GitHub Upgrade – 2.21.2

Due to issues with the package from GitHub, the 2.21.0 release was pulled, and we missed 2.21.1 while waiting for the archive and removal process to complete, so we’re jumping straight to 2.21.2. All features and changes from 2.21.0 and 2.21.1 are included in the 2.21.2 patch, and this post will highlight features and changes from all three.

GitHub 2.21 Features


  • The web notifications interface, including new states , filters and shortcuts have been updated.
  • The push protected branch wording has been updated to clarify that admins can always push and that users with the Maintain role can push when status checks pass.
  • Prevent blank commit when suggestion is identical to original text.
  • Pagination is supported as a way to get more files in the diff associated with a commit via the REST API.
  • Automatic base retargeting will happen after manual head reference cleanup for a merged pull request.
  • SVG files are handled as text and as images in the diff viewer.
  • The “auto delete branches on merge” setting can be set when creating and updating repositories using the REST API.
  • A new endpoint has been added to delete a deployment through the REST API.
  • The Pages log shows the user login accessing the GitHub Pages site.
  • Enterprise members can see all of the organizations they belong to as part of their Enterprise account from one view by navigating to https://[ghes-hostname]/enterprises/[account-name].
  • REST API support for triage and maintain roles has been expanded.
  • A user can create and share search queries that resolve to the current user by using the @me search syntax.
  • New issue template configuration options have been added.
  • Improved visibility of pull requests and issue references in the issue sidebar, issue cards and issue list.
  • Users can filter and search by linked:pr or linked:issue.
  • A user can compare tags between two releases to determine what changes have been made on the releases page.
  • Outdated comments are no longer collapsed by default on the Pull Request timeline. They can be collapsed by resolving the thread.

Security Fixes

An improper access control vulnerability was identified in the GitHub Enterprise Server API that allowed an organization member to escalate permissions and gain access to unauthorized repositories within an organization. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.21. We have issued CVE-2020-10516 in response to this issue. The vulnerability was reported via the GitHub Bug Bounty program.

  • Updated nginx to 1.16.1 and addressed CVE-2019-20372.
  • Packages have been updated to the latest security versions.

Notable Bug Fixes

  • If a user with push access minimized another user’s comment, the author of the comment could unminimize it even if they had insufficient privileges.
  • Users could accidentally merge to master from the issue template editor and blob editor.
  • The gist avatar for the current user would link to a non-existent URL.
  • The organization repositories tab count did not include internal repositories.
  • Clicking the “Show All Teams” button when transferring a repository caused a 500 error.
  • Long filenames could cause overflow issues when showing the ‘Changed since last view’ label or the ‘Show rich’ diff toggle on the diff file view.
  • Hovercards for organization teams misreported their member size.
  • The pull request review comment popup window had a scrolling issue.
  • A timeout could be triggered on the releases index page for repositories with thousands of draft pull requests.
  • It was not possible to filter pull requests by both state and draft at the same time.
  • If a pull request changed a submodule pointer, then clicking “Edit file” on that submodule file from the “Files changed” tab of the pull request page caused a 404 error.
  • It was not possible to add users to an organization, or delete the organization, following the bulk removal of all users and admins from that organization.
  • Review comments against files containing diacritics and non-Latin characters in the filename on the “Files changed” page would disappear when the page is reloaded.
  • The state of the “Viewed” checkbox was not retained for files containing diacritics and non-Latin characters in the filename on the “Files changed” page.
  • Pull requests showed the “Approved” badge when not all required reviews were in place.
  • The tag dropdown was empty when searching for a tag in repositories with more than 100 tags.
  • Pull request pages showing annotations with non UTF-8 titles could encounter encoding errors in view rendering.
  • A race condition for refresh on the OAuth page could cause a redirect to be executed twice.
  • The “Personal Access Tokens” page would timeout if there are more than 10 tokens.
  • The repository permission hash from the REST API indicated no access for business members who have pull access to internal repositories.
  • Rapid reuse of webhook source ports resulted in rejected connections.
  • Internal repositories were not correctly included in search results for SAML-enabled orgs.

We will be upgrading to 2.21.2 at 5:00 PM EST on July 20th.