chore(security): add Dependabot config and SECURITY.md disclosure policy#34
Open
dmchaledev wants to merge 1 commit into
Open
chore(security): add Dependabot config and SECURITY.md disclosure policy#34dmchaledev wants to merge 1 commit into
dmchaledev wants to merge 1 commit into
Conversation
Dogfood the project's own supply chain: - .github/dependabot.yml: weekly npm and github-actions updates. Minor/patch npm bumps and all action updates are grouped to cut review noise while majors still arrive individually. This keeps runtime/dev dependencies patched and stops the workflow action tags (checkout@v4, setup-node@v4) from silently going stale. - SECURITY.md: a vulnerability-disclosure policy pointing to GitHub private vulnerability reporting, with supported-version and response-time commitments — a table-stakes artifact that was missing for a published security-focused package. No source or build changes; CI (lint, typecheck, test, build) is unaffected.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
@hailbytes/sbom-diffis a supply-chain security tool, but its own repository ships none of the baseline supply-chain hygiene it exists to help others enforce. There is no automated dependency updating, no way to keep the CI action tags from going stale, and no vulnerability-disclosure policy. This PR closes that gap with two small, self-contained, non-code files.This is distinct from everything currently in flight — the open PRs/issues all touch
src/logic (purl keying #20/#31, downgrades #24, CVSS #18, licenses #9/#33, hashes #22, XML #27, validation #21,--fail-on#5) or the release pipeline (#26). None add repository security automation or a disclosure policy.What's added
1.
.github/dependabot.ymlactions/checkout@v4,actions/setup-node@v4); Dependabot surfaces new releases so they don't silently drift.2.
SECURITY.mdA vulnerability-disclosure policy: supported versions, GitHub private vulnerability reporting as the primary channel (with an email fallback), what to include in a report, and response-time commitments. This is a table-stakes artifact that GitHub surfaces in the repo's Security tab and was previously absent.
Why this is high-leverage
supply-chain-security/vulnerability-managementthat doesn't patch its own dependencies or offer a disclosure channel undercuts its credibility. This makes the repo practice what the tool preaches.Verification
dependabot.ymlvalidated as well-formed YAML with bothnpmandgithub-actionsupdate entries.🤖 Generated with Claude Code
https://claude.ai/code/session_01WAqf7xUqozPmTjN1gEE577
Generated by Claude Code