GitHub Upgrade – 2.22.0/2.22.1

The 2.22.0 update is a feature update, bringing new functionality and changes. The 2.22.1 update is a bugfix patch addressing several issues from the 2.22.0 release. Note that while Actions, Packages, and Code Scanning are available as Beta Features, we have not opted into the beta for the NC State GitHub Service, and these features will not be available this patch.


  • Pull Request Retargeting – When a pull request’s head branch is merged and deleted, all other open pull requests in the same repository that target this branch are now retargeted to the merged pull request’s base branch. Previously these pull requests were closed.
  • Improved Large Scale Performance – We have revised the approach we take to scheduling network maintenance for repositories, ensuring large monorepos are able to avoid failure states.
  • Suspend and Unsuspend an App Installation – Administrators and users can suspend any GitHub App’s access for as long as needed, and unsuspend the app on command through Settings and the API. Suspended apps cannot access the GitHub API or webhook events. You can use this instead of uninstalling an application, which deauthorises every user.

Security Fixes

  • MEDIUM: ImageMagick has been updated to address DSA-4715-1.
  • Requests from a GitHub App integration to refresh an OAuth access token would be accepted if sent with a different, valid OAuth client ID and client secret than was used to create the refresh token.
  • A user whose LDAP directory username standardizes to an existing GHES account login could authenticate into the existing account.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • A logged in user trying to accept an email invitation could get a 404 Not Found error.
  • If a user navigated to a repository whose name started with “repositories.”, they were redirected to the owner’s “Repositories” tab instead of landing on the repository overview page.
  • Labels in the dashboard timeline did not have enough contrast.
  • Links to GitHub Security Advisories would use a URL with the hostname of the GitHub Enterprise Server instance instead of, directing the user to a nonexistent URL.
  • OAuth refresh tokens would be removed prematurely.
  • The repository Settings page of a repository for a user or organization GitHub Pages sites would fail with a “500 Internal Server Error”.


We will be applying the patch at 5:00 PM EST on Oct 19th.