GitHub Upgrade – 3.9.3

We will be applying the 3.9.3 upgrade patch on Monday, August 21 at 5:00 PM EST.

Some changes have been omitted for brevity. See the complete upgrade notes at GitHub Enterprise:

If you have any questions or concerns, please contact the GitHub Service Team at

Security fixes

  • LOW: An attacker could circumvent branch protection by changing a PR base branch to an invalid ref name. This vulnerability was reported via the GitHub Bug Bounty program.

Bug fixes

  • API results were incomplete, and ordering of results was incorrect if asc or desc appeared in lowercase within the API query.
  • The checks in the merge box for a pull request did not always match the the checks for the most recent commit in the pull request.
  • A collaborator with the “Set the social preview” permission inherited from the “Read” role could not upload the social preview image of a repository.
  • The security settings page for a repository would return an error when enterprise-level runners were assigned to the repository.