Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
# Dependabot keeps this project's own supply chain patched.
# https://docs.github.com/code-security/dependabot/dependabot-version-updates
version: 2
updates:
# npm dependencies (devDependencies + any runtime deps)
- package-ecosystem: npm
directory: "/"
schedule:
interval: weekly
open-pull-requests-limit: 10
labels:
- dependencies
# Collapse routine minor/patch bumps into a single PR to cut review noise;
# majors still arrive as individual PRs so breaking changes stay visible.
groups:
npm-minor-patch:
update-types:
- minor
- patch

# GitHub Actions used by the CI, auto-tag, and publish workflows.
# These are currently pinned to floating major tags (e.g. actions/checkout@v4);
# Dependabot surfaces new releases so they don't silently drift or go stale.
- package-ecosystem: github-actions
directory: "/"
schedule:
interval: weekly
labels:
- dependencies
- github-actions
groups:
actions-all:
patterns:
- "*"
45 changes: 45 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
# Security Policy

`@hailbytes/sbom-diff` is a supply-chain security tool, so we hold its own
supply chain to the same standard. This document explains which versions we
support and how to report a vulnerability.

## Supported Versions

Security fixes are released for the latest published `1.x` version. Please
upgrade to the newest release before reporting an issue.

| Version | Supported |
| ------- | ------------------ |
| 1.x | :white_check_mark: |
| < 1.0 | :x: |

## Reporting a Vulnerability

**Please do not report security vulnerabilities through public GitHub issues,
pull requests, or discussions.**

Instead, use GitHub's private vulnerability reporting:

1. Go to the repository's **Security** tab.
2. Click **Report a vulnerability** (Private vulnerability reporting).
3. Provide as much detail as you can — see below.

If you are unable to use private reporting, email **security@hailbytes.com**
with the details.

### What to include

- A description of the vulnerability and its impact.
- Steps to reproduce (a minimal SBOM input or command line is ideal).
- The affected version(s) and platform.
- Any known workarounds or suggested fixes.

### Our commitment

- We will acknowledge your report within **3 business days**.
- We will provide an assessment and expected timeline within **10 business days**.
- We will keep you informed as we work on a fix and coordinate disclosure.
- With your permission, we will credit you once the fix is released.

Thank you for helping keep `@hailbytes/sbom-diff` and its users secure.
Loading