@@ -86,7 +86,7 @@ When an enterprise lets child organizations configure their own MCP policies, ea
| Eclipse | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| JetBrains | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| {% data variables.product.prodname_vs %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
| {% data variables.product.prodname_vscode_shortname %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
| {% data variables.product.prodname_vscode_shortname %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| {% data variables.product.prodname_vscode_shortname %} Insiders | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| Xcode | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |

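Review bot: the VS Code row's second column flips from not supported to supported, which makes the row identical to the VS Code Insiders row beneath it, but nothing in the hunk tells readers which VS Code release gained this support; if it depends on the installed version, state the version or link the corresponding changelog entry, since administrators applying MCP policies to child organizations need to know whether their users' installations are covered.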
Expand Up @@ -512,9 +512,11 @@ gh gei generate-script --github-source-org SOURCE \

| Argument | Description |
| -------- | ----------- |
| `--target-api-url TARGET-API-URL` | {% data reusables.enterprise-migration-tool.add-target-api-url %} |
| `--no-ssl-verify` | {% data reusables.enterprise-migration-tool.ssl-flag %} |
| `--download-migration-logs` | Download the migration log for each migrated repository. For more information about migration logs, see [AUTOTITLE](/migrations/using-github-enterprise-importer/completing-your-migration-with-github-enterprise-importer/accessing-your-migration-logs-for-github-enterprise-importer#downloading-all-migration-logs-for-an-organization). |
| `--lock-source-repo` | Lock the source repository when migrating. **Warning:** Locking a source repository prevents further changes and may disrupt workflows. It is recommended to only use this option if you are certain it is appropriate. For more information, see [AUTOTITLE](/migrations/overview/about-locked-repositories). |
| `--no-ssl-verify` | {% data reusables.enterprise-migration-tool.ssl-flag %} |
| `--skip-releases` | {% data reusables.enterprise-migration-tool.skip-releases %} |
| `--target-api-url TARGET-API-URL` | {% data reusables.enterprise-migration-tool.add-target-api-url %} |
| `--use-github-storage`| Perform a repository migration using {% data variables.product.prodname_ghos %} as the intermediate blob storage solution. |

### Reviewing the migration script
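Review bot: the caution in the new `--lock-source-repo` row, "It is recommended to only use this option if you are certain it is appropriate", gives the reader no criterion; either say what "further changes" are blocked and whether the lock is lifted once the migration completes, or drop the sentence and let the linked about-locked-repositories page carry that detail. Two smaller points in the same hunk: the rows are now alphabetical, which is good, but `--use-github-storage`| still lacks the space before the pipe that every other row has; and the two rows that only moved (`--no-ssl-verify`, `--target-api-url`) would be easier to review as pure reordering if the new rows had been inserted in a separate commit.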
@@ -588,9 +590,10 @@ gh gei migrate-repo --github-source-org SOURCE --source-repo CURRENT-NAME --gith

| Argument | Description |
| -------- | ----------- |
| `--target-api-url TARGET-API-URL` | {% data reusables.enterprise-migration-tool.add-target-api-url %} |
| `--lock-source-repo` | Lock the source repository when migrating. For more information, see [AUTOTITLE](/migrations/overview/about-locked-repositories). |
| `--no-ssl-verify` | {% data reusables.enterprise-migration-tool.ssl-flag %} |
| `--skip-releases` | {% data reusables.enterprise-migration-tool.skip-releases %} |
| `--target-api-url TARGET-API-URL` | {% data reusables.enterprise-migration-tool.add-target-api-url %} |
| `--target-repo-visibility TARGET-VISIBILITY` | {% data reusables.enterprise-migration-tool.set-repository-visibility %} |
| `--use-github-storage`| Perform a repository migration using {% data variables.product.prodname_ghos %} as the intermediate blob storage solution. |

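Review bot: the `--lock-source-repo` row added here omits the **Warning:** sentence that the same flag carries in the `generate-script` table above, yet `migrate-repo` is the command that actually applies the lock, so the caution belongs here at least as much; reuse the same wording so the two tables stay consistent. The `--use-github-storage`| cell in this table has the same missing space before the pipe.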
2 changes: 1 addition & 1 deletion data/release-notes/enterprise-server/3-14/17.yml
@@ -11,7 +11,7 @@ sections:
- |
After enabling GitHub Actions or performing an upgrade with GitHub Actions enabled, administrators experienced a delay of approximately 10 minutes longer than they should have due to a faulty connection check. This is fixed for future enablement and upgrades.
- |
After upgrading to GHES 3.14.16, GHES 3.15.11, GHES 3.16.7, or GHES 3.17.4, administrators found that draft pull requests for private repositories were no longer available.
After upgrading to GHES 3.14.16, GHES 3.15.11, GHES 3.16.7, or GHES 3.17.4, administrators found that draft pull requests and autolink references for private repositories were no longer available. [Updated: 2025-11-11]
changes:
- |
When administrators run the `ghe-support-bundle` command on an unconfigured node, the output clearly states that metadata collection was skipped, instead of producing misleading `curl` errors. This improves the clarity of support bundle diagnostics.
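Review bot: the rewritten entry now attributes the loss of autolink references, as well as draft pull requests, to upgrading to GHES 3.14.16, 3.15.11, 3.16.7 or 3.17.4, but this diff does not touch the notes for those four releases; if they list the draft-pull-request regression as a known issue, they should be updated to name autolink references too, otherwise an administrator reading the 3.14.16 notes learns about the second symptom only from the 3.14.17 fix. The `[Updated: 2025-11-11]` marker is applied consistently in the 3.14.17, 3.15.12, 3.16.8 and 3.17.5 hunks.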
4 changes: 1 addition & 3 deletions data/release-notes/enterprise-server/3-14/19.yml
@@ -1,10 +1,8 @@
date: '2025-10-29'
date: '2025-11-10'
sections:
security_fixes:
- |
**CRITICAL:** Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell). Administrators should apply this update promptly to mitigate potential security risks.
- |
**HIGH:** A privilege escalation vulnerability in GitHub Enterprise Server allowed an authenticated enterprise admin to gain root SSH access. The exploit used a symlink escape in pre-receive hook environments. An attacker could craft a malicious repository and environment to replace system binaries during hook cleanup. This allowed them to execute a payload that added their SSH key to the root user's authorized keys, granting root SSH access. The attacker needed enterprise admin privileges to exploit this vulnerability. This has been assigned CVE-2025-11578 and was reported through the GitHub Bug Bounty program.
- |
**HIGH:** An attacker could execute arbitrary code in the context of other users' browsers by supplying a malicious `label:` value that was injected into the DOM without proper sanitization. This could be triggered when a user visits a crafted Issues search URL, enabling session hijacking, account takeover, and recovery code exfiltration. GitHub has requested CVE ID [CVE-2025-11892](https://www.cve.org/cverecord?id=CVE-2025-11892) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
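Review bot: the `**CRITICAL:**` Redis 6.2.20 / CVE-2025-49844 entry is deleted from the security fixes and the release date moves from 2025-10-29 to 2025-11-10, but nothing visible explains where the Redis fix went; administrators tracking CVE-2025-49844 (RediShell) against their GHES version rely on these notes, so the PR description, or a line in the notes themselves, should say whether the upgrade did not ship in 3.14.19 or is recorded under another release. The same deletion appears in the 3.15.14, 3.16.10, 3.17.7 and 3.18.1 hunks below, and the same question applies to each.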
2 changes: 1 addition & 1 deletion data/release-notes/enterprise-server/3-15/12.yml
@@ -27,7 +27,7 @@ sections:
- |
Site administrators observed that uploading a license failed to restart GitHub services after upgrading GitHub Enterprise Server due to file permission issues in `/var/log/license-upgrade`.
- |
After upgrading to GHES 3.15.11, GHES 3.16.7, or GHES 3.17.4, administrators found that draft pull requests for private repositories were no longer available.
After upgrading to GHES 3.15.11, GHES 3.16.7, or GHES 3.17.4, administrators found that draft pull requests and autolink references for private repositories were no longer available. [Updated: 2025-11-11]
changes:
- |
When administrators run the `ghe-support-bundle` command on an unconfigured node, the output clearly states that metadata collection was skipped, instead of producing misleading `curl` errors. This improves the clarity of support bundle diagnostics.
4 changes: 1 addition & 3 deletions data/release-notes/enterprise-server/3-15/14.yml
@@ -1,10 +1,8 @@
date: '2025-10-29'
date: '2025-11-10'
sections:
security_fixes:
- |
**CRITICAL:** Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell). Administrators should apply this update promptly to mitigate potential security risks.
- |
**HIGH:** A privilege escalation vulnerability in GitHub Enterprise Server allowed an authenticated enterprise admin to gain root SSH access. The exploit used a symlink escape in pre-receive hook environments. An attacker could craft a malicious repository and environment to replace system binaries during hook cleanup. This allowed them to execute a payload that added their SSH key to the root user's authorized keys, granting root SSH access. The attacker needed enterprise admin privileges to exploit this vulnerability. This has been assigned CVE-2025-11578 and was reported through the GitHub Bug Bounty program.
- |
**HIGH:** An attacker could execute arbitrary code in the context of other users' browsers by supplying a malicious `label:` value that was injected into the DOM without proper sanitization. This could be triggered when a user visits a crafted Issues search URL, enabling session hijacking, account takeover, and recovery code exfiltration. GitHub has requested CVE ID [CVE-2025-11892](https://www.cve.org/cverecord?id=CVE-2025-11892) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
4 changes: 1 addition & 3 deletions data/release-notes/enterprise-server/3-16/10.yml
@@ -1,10 +1,8 @@
date: '2025-10-29'
date: '2025-11-10'
sections:
security_fixes:
- |
**CRITICAL:** Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell). Administrators should apply this update promptly to mitigate potential security risks.
- |
**HIGH:** A privilege escalation vulnerability in GitHub Enterprise Server allowed an authenticated enterprise admin to gain root SSH access. The exploit used a symlink escape in pre-receive hook environments. An attacker could craft a malicious repository and environment to replace system binaries during hook cleanup. This allowed them to execute a payload that added their SSH key to the root user's authorized keys, granting root SSH access. The attacker needed enterprise admin privileges to exploit this vulnerability. This has been assigned CVE-2025-11578 and was reported through the GitHub Bug Bounty program.
- |
**HIGH:** An attacker could execute arbitrary code in the context of other users' browsers by supplying a malicious `label:` value that was injected into the DOM without proper sanitization. This could be triggered when a user visits a crafted Issues search URL, enabling session hijacking, account takeover, and recovery code exfiltration. GitHub has requested CVE ID [CVE-2025-11892](https://www.cve.org/cverecord?id=CVE-2025-11892) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
2 changes: 1 addition & 1 deletion data/release-notes/enterprise-server/3-16/8.yml
@@ -27,7 +27,7 @@ sections:
- |
Administrators debugging Elasticsearch index repairs previously did not see a "starting" log entry before a repair began, making it harder to track repair initiation in logs.
- |
After upgrading to GHES 3.16.7, or GHES 3.17.4, administrators found that draft pull requests for private repositories were no longer available.
After upgrading to GHES 3.16.7, or GHES 3.17.4, administrators found that draft pull requests and autolink references for private repositories were no longer available. [Updated: 2025-11-11]
- |
Site administrators experienced crashes in MySQL when running data backfills, such as during database maintenance or upgrades.
changes:
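Review bot: the rewritten line carries over the stray comma from the old one in "GHES 3.16.7, or GHES 3.17.4"; with only two versions listed it should read "GHES 3.16.7 or GHES 3.17.4", since the serial comma used in the four-item list of the 3.14.17 entry does not apply to a pair.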
2 changes: 1 addition & 1 deletion data/release-notes/enterprise-server/3-17/5.yml
@@ -35,7 +35,7 @@ sections:
- |
Audit log entries for some Dependabot-related events were missing for administrators and security teams due to an outdated allowlist configuration.
- |
After upgrading to GHES 3.17.4, administrators found that draft pull requests for private repositories were no longer available.
After upgrading to GHES 3.17.4, administrators found that draft pull requests and autolink references for private repositories were no longer available. [Updated: 2025-11-11]
- |
Site administrators experienced crashes in MySQL when running data backfills, such as during database maintenance or upgrades.
changes:
4 changes: 1 addition & 3 deletions data/release-notes/enterprise-server/3-17/7.yml
@@ -1,10 +1,8 @@
date: '2025-10-29'
date: '2025-11-10'
sections:
security_fixes:
- |
**CRITICAL:** Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell). Administrators should apply this update promptly to mitigate potential security risks.
- |
**HIGH:** A privilege escalation vulnerability in GitHub Enterprise Server allowed an authenticated enterprise admin to gain root SSH access. The exploit used a symlink escape in pre-receive hook environments. An attacker could craft a malicious repository and environment to replace system binaries during hook cleanup. This allowed them to execute a payload that added their SSH key to the root user's authorized keys, granting root SSH access. The attacker needed enterprise admin privileges to exploit this vulnerability. This has been assigned CVE-2025-11578 and was reported through the GitHub Bug Bounty program.
- |
**HIGH:** An attacker could execute arbitrary code in the context of other users' browsers by supplying a malicious `label:` value that was injected into the DOM without proper sanitization. This could be triggered when a user visits a crafted Issues search URL, enabling session hijacking, account takeover, and recovery code exfiltration. GitHub has requested CVE ID [CVE-2025-11892](https://www.cve.org/cverecord?id=CVE-2025-11892) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
4 changes: 1 addition & 3 deletions data/release-notes/enterprise-server/3-18/1.yml
@@ -1,10 +1,8 @@
date: '2025-10-29'
date: '2025-11-10'
sections:
security_fixes:
- |
**CRITICAL:** Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell). Administrators should apply this update promptly to mitigate potential security risks.
- |
**HIGH:** A privilege escalation vulnerability in GitHub Enterprise Server allowed an authenticated enterprise admin to gain root SSH access. The exploit used a symlink escape in pre-receive hook environments. An attacker could craft a malicious repository and environment to replace system binaries during hook cleanup. This allowed them to execute a payload that added their SSH key to the root user's authorized keys, granting root SSH access. The attacker needed enterprise admin privileges to exploit this vulnerability. This has been assigned CVE-2025-11578 and was reported through the GitHub Bug Bounty program.
- |
**HIGH:** An attacker could execute arbitrary code in the context of other users' browsers by supplying a malicious `label:` value that was injected into the DOM without proper sanitization. This could be triggered when a user visits a crafted Issues search URL, enabling session hijacking, account takeover, and recovery code exfiltration. GitHub has requested CVE ID [CVE-2025-11892](https://www.cve.org/cverecord?id=CVE-2025-11892) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
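Review bot: a consistency point on the context lines that remain after this deletion: the CVE-2025-11578 entry gives the CVE identifier as plain text and names the Bug Bounty program without a link, while the CVE-2025-11892 entry beneath it links both the CVE record and the program page; since this same pair of entries now heads the security fixes in all five affected release files, format both the same way, preferably with the links.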