今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

标签:#git

找到 1079 篇相关文章

AI 资讯

GitHub's AI agent can be tricked into leaking private repos via a public Issue

GitHub recently launched Agentic Workflows — GitHub Actions combined with an AI agent backed by Claude or GitHub Copilot, writing workflows in plain Markdown. Noma Labs' first question after launch was the obvious one: what happens when the agent reads something it shouldn't trust? The answer: it leaks private repository contents as a public comment. No credentials, no exploit code, no inside access required. "The agent's context window is also its attack surface. Any content the agent reads — whether issues, pull requests, comments, or files — can be weaponized if the agent treats that content as instructional input." What actually happened Noma's researchers crafted a GitHub Issue that looked like a plausible VP Sales request — a normal-looking feature ask with hidden instructions embedded in the body. When GitHub's automation assigned the issue, it triggered an Agentic Workflow configured to: Trigger on issues.assigned events Read the issue title and body Post a comment using the add-comment tool Run with read access to other repositories in the organisation — including private ones The hidden instructions told the agent to fetch README.md from repos across the org and post the contents as a comment on the public issue. It did exactly that, including the contents of testlocal — a private repository. The proof-of-concept is live: the workflow run and the issue are public. The guardrail bypass GitHub had defences in place to prevent this. They didn't hold. Noma found that adding the word "Additionally" to the injected instructions caused the model to reframe its output rather than refuse — bypassing the guardrails entirely. A single keyword was enough to undo the intended safety behaviour. This is what makes prompt injection particularly uncomfortable: guardrails tuned against known attack patterns can be bypassed by anyone willing to iterate on the phrasing. The attacker's loop is cheap; the defender's loop is not. The bigger pattern Noma names this explicitly: pr

2026-07-15 原文 →
开源项目

🔥 zhinianboke / xianyu-auto-reply - 闲鱼自动回复管理系统是一个基于 Python + FastAPI 开发的自动化客服系统,专为闲鱼平台设计。系统通过 We

GitHub热门项目 | 闲鱼自动回复管理系统是一个基于 Python + FastAPI 开发的自动化客服系统,专为闲鱼平台设计。系统通过 WebSocket 连接闲鱼服务器,实时接收和处理消息,提供智能化的自动回复服务。同时集成闲鱼自动发货,自动评价,自动擦亮等功能,实现闲鱼虚拟商品自动化流程。 | Stars: 5,759 | 42 stars today | 语言: Python

2026-07-15 原文 →
AI 资讯

My Commit Message Generator Kept Signing Its Own Work. Telling It Not To Wasn't the Fix.

I have a script called git_commit.py in one of my repos. It shells out to claude -p with the staged diff, gets back a Conventional Commit message, and prints it. It's wired into a prepare-commit-msg git hook so every commit gets a pre-filled message for free. Small, dumb, useful. The first version had one instruction in the system prompt: "Output ONLY the commit message — no explanation, no markdown, no quotes." That's it. It worked fine for a while, and then one day a commit landed with a trailing Co-Authored-By: Claude <noreply@anthropic.com> line that I never asked for and definitely didn't want on a personal repo's history. I did the obvious thing first: I made the prompt more specific. SYSTEM = ( " You are a git commit message generator. " " Output ONLY the commit message — one line, no explanation, no markdown, no quotes, " " no co-author lines, no signatures, no AI references. " " Follow Conventional Commits: type(scope): subject. " " Types: feat, fix, docs, style, refactor, test, chore. " " Subject: imperative, lowercase, max 72 chars. " ) This is the same move I see everywhere: the CLAUDE.md file in that same repo has a line that says, in bold, "NEVER add Co-Authored-By: or any Claude/AI reference to commit messages." I've seen the same pattern in a dozen other people's prompt files — a growing list of "never do X" instructions bolted onto a system prompt, each one added reactively after X happened once. It helped. It did not solve it. A model call is a sample from a distribution, not a function with a guaranteed return type. Any single generation can still ignore an instruction — a longer diff, a different day, a subtly different phrasing of the request, and the same "never" line just doesn't fire. I don't actually know the mechanism on any given miss and I don't need to. The point is: a natural-language instruction is advisory. It shifts probability mass, it doesn't clamp it. I ran into an article on dev.to making a point that reframed this for me: the al

2026-07-15 原文 →
AI 资讯

Dependabot learns to wait: version-update PRs now sit for three days by default

Every time your bot merges a two-hour-old release into main, you are trusting a stranger's freshly published tarball to be the same one everyone else is looking at. Sometimes that release is a real bugfix. Sometimes it is a maintainer who fat-fingered a token, or an attacker who did not, and either way your CI cheerfully rebases against it before anyone had a chance to notice. On 2026-07-14, GitHub added a pause. Not a big one. But a real one. The actual change Dependabot version updates now sit on their hands for three days after a package is published. According to the GitHub Changelog, a release has to have been available on its registry for at least that long before Dependabot will open a version-update pull request against your repository. The cooldown is on by default and requires no configuration. It applies across every ecosystem Dependabot supports on github.com, and GitHub Enterprise Server picks it up in GHES 3.23. Security updates are exempt. If a fix for a known vulnerability lands, Dependabot will still open the PR the moment it can, because a three-day delay on the patch defeats the entire point of shipping the patch. That single carve-out is the whole design. Why three days is doing so much work Three days is not enough time to audit a package. Nobody is pretending otherwise. What three days is enough for is someone else to notice. Most malicious releases that end up on a public registry get pulled quickly once security researchers, downstream maintainers, or the registry's own scanners spot the pattern. The typosquats, the hijacked accounts, the crypto miners buried in a postinstall script: they all rely on being pulled into build automation before the pattern is visible. Dependabot's old default was to be that automation. Its new default is to let the pattern show up first. You can read this change as GitHub quietly admitting that "always up to date" was the wrong marketing promise for a supply-chain tool. The knob, and what shifted about it Cooldo

2026-07-15 原文 →