forgejo/release-notes/11457.md
2026-03-01 17:05:53 +01:00

- Accessing the `/repositories/{id}` API with a public-only access token did not restrict read access to only public repositories, which is now prevented.
- Accessing the `/repos/{owner}/{repo}/issues/{index}/dependencies` and `/repos/{owner}/{repo}/issues/{index}/blocks` APIs with a public-only access token allowed modification operations against private repositories named in the form component of the API (not the URL component), which is now prevented.
- Accessing the `/repos/{owner}/{repo}/issues/{index}/dependencies` and `/repos/{owner}/{repo}/issues/{index}/blocks` APIs with a public-only access token could view dependencies or blocking issues from private repositories, which is now prevented.
- Accessing the `/repos/{owner}/{repo}/issues/{index}/timeline` API with a public-only access token could view comment cross-references from private repositories, which is now prevented.
- Accessing the `/teams/{id}/repos/{org}/{repo}` API with a public-only access token could view private repositories assigned to a team, which is now prevented.
- Accessing the watched repos and starred repos of your own user through the `/user/subscriptions` and `/user/starred` APIs with a public-only access token could view private repositories, which is now prevented.
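
The dependencies/blocks modification fix concerns a repository named in the form component rather than the URL. The following Go model is an added illustration, not Forgejo's code: it assumes a handler that scope-checks the URL repository and shows the difference when the form repository goes through the same gate. `Token`, `DependencyForm`, `checkRepo`, `addDependency` and the sample repositories are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model for illustration; every name here is hypothetical, not Forgejo's.
type Repo struct{ Private bool }
type Token struct{ PublicOnly bool }

// DependencyForm stands in for a request body that names a second repository.
type DependencyForm struct {
	Owner, Repo string
	Index       int64
}

var (
	ErrNotFound   = errors.New("repository not found")
	ErrPublicOnly = errors.New("public-only token cannot reach a private repository")
	// Constructed sample data.
	repos = map[string]Repo{"alice/site": {Private: false}, "alice/secrets": {Private: true}}
)

// checkRepo is the single gate for any repository reference, wherever it came from.
func checkRepo(tok Token, owner, name string) error {
	r, ok := repos[owner+"/"+name]
	if !ok {
		return ErrNotFound
	}
	if tok.PublicOnly && r.Private {
		return ErrPublicOnly
	}
	return nil
}

// addDependency always gates the URL repository. With gateForm=false it models a
// handler that trusts the repository named in the body; with gateForm=true the
// body reference passes through the same scope check as the URL reference.
func addDependency(tok Token, urlOwner, urlRepo string, form DependencyForm, gateForm bool) error {
	if err := checkRepo(tok, urlOwner, urlRepo); err != nil {
		return err
	}
	if gateForm {
		return checkRepo(tok, form.Owner, form.Repo)
	}
	return checkRepo(Token{}, form.Owner, form.Repo) // existence only, token scope ignored
}

func main() {
	tok, form := Token{PublicOnly: true}, DependencyForm{Owner: "alice", Repo: "secrets", Index: 7}
	fmt.Println("form ungated:", addDependency(tok, "alice", "site", form, false))
	fmt.Println("form gated:  ", addDependency(tok, "alice", "site", form, true))
}
```

A regression test for this class of bug sends a public-only token with a public repository in the URL and a private one in the body, and expects a denial.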