From f6d3342ad5ed32b3632f736acdbcb02f5f702662 Mon Sep 17 00:00:00 2001 From: Claude Date: Sat, 4 Jul 2026 03:08:47 +0000 Subject: [PATCH] chore(security): add Dependabot config and SECURITY.md disclosure policy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Dogfood the project's own supply chain: - .github/dependabot.yml: weekly npm and github-actions updates. Minor/patch npm bumps and all action updates are grouped to cut review noise while majors still arrive individually. This keeps runtime/dev dependencies patched and stops the workflow action tags (checkout@v4, setup-node@v4) from silently going stale. - SECURITY.md: a vulnerability-disclosure policy pointing to GitHub private vulnerability reporting, with supported-version and response-time commitments — a table-stakes artifact that was missing for a published security-focused package. No source or build changes; CI (lint, typecheck, test, build) is unaffected. --- .github/dependabot.yml | 34 +++++++++++++++++++++++++++++++ SECURITY.md | 45 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 79 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 SECURITY.md diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..f4a3784 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,34 @@ +# Dependabot keeps this project's own supply chain patched. +# https://docs.github.com/code-security/dependabot/dependabot-version-updates +version: 2 +updates: + # npm dependencies (devDependencies + any runtime deps) + - package-ecosystem: npm + directory: "/" + schedule: + interval: weekly + open-pull-requests-limit: 10 + labels: + - dependencies + # Collapse routine minor/patch bumps into a single PR to cut review noise; + # majors still arrive as individual PRs so breaking changes stay visible. + groups: + npm-minor-patch: + update-types: + - minor + - patch + + # GitHub Actions used by the CI, auto-tag, and publish workflows. + # These are currently pinned to floating major tags (e.g. actions/checkout@v4); + # Dependabot surfaces new releases so they don't silently drift or go stale. + - package-ecosystem: github-actions + directory: "/" + schedule: + interval: weekly + labels: + - dependencies + - github-actions + groups: + actions-all: + patterns: + - "*" diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..62d6b4b --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,45 @@ +# Security Policy + +`@hailbytes/sbom-diff` is a supply-chain security tool, so we hold its own +supply chain to the same standard. This document explains which versions we +support and how to report a vulnerability. + +## Supported Versions + +Security fixes are released for the latest published `1.x` version. Please +upgrade to the newest release before reporting an issue. + +| Version | Supported | +| ------- | ------------------ | +| 1.x | :white_check_mark: | +| < 1.0 | :x: | + +## Reporting a Vulnerability + +**Please do not report security vulnerabilities through public GitHub issues, +pull requests, or discussions.** + +Instead, use GitHub's private vulnerability reporting: + +1. Go to the repository's **Security** tab. +2. Click **Report a vulnerability** (Private vulnerability reporting). +3. Provide as much detail as you can — see below. + +If you are unable to use private reporting, email **security@hailbytes.com** +with the details. + +### What to include + +- A description of the vulnerability and its impact. +- Steps to reproduce (a minimal SBOM input or command line is ideal). +- The affected version(s) and platform. +- Any known workarounds or suggested fixes. + +### Our commitment + +- We will acknowledge your report within **3 business days**. +- We will provide an assessment and expected timeline within **10 business days**. +- We will keep you informed as we work on a fix and coordinate disclosure. +- With your permission, we will credit you once the fix is released. + +Thank you for helping keep `@hailbytes/sbom-diff` and its users secure.