- Does this need my GitHub password?
- No. It uses GitHub's OAuth sign-in. GitHub does not offer a narrower scope for starring, so it requests the "public_repo" scope (access to public repositories) solely to star repos.
- Is anything about my account stored?
- The access token sits in your session for the length of your visit and is never written to a database. Disconnect clears it and revokes the authorization on GitHub's side.
- What if a dependency can't be resolved?
- Some packages point at a non-GitHub host, a monorepo without a matching repository field, or nothing at all. Those are listed but can't be selected.
- Can I star a private repo this way?
- Only public repos. The requested scope deliberately doesn't extend to private repositories.