Merge pull request #123 from githubtraining/cynthia-edits

Edits based on Cynthia's feedback

Author: brianamarie

README.md

@@ -5,6 +5,6 @@ Collaboration is key to building great software. As you welcome more contributio
 In this course, you’ll learn how to:
 - Enable security features for repositories hosted in GitHub
 - Detect vulnerable dependencies in repositories when notified by GitHub's security alerts
-- Utilize best practices for to keep sensitive data out of repositories
+- Utilize best practices to keep sensitive data out of repositories
 
 This course has a dedicated message board on the [GitHub Community Forum]({{ communityBoard }}). Create a post to start a conversation, discuss this course with GitHub Trainers and participants, or troubleshoot any issues you encounter.

responses/01a_class-introduction-issue.md

@@ -16,6 +16,10 @@ In this course you will learn how to:
 
 For this course, you'll need to be comfortable with the GitHub Flow. If you need a refresher on the GitHub flow, check out the [the Introduction to GitHub course]({{ host}}/courses/introduction-to-github).
 
+## Step 1: Your project on GitHub Pages
+
+This project is centered around a memory game that will be deployed with GitHub Pages.
+
 {% if private %}
 
 ### :keyboard: Activity: Enable vulnerability alerts & GitHub Pages

responses/02_find-vulnerabilities.md

@@ -6,23 +6,25 @@ This repository has some existing dependencies which will need updating to stay
 
 ### How can we identify dependencies and if they are vulnerable?
 
-This repository is a Node.js project utilizing NPM. Because of that, the `package.json` defines this repository's dependencies.  For our time together, we'll be focusing on these JavaScript dependencies. Keep in mind that different programming languages may have different dependency files. You might work with a `Gemfile`, `Gemfile.lock`, `*.gemspec`, `requirements.txt`, or `pipfile.lock` file.
+This repository is a Node.js project utilizing NPM. Because of that, the `package.json` defines this repository's dependencies.  For our time together, we'll be focusing on these JavaScript dependencies. Keep in mind that different programming languages may have different dependency files. You might work with a `Gemfile`, `Gemfile.lock`, `*.gemspec`, `requirements.txt`, `pipfile.lock`, or other files.
 
 How can we know these dependencies are secure? It's not always easy, but GitHub is watching out.
 
 ### GitHub's security alerts for vulnerable dependencies
-GitHub tracks public vulnerabilities in Ruby gems, NPM and Python packages.
+GitHub tracks public vulnerabilities in Ruby gems, NPM, Python, Java, and .Net packages.
 
-GitHub receives a notifications of a newly-announced vulnerability. Then, we check for repositories that use the affected version of that dependency. Then, we send security alerts to a set of people within those affected repositories. The owners are the ones contacted by default. But, it's possible to configure specific teams or individuals to get these important notifications.
+GitHub receives a notification of a newly-announced vulnerability. Next, we check for repositories that use the affected version of that dependency. We send security alerts to a set of people within those affected repositories. The owners are contacted by default. But, it's possible to configure specific teams or individuals to get these important notifications.
 
 **GitHub never publicly discloses identified vulnerabilities for any repository.**
 
-### :keyboard: Activity: Identify the suggested version update
+## Step 2: Find this repository's vulnerable dependencies
+
+Use GitHub's security alerts to identify a vulnerable NPM dependency.
 
-Use GitHub's security alerts to identify a vulnerable NPM dependency. Here's how:
+### :keyboard: Activity: Identify the suggested version update
 
 1. Click the **Insights** tab in your repository
-1. On the left hand navigation bar, click **Dependencies**
+1. On the left hand navigation bar, click **Dependency graph**
 1. Scroll down until you see a yellow bar highlighting the dependency named `debug`, and click on the right hand side of the yellow `debug` section
 1. Take note of the suggested version
 1. Comment in this issue with the suggested update version

responses/03_good-pr.md

@@ -1,3 +1,5 @@
+## Step 3: Merge this pull request
+
 Great job, @{{ user.username }}, your pull request looks good. Thank you for fixing the vulnerable dependency!
 
 _Note: You might notice that this repository has a `package.json` file, but no `package-lock.json` file. We are doing all parts of this activity on GitHub.com. If you work with other repositories, you might notice some differences. Regardless of what dependency files you use, the main concepts of this course still apply._

responses/03_update-dependency.md

@@ -1,10 +1,12 @@
 ## Update the dependency
 
-Now that you know the recommended version, it's time to edit the `package.json` file. You'll upgrade the package to a non-vulnerable version.
+Next, we'll go through the GitHub Flow to make some changes. If you aren't sure how to do this, try the [Introduction to GitHub course](https://lab.github.com/githubtraining/introduction-to-github) and then come back to give it another try.
 
 > _Note: Before doing this with real world code, make sure that the upgraded package works with your code. Good unit tests and CI (continuous integration) will help you update with confidence._
 
-We'll go through the GitHub Flow to make these changes. If you aren't sure how to do this, try the [Introduction to GitHub course](https://lab.github.com/githubtraining/introduction-to-github) and then come back to give it another try.
+## Step 4: Updating dependency versions
+
+Now that you know the recommended version, it's time to edit the `package.json` file. You'll upgrade the package to a non-vulnerable version.
 
