Step ID: OPS-8.c
Source refinement task: OPS-8 Replace dependabot with a documented supply-chain audit cadence
Directory: docs/operations.md or new docs/security.md, optionally .github/dependabot.yml
Execution tier: deterministic
Why this matters for prod
d6904ba also deleted .github/dependabot.yml. Bookie ships pdf-lib, jszip, sqlx, keyring, aws-sdk-s3, tauri-plugin-sql, and now zip 8 — any CVE in this set lands in user binaries that GoBD wants retained for ten years. Dependabot is free even when CI is disabled (it just files PRs that a human reviews), but the user removed the file alongside CI, which suggests the intent was to stop noise rather than to stop monitoring. Without either bot-driven advisories or a documented manual cadence, the next sha2 0.10→0.11-style bump won't surface until something breaks.
What to do
Add a one-paragraph subsection at the end of CONTRIBUTING.md (under ## Code Style or a new ## Supply-chain advisories heading) telling contributors where supply-chain advisories surface (Dependabot PRs or the quarterly maintainer run). Add a corresponding CHANGELOG line under the 2026-05-14 entry.
Verification
grep -E '(Dependabot|security\.md)' CONTRIBUTING.md returns >=1 line; CHANGELOG 2026-05-14 entry mentions the supply-chain decision.
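As an added example (not part of this task card or the Bookie repository), the following POSIX shell helper automates the two Verification criteria above. It scopes the CHANGELOG search to the dated entry so a supply-chain mention under an older entry does not pass the check; the `## 2026-05-14` heading format and the fixture files it builds are assumptions constructed for the example.

```shell
#!/bin/sh
# Added verification helper for OPS-8.c (example code, not part of the card or
# the Bookie repo). It checks the two acceptance criteria from the Verification
# section: CONTRIBUTING.md names Dependabot or security.md, and the CHANGELOG
# entry dated 2026-05-14 mentions the supply-chain decision.

# check_ops8c CONTRIBUTING CHANGELOG
# Exit status: 0 = both criteria met, 1 = CONTRIBUTING.md criterion failed,
# 2 = CHANGELOG criterion failed.
check_ops8c() {
  contributing="$1"
  changelog="$2"
  grep -Eq '(Dependabot|security\.md)' "$contributing" || return 1
  # Scope the search to the 2026-05-14 entry only: print from its heading up to
  # (not including) the next '## ' heading, so a mention under an older entry
  # does not satisfy the check. The '## 2026-05-14' heading format is assumed.
  awk '/^## 2026-05-14/ { found = 1; next }
       found && /^## / { exit }
       found { print }' "$changelog" \
    | grep -Eiq 'supply-chain' || return 2
  return 0
}

# Constructed fixtures so the check can be exercised offline:
#   good       - satisfies both criteria
#   nocontrib  - CONTRIBUTING.md never mentions Dependabot or security.md
#   wrongentry - CONTRIBUTING.md is fine, but the supply-chain note sits under
#                an older CHANGELOG entry instead of 2026-05-14
make_fixture() {
  kind="$1"
  dir=$(mktemp -d)
  case "$kind" in
    good)
      printf '## Code Style\n\n## Supply-chain advisories\nAdvisories surface as Dependabot PRs or in the quarterly maintainer run.\n' > "$dir/CONTRIBUTING.md"
      printf '## 2026-05-14\n- Document supply-chain audit cadence (OPS-8.c).\n\n## 2026-04-01\n- Older entry.\n' > "$dir/CHANGELOG.md"
      ;;
    nocontrib)
      printf '## Code Style\nRun rustfmt before committing.\n' > "$dir/CONTRIBUTING.md"
      printf '## 2026-05-14\n- Document supply-chain audit cadence (OPS-8.c).\n' > "$dir/CHANGELOG.md"
      ;;
    wrongentry)
      printf '## Code Style\n\n## Supply-chain advisories\nAdvisories surface as Dependabot PRs or in the quarterly maintainer run.\n' > "$dir/CONTRIBUTING.md"
      printf '## 2026-05-14\n- Unrelated fix.\n\n## 2026-04-01\n- Supply-chain note in the wrong entry.\n' > "$dir/CHANGELOG.md"
      ;;
  esac
  echo "$dir"
}

# Stand-alone demo run against the good fixture.
demo=$(make_fixture good)
if check_ops8c "$demo/CONTRIBUTING.md" "$demo/CHANGELOG.md"; then
  echo "OPS-8.c verification: OK"
else
  echo "OPS-8.c verification: FAILED (status $?)"
fi
rm -rf "$demo"
```

Run it from the repository root as `check_ops8c CONTRIBUTING.md CHANGELOG.md` once the real files are edited; the exit status tells you which of the two criteria is still missing.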
Dependencies
Depends on: #229 (OPS-8.b).
Audit
- Step ID: OPS-8.c
- Source task: OPS-8 (see REFINEMENT.md)
- Generated from: refinement.decomposition.json on 2026-05-14
- Created by: Sandcastle (production-refinement skill)