScript. In almost all cases, there’s a new, patched version of the library we can recommend in the alert. Here’s a summary of how security alerts have been used to protect your code so far.

What does “known-vulnerable” mean?

In the security community, there are standardized and shared lists of vulnerabilities. The most comprehensive of these is Common Vulnerabilities and Exposures (CVEs). The security community works together to document vulnerabilities consistently and shares them in this list. GitHub’s security alerts notify you when Ruby and JavaScript library vulnerabilities from the list are detected in your repositories.

Security alerts at work

Initially, we took our list of vulnerable libraries and compared it to the dependency graphs of all public repositories. We found over four million vulnerabilities in over 500,000 repositories and displayed an alert to repository admins in their dependency graphs and repository home pages (for Ruby and JavaScript).

By December 1, shortly after we launched, over 450,000 identified vulnerabilities had been resolved by repository owners, either by removing the dependency or by changing to a secure version. Since then, our rate of vulnerabilities resolved in the first seven days of detection has been about 30 percent. Additionally, 15 percent of alerts are dismissed within seven days—that means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days.

In other words, for almost all repositories with recent contributions, we see maintainers patching vulnerabilities in fewer than seven days. With the recent launch of our regular vulnerability digest emails, we’re working to make this even easier for maintainers and security teams.

What’s next

Security alerts are opening the door to new ways we can improve code checking and generation by combining publicly available data with GitHub’s unique data set. And this is just the beginning—we’ve got more ways to help you keep code safer on the way!

Learn more about security alerts

Open source project trends for 2018

Last year, GitHub brought 24 million people from almost 200 countries together to code better and build bigger. From frameworks to data visualizations across more than 25 million repositories, you were busy in 2017—and the activity is picking up even more this year. With 2018 well underway, we’re using contributor, visitor, and star activity to identify some trends in open source projects for the year ahead.

Cross-platform development

Some of the projects that experienced the largest growth in activity were focused on cross-platform or web development. For example, Angular/angular-cli had 2.2 times more contributors in 2017 than in 2016. You contributed more, visited more often, and starred projects related to Angular/Angular, Facebook/React, and Electron/Electron. These projects simplify the development process, shortening the time from start to deployment across desktop and mobile platforms.

Deep learning

You’ve also been rallying around deep learning projects. Across multiple industries, artificial intelligence is solving a host of complex and interesting problems. You’ve helped drive that interest by upping your contributions and visits to projects like Keras-team/Keras and Mozilla/DeepSpeech. TensorFlow/TensorFlow had 2.2 times more visits in 2017 than in 2016, and TensorFlow/models had 5.5 times more visits!

New skills

Your commitment to developing coding skills is unparalleled. You starred projects, many created in 2017, related to learning to code, getting coding jobs, and coding best practices. For example, Chalarangelo/30-seconds-of-code and norvig/pytudes provide code examples in JavaScript and Python, respectively, to help you brush up on your fluency in these languages. jwasham/coding-interview-university and yangshun/tech-interview-handbook provide resources for how to pass the interview process for software engineering roles. i0natan/nodebestpractices, alibaba/p3c, and thedaviddias/Front-End-Checklist provide best practices for writing code and organizing projects.

Methods

How did we discover these trends? We looked at three different types of activity. First, we identified the top 100 projects that had at least 2,000 contributors in 2016 and experienced the largest increase in contributors in 2017. We also identified the top 100 projects that received the largest increase in visits to the project’s repo in 2017. Finally, we identified the top 100 projects that received the most new stars in 2017. Combining these lists, we categorized projects into broad communities and looked at the communities that were the most represented at the top of the lists.

We were impressed with the range of creative projects that emerged. You scratched the itch to keep track of your favorite NBA teams from the command line while you code, and you still found time to create an Android app for journalists and activists to securely monitor their homes and offices. Well done!

Learn more

If you’d like to see a lot more data covering what the GitHub community was up to from September 2016 through September 2017, including the most forked projects, the most social projects, and the most reviewed projects, check out the report we released at Universe: The State of the Octoverse.

You can also see who the top contributors to open source in 2017 were in Felipe Hoffa’s analysis on Medium.

And head over to our redesigned Explore experience to find the latest project collections and trending topics on GitHub.

Explore projects

Introducing security alerts on GitHub

Last month, we made it easier for you to keep track of the projects your code depends on with the dependency graph, currently supported in JavaScript and Ruby. Today, for the over 75 percent of GitHub projects that have dependencies, we’re helping you do more than see those important projects. With your dependency graph enabled, we’ll now notify you when we detect a vulnerability in one of your dependencies and suggest known fixes from the GitHub community.

How to start using security alerts

Whether your projects are private or public, security alerts get vital vulnerability information to the right people on your team.

Enable your dependency graph

Public repositories will automatically have your dependency graph and security alerts enabled. For private repositories, you’ll need to opt in to security alerts in your repository settings or by allowing access in the Dependency graph section of your repository’s Insights tab.

Set notification preferences

When your dependency graph is enabled, admins will receive security alerts by default. Admins can also add teams or individuals as recipients for security alerts in the dependency graph settings.

Respond to alerts

When we notify you about a potential vulnerability, we’ll highlight any dependencies that we recommend updating. If a known safe version exists, we’ll select one using machine learning and publicly available data, and include it in our suggestion.

Vulnerability coverage

Vulnerabilities that have CVE IDs (publicly disclosed vulnerabilities from the National Vulnerability Database) will be included in security alerts. However, not all vulnerabilities have CVE IDs—even many publicly disclosed vulnerabilities don’t have them. We’ll continue to get better at identifying vulnerabilities as our security data grows. For more help managing security issues, check out our security partners in the GitHub Marketplace.

This is the next step in using the world’s largest collection of open source data to help you keep code safer and do your best work. The dependency graph and security alerts currently support JavaScript and Ruby—with Python support coming in 2018.

Learn more about security alerts

The data science behind topic suggestions

Earlier this year, we launched topics, a new feature that lets you tag repositories with descriptive words or phrases. Topics help you create connections between similar GitHub projects and explore them by type, technology, and other characteristics they have in common.

All public repositories show topic suggestions, so you can quickly tag repositories with relevant words and phrases. These suggestions are the result of some exciting data science work—in particular, a topic extraction framework based on text mining, natural language processing, and machine learning called repo-topix.

Learn more about repo-topix from the Engineering Blog

Now when you add or reject topics, you’re doing more than keeping projects organized. Every topic will contribute to surfacing connections and inspiring discovery across GitHub. Repository names, descriptions, and READMEs from millions of public projects serve as the very start of an ever-evolving knowledge graph of concepts. Eventually, the graph will map how these concepts relate to each other and to the code, people, and projects on GitHub.

Topics is part of a greater effort to use our public data to make meaningful improvements to how people discover, interact, and build on GitHub. We’ll be sharing more ways that data can improve the way you work at Universe—our flagship product and community conference.

Get tickets to GitHub Universe
