Merge branch 'main' into 3814-master-main

This commit is contained in:
mc 2021-03-12 14:13:00 +00:00 committed by GitHub
Parents a101b11e4f a863bc4346
Commit 677fd3f1d2
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
10 changed files: 30 additions and 3 deletions


@ -22,6 +22,8 @@ When {% data variables.product.prodname_dependabot %} identifies an outdated dep
If you enable security updates, {% data variables.product.prodname_dependabot %} also raises pull requests to update vulnerable dependencies. For more information, see "[About {% data variables.product.prodname_dependabot_security_updates %}](/github/managing-security-vulnerabilities/about-dependabot-security-updates)."
{% data reusables.dependabot.pull-request-security-vs-version-updates %}
{% data reusables.dependabot.dependabot-tos %}
### Frequency of {% data variables.product.prodname_dependabot %} pull requests


@ -22,6 +22,10 @@ The {% data variables.product.prodname_dependabot_security_updates %} feature is
{% endnote %}
You can enable a related feature, {% data variables.product.prodname_dependabot_version_updates %}, so that {% data variables.product.prodname_dependabot %} raises pull requests to update the manifest to the latest version of the dependency, whenever it detects an outdated dependency. For more information, see "[About {% data variables.product.prodname_dependabot %} version updates](/github/administering-a-repository/about-dependabot-version-updates)."
{% data reusables.dependabot.pull-request-security-vs-version-updates %}
### About pull requests for security updates
Each pull request contains everything you need to quickly and safely review and merge a proposed fix into your project. This includes information about the vulnerability like release notes, changelog entries, and commit details. Details of which vulnerability a pull request resolves are hidden from anyone who does not have access to {% data variables.product.prodname_dependabot_alerts %} for the repository.
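Review bot: the new `{% data reusables.dependabot.pull-request-security-vs-version-updates %}` line restates what the sentence immediately above it already says about version updates (pull requests that update the manifest when a dependency is outdated), so the reader gets the same explanation twice in a row; either trim the paragraph's own description and rely on the reusable, or move the reusable to the top of the section as the summary and let the paragraph add the detail.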


@ -76,6 +76,8 @@ You can enable or disable features for all repositories. {% if currentVersion ==
![Button to enable feature for all the eligible repositories in the organization](/assets/images/enterprise/github-ae/organizations/security-and-analysis-enable-secret-scanning-existing-repos-ghae.png)
{% endif %}
{% data reusables.security.displayed-information %}
### Enabling or disabling a feature automatically when new repositories are added
1. Go to the security and analysis settings for your organization. For more information, see "[Displaying the security and analysis settings](#displaying-the-security-and-analysis-settings)."
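Review bot: `{% data reusables.security.displayed-information %}` is inserted under a step that covers both directions ("You can enable or disable features for all repositories"), but the reusable's text only describes what happens when features are enabled ("When you enable one or more security and analysis features for existing repositories, you will see any results displayed ... within minutes"); either extend the reusable to say what happens on disable, or scope the step it follows to enabling.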


@ -28,6 +28,8 @@ For an overview of repository-level security, see "[About securing your reposito
7. Click **Disable FEATURE** or **Enable FEATURE** to disable or enable the feature for all the repositories you own.
![Button to disable or enable feature](/assets/images/help/settings/security-and-analysis-enable-dependency-graph.png)
{% data reusables.security.displayed-information %}
### Enabling or disabling features for new repositories
{% data reusables.user_settings.access_settings %}
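Review bot: same mismatch as in the organization page: the step directly above reads "Click **Disable FEATURE** or **Enable FEATURE** to disable or enable the feature for all the repositories you own", yet the reusable inserted after it only explains the enable case. A reader who just clicked **Disable FEATURE** is told that results will appear within minutes, which is the opposite of what they did.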


@ -128,6 +128,7 @@ sections:
- Juypter Notebook rendering in the web UI may fail if the notebook includes non UTF-8 encoded characters.
- Dependency graph fails to parse `setup.py` Python manifest files, resulting in HTTP 500 errors in logs. This, combined with the duplicated logging issue, results in increased root volume utilization.
- A race condition can cause dependency graph database migrations to appear to fail.
- Instances with a custom timezone that were upgraded from an earlier release of GitHub Enterprise Server may have incorrect timestamps in the web UI.
deprecations:
- heading: Deprecation of GitHub Enterprise Server 2.19
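Review bot: `Juypter Notebook` in the context line above the added entry is a typo for `Jupyter Notebook`; since this known-issues list is being edited anyway, fix it here and in the other release-notes file in this change that carries the same line.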


@ -40,3 +40,4 @@ sections:
- 'Repository [deploy keys](/developers/overview/managing-deploy-keys) are unable to be used with repositories containing LFS objects.'
- 'Juypter Notebook rendering in the web UI may fail if the notebook includes non UTF-8 encoded characters.'
- 'Dependency graph fails to parse `yarn.lock` Javascript manifest files, resulting in HTTP 500 errors in logs.'
- 'Instances with a custom timezone that were upgraded from an earlier release of GitHub Enterprise Server may have incorrect timestamps in the web UI.'
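Review bot: the added known-issue line is identical to the one added in the other release-notes file, so any later wording fix has to be applied twice; consider a reusable. While here, the adjacent context also carries `Juypter` (should be `Jupyter`) and `Javascript` (the usual spelling is `JavaScript`).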


@ -0,0 +1,4 @@
When {% data variables.product.prodname_dependabot %} raises pull requests, these pull requests could be for _security_ or _version_ updates:
- {% data variables.product.prodname_dependabot_security_updates %} are automated pull requests that help you update dependencies with known vulnerabilities.
- {% data variables.product.prodname_dependabot_version_updates %} are automated pull requests that keep your dependencies updated, even when they dont have any vulnerabilities. To check the status of version updates, navigate to the Insights tab of your repository, then Dependency Graph, and {% data variables.product.prodname_dependabot %}.
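Review bot: `dont` in the second bullet should be `don't`. The navigation hint in the same bullet ("navigate to the Insights tab of your repository, then Dependency Graph, and Dependabot") names UI elements in plain text; the other page in this change bolds UI labels (for example **Disable FEATURE**), so **Insights**, **Dependency graph** and **Dependabot** would match the house style.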


@ -0,0 +1,7 @@
When you enable one or more security and analysis features for existing repositories, you will see any results displayed on {% data variables.product.prodname_dotcom %} within minutes:
- All the existing repositories will have the selected configuration.
- New repositories will follow the selected configuration if you've enabled the checkbox for new repositories.{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.22" %}
- We use the permissions to scan for manifest files to apply the relevant services.
- You'll see information on your dependency graph.
- {% data variables.product.prodname_dotcom %} will generate {% data variables.product.prodname_dependabot_alerts %}{% endif %}{% if currentVersion == "free-pro-team@latest" %} and raise pull requests{% endif %}.
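Review bot: "We use the permissions to scan for manifest files to apply the relevant services." is unclear: which permissions, granted to whom, and what are "the relevant services"? Say concretely what is read from the repository (the manifest files) and which feature each result feeds (dependency graph, then Dependabot alerts and, on free-pro-team, pull requests), since the next two bullets already list those outcomes. The `{% if ... %}` opened at the end of the second bullet and closed mid-sentence in the last bullet is also hard to follow; keep the conditional tags at bullet boundaries so it is obvious which bullets are version-gated.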


@ -4,9 +4,11 @@
"id": 91095730,
"affected_range": ">= 2.0.4, < 2.0.6",
"affected_package_name": "rack",
"fixed_in": "2.0.6",
"external_reference": "https://nvd.nist.gov/vuln/detail/CVE-2018-16470",
"external_identifier": "CVE-2018-16470",
"fixed_in": "2.0.6"
"ghsa_id": "GHSA-hg78-4f6x-99wq",
"created_at": "2021-03-01T01:23:45Z"
},
"repository": {
"id": 186853002,
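Review bot: `"fixed_in": "2.0.6"` at its new position has no trailing comma before `"ghsa_id"`, so this example payload is no longer valid JSON; the other payload in this change has it (`"fixed_in": "0.2.5",`). Add the comma.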


@ -4,9 +4,11 @@
"id": 7649605,
"affected_range": "0.2.0",
"affected_package_name": "many_versioned_gem",
"fixed_in": "0.2.5",
"external_reference": "https://nvd.nist.gov/vuln/detail/CVE-2018-3728",
"external_identifier": "CVE-2018-3728",
"fixed_in": "0.2.5",
"ghsa_id": "GHSA-jp4x-w63m-7wgm",
"created_at": "2017-10-24T00:00:00Z",
"dismisser": {
"login":"octocat",
"id":1,
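Review bot: the surrounding context gives `"affected_range": "0.2.0"`, a bare version, whereas the other example in this change uses a range expression (`">= 2.0.4, < 2.0.6"`); if the field is meant to carry a range, the two examples should use the same form. The added `ghsa_id` and `created_at` lines themselves look fine and keep the comma after `"fixed_in"`.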
@ -28,6 +30,6 @@
"site_admin":true
},
"dismiss_reason": "No bandwidth to fix this",
"dismissed_at": "2017-10-25T00:00:00+00:00"
"dismissed_at": "2017-10-25T00:00:00Z"
}
}
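Review bot: changing `dismissed_at` from `+00:00` to `Z` is a format normalization that matches the `created_at` value added in the previous hunk of this file; confirm that the webhook actually emits the `Z` suffix so the example reflects real output rather than a hand-edited value.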