GitHub

Staged publishing for npm shipped as GA, requiring human approval before any package version reaches consumers.¹

npm supply-chain controls tightened. Alongside staged publishing, npm 11.15.0 adds --allow-file, --allow-remote, and --allow-directory flags so teams can restrict installs to registry-only sources.² The existing --allow-git flag will default to none in npm v12.

Copilot cloud agent gained more entry points. One-click fixes for failing Actions jobs landed for Business and Enterprise subscribers — Copilot investigates the failure, pushes a fix, and tags you for review.³ The "Fix with Copilot" button on code review comments now opens a dialog letting you choose direct-to-PR or a new branch, pick the model, and add instructions.⁴ Remote control for Copilot CLI sessions is now generally available on mobile, web, and VS Code, with support for non-GitHub repositories added at GA.⁵

Model routing and availability shifted. Auto model selection in VS Code now weighs real-time health and task complexity — reasoning, code generation, tool orchestration — and gives a 10% discount on the selected model's multiplier.⁶ Gemini 3.5 Flash joined Copilot at a 14x premium multiplier across all plan tiers.⁷ Separately, all Gemini models were removed from Copilot Chat on the web to improve response consistency.⁸

Issue fields reached all organizations. Typed org-level metadata — single select, text, number, and date — now rolls out to every organization in public preview.⁹ Fields are searchable, usable as project columns, and automatable via REST and GraphQL.

Security tooling expanded. Dependabot and code scanning OIDC authentication now covers Cloudsmith and Google Artifact Registry alongside the existing AWS, Azure, and JFrog options.¹⁰ Dependabot will drop Python 3.9 support on June 23, 2026.¹¹

GitHub CLI added gh skill. The new command covers discovery, install, preview, update, and publish of agent skills from GitHub repositories, with GHEC data-residency support shipping in 2.92.0.¹²