DevOps Platform Updates
scanned 107d ago7Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.
GitLab Patches 15 Vulnerabilities Including Critical XSS Flaw
GitLab released versions 18.9.2, 18.8.6, and 18.7.6 fixing 15 security issues. The most severe is CVE-2026-1090 (CVSS 8.7), a high-severity XSS in Markdown placeholder processing that allows authenticated JavaScript injection. Three additional high-severity DoS vulnerabilities affect the GraphQL API, repository archive endpoint, and protected branches API.
Azure DevOps Blocks Global PAT Creation Starting March 15
Azure DevOps is retiring Global Personal Access Tokens. As of March 15, 2026, creation and regeneration of global PATs is blocked. All existing global PATs will be fully decommissioned on December 1, 2026. Veeam integrations using Azure DevOps global PATs must migrate to organization-scoped PATs or Entra-based authentication immediately.
GitHub REST API 2026-03-10 Introduces Breaking Changes
GitHub released REST API calendar version 2026-03-10, the first version to include breaking changes. Integrations must update the X-GitHub-Api-Version header and verify compatibility. Any Veeam tools or backup integrations that consume the GitHub REST API should be tested against the new version to ensure continued operation.
GitHub Actions OIDC Tokens Support Repository Custom Properties
GitHub Actions OIDC tokens now include repository custom properties as claims (public preview). Admins can select properties to embed in tokens, prefixed with repo_property_, enabling attribute-based access control (ABAC) in AWS, Azure, and GCP without per-workflow changes. This strengthens keyless authentication governance at scale.
GitHub Secret Scanning Adds 28 New Provider Detectors
GitHub added 28 new secret detectors covering 15 providers including Lark, Vercel, Snowflake, and Supabase. Additionally, 39 detectors now have push protection enabled by default, including Airtable, Databricks, Heroku, PostHog, and Shopify. This expands the scope of secrets that GitHub can automatically block from being committed.
GitHub Pauses Self-Hosted Runner Minimum Version Enforcement
GitHub temporarily paused enforcement of the v2.329.0 minimum self-hosted runner version requirement that was scheduled for March 16, 2026. Runners below v2.329.0 can still register during the pause. An updated timeline will be published in coming weeks, but GitHub still plans to block older versions long-term.
Bitbucket Cloud Workspace Organization Linking Deadline Reached
The March 15, 2026 deadline for linking Bitbucket Cloud workspaces to Atlassian organizations has passed. Starting March 16, Atlassian will auto-create organizations and auto-link eligible paid workspaces that weren't manually linked. This affects billing administration and is a prerequisite for Atlassian's unified identity and AI capabilities.