Github username renaming can easily create vulnerabilities, how do we protect ourselves against it?


Github users can change their usernames & often do even though they publish repos used by others.
Github automatically redirects individual repo links until someone takes over the old username and creates a repository with the same name (see
Changing your GitHub username - GitHub Docs)

This is very risky because AFAIK there is no way to detect a username change when we link to a repo (as a bookmark or a dependency in many languages) & it becomes open to takeover.

Is there any way we can mitigate against this?


For software dependencies you can reference a specific commit by its ID. That way a potential attacker would have to craft a SHA-1 collision with plausible enough content to trick you into using something you don’t mean to (SHA-256 is in the works but still considered experimental). Signing commits or tags is helpful too, if you can get the keys to verify them from a reliable source.

1 Like
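As an added example (not part of the original discussion, and not GitHub's or pip's own tooling), here is a small Python audit that applies the commit-pinning advice above to a pip-style requirements file. It flags git dependencies that reference a branch, a tag, or no ref at all: those are resolved through the username redirect and would silently follow a repository recreated under a recycled name, whereas a full commit id is either present in what you fetch or the fetch fails. The `SAMPLE_REQUIREMENTS` text, the owner and repo names and the commit id in it are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# A full 40-hex SHA-1 object id. A branch name, a tag name, or no ref at all
# can point somewhere else tomorrow; an object id cannot.
FULL_SHA = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample requirements file in pip's VCS syntax (hypothetical names).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
git+https://github.com/alice/widgets.git@5d41402abc4b2a76b9719d911017c592b5ee1c8a#egg=widgets
git+https://github.com/bob/helper.git@main#egg=helper
git+https://github.com/carol/util.git#egg=util
git+https://github.com/dave/tool.git@v2.0.1#egg=tool
"""


def parse_git_requirement(spec):
    """Split 'git+https://host/owner/repo.git@ref#egg=name' into
    (host, owner, repo, ref). Returns None for non-git requirements."""
    spec = spec.strip()
    if not spec.startswith("git+"):
        return None
    url = spec[len("git+"):].split("#", 1)[0]   # drop the #egg=... fragment
    parsed = urlparse(url)
    path, _, ref = parsed.path.partition("@")     # '@ref' suffix is optional
    parts = path.strip("/").split("/")
    if len(parts) < 2:
        return None
    owner, repo = parts[0], parts[1]
    if repo.endswith(".git"):
        repo = repo[: -len(".git")]
    return (parsed.netloc, owner, repo, ref or None)


def classify_ref(ref):
    """'pinned' only for a full commit id; everything else can move."""
    if ref is None:
        return "unpinned"
    if FULL_SHA.match(ref):
        return "pinned"
    return "mutable"


def audit_requirements(text):
    """Return (line number, 'owner/repo', classification) for each git dependency."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_git_requirement(line)
        if parsed is None:
            continue
        _host, owner, repo, ref = parsed
        findings.append((lineno, f"{owner}/{repo}", classify_ref(ref)))
    return findings


def risky_dependencies(text):
    """The subset of findings that would follow a username-redirect takeover."""
    return [f for f in audit_requirements(text) if f[2] != "pinned"]


if __name__ == "__main__":
    for lineno, name, status in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {name}: {status}")
```

Run it over a real requirements file by reading the file into `audit_requirements`. Pinning does not stop the redirect itself, and a tag is not a pin because tags can be recreated under a new repository; the point of the commit id is that a repository created under the old username will not contain that object, so the install fails loudly instead of switching to someone else's code. Combine it with the signed tags or commits the answer mentions when you also need to verify who produced the pinned commit.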

Thanks, is there any way to monitor or prove those username changes when they happen?