 ### :keyboard: Activity: Update the `package.json` file
 

responses/04b_add-gitignore.md

@@ -2,13 +2,15 @@
 
 From time to time, there are files you don't want Git to check in to GitHub. You may want to ignore files that contain sensitive credentials or information which should not be pushed to your repository. There are a few ways to tell Git which files to ignore.
 
-In this pull request, I'm adding a `.gitignore` file.
-
 ### Ignoring files
 
 Git uses a file called `.gitignore` to decide which files and directories to ignore when committing.  Keep files containing sensitive data, like configuration or `env` files, out of your repositories. This is one way to promote security best practices.
 
-Additionally, the `.gitignore` file can, and should, be committed into your repository.  By sharing this file and making it part of your code, it will also help others. Other users that contribute to the repository will also avoid committing sensitive data. There are many examples of `.gitignore` files available for you to use in your own repositories. You can find them in the [gitignore](https://github.com/github/gitignore) repository.
+The `.gitignore` file can, and should, be committed into your repository.  By sharing this file and making it part of your code, it will also help others. Other users that contribute to the repository will also avoid committing sensitive data. There are many examples of `.gitignore` files available for you to use in your own repositories. You can find them in the [gitignore](https://github.com/github/gitignore) repository.
+
+## Step 5: Ignore files
+
+In this pull request, I'm adding a `.gitignore` file. Files ending with `.env` commonly include sensitive data. This helps you keep files with sensitive data secure and private. Let's add those files to the `.gitignore`.
 
 ### :keyboard: Activity: Updating the .gitignore file
 
@@ -17,7 +19,7 @@ Additionally, the `.gitignore` file can, and should, be committed into your repo
 1. Edit the file by adding `.env` to line 1
 1. Scroll down, and commit your change
 
- > _Note: Even after adding a file to the `.gitignore`, the previous commits that have edited that file still exist. After committing sensitive data, first change any tokens or passwords. Then, contact GitHub Support for help correcting your history._
+ > _Note: Even after adding a file to the `.gitignore`, the previous commits that have edited that file still exist. If you accidentally committed sensitive data, first change any tokens or passwords. Then, contact GitHub Support for help correcting your history._
 
 For a printable version of the steps in this course, check out the [Quick Reference Guide]({{ host }}/public/{{ course.slug }}.pdf).
 

responses/05_good-ignore.md

@@ -1,3 +1,5 @@
+## Step 6: Merge this pull request
+
 This looks great @{{ user.username }}, thanks for adding a `.env` file to the `.gitignore`. Feel free to add any other file or potential sensitive data to the `.gitignore` file.
 
 ### :keyboard: Activity: Merge

responses/06b_final-issue.md

@@ -2,23 +2,15 @@
 
 ![celebrate](https://octodex.github.com/images/benevocats.jpg)
 
-Congratulations @{{ user.username }}, you've completed this course! But, a good thing to do now is limit this app's permissions.
+Congratulations @{{ user.username }}, you've completed this course!
 
-When considering the security of your repository, consider the installed applications, like me. But from a security perspective, each of these apps has access to some of your data. Every so often, check the apps and integrations that have access to your repositories. Look for things like active use, or  permissions giving more access than necessary.
+When considering the security of your repository, consider the installed applications, like me. Every app installed on your repository has access to some of your data. Even if it is harmless (like me), it is a good idea to periodically check and prune the list of installed apps and integrations on your repositories. Look for things like active use, or  permissions giving more access than necessary.
 
-As much as it pains me to leave you, I want you to uninstall me on some of your repositories. I won't be able to congratulate you on achieving this task, but know I'm excited about your progress.
+### Manage app permissions
 
+As much as it pains me to leave you, I want you to uninstall me from this repository. I won't be able to congratulate you on achieving this task, but know I'm excited about your progress.
 
-### :keyboard: Activity: Restrict this app
-1. Click on the **Settings** tab in your repository
-1. On the left hand side, click **Integrations & services**
-1. Find **Learning Lab**, and click **Configure**
-1. Enter your password if prompted
-1. Choose the repository access that you'd like to keep
-    - _Note: If you'd like to take more Learning Lab courses in the future, **do not** uninstall Learning Lab. If you uninstall Learning Lab, you'll need to reinstall the app when you try another course. You may also lose some progress._
-1. To make taking Learning Lab courses easier in the future, click **Only select repositories**
-1. Select a repository that you have completed with Learning Lab, like this one
-1. Click **Save**
+Follow the guidelines in [GitHub's documentation](https://help.github.com/articles/reviewing-your-authorized-integrations/#reviewing-your-authorized-github-apps) to review authorized OAuth and GitHub Apps. If you'd like to practice, you can uninstall Learning Lab from this repository.
 
 ### What went well