From 878e33350b6e37b8882cb51bc176a1c4edd6bbbb Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Wed, 30 Apr 2025 17:57:40 -0700 Subject: [PATCH 1/3] ci: add dependabot and security files Signed-off-by: Andrew Brandt --- .github/SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++ .github/dependabot.yml | 11 +++++++++++ 2 files changed, 47 insertions(+) create mode 100644 .github/SECURITY.md create mode 100644 .github/dependabot.yml diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000..683b446 --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,36 @@ +# Security Policy + +## Reporting a Vulnerability + +We take the security of configure-custom-properties seriously. If you believe you have found a security vulnerability, please report it to us as described below. + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, please report them via email to: + +``` +maintainers@pandaswhocode.com +``` + +You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message. + +Please include the following information in your report: + +- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) +- Full paths of source file(s) related to the manifestation of the issue +- The location of the affected source code (tag/branch/commit or direct URL) +- Any special configuration required to reproduce the issue +- Step-by-step instructions to reproduce the issue +- Proof-of-concept or exploit code (if possible) +- Impact of the issue, including how an attacker might exploit it + +## Preferred Languages + +We prefer all communications to be in English. + +## Policy + +- We will respond to your report within 48 hours with our evaluation and expected resolution time +- If you have followed the instructions above, we will not take legal action against you in regard to your report +- We will keep you informed of the progress towards resolving the issue +- Once the issue is resolved, we will publicly acknowledge your responsible disclosure, if you wish diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..0d08e26 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file + +version: 2 +updates: + - package-ecosystem: "github-actions" # See documentation for possible values + directory: "/" # Location of package manifests + schedule: + interval: "weekly" From 3348acf2f6f5e05c8bbf5741d7fe0f6883a4cb16 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Wed, 30 Apr 2025 18:00:42 -0700 Subject: [PATCH 2/3] update repo name in security Signed-off-by: Andrew Brandt --- .github/SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 683b446..c655497 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -2,7 +2,7 @@ ## Reporting a Vulnerability -We take the security of configure-custom-properties seriously. If you believe you have found a security vulnerability, please report it to us as described below. +We take the security of VersionTwo seriously. If you believe you have found a security vulnerability, please report it to us as described below. **Please do not report security vulnerabilities through public GitHub issues.** From b003cb3813f7c02e644509b8a89bade5498c6106 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Wed, 30 Apr 2025 19:44:28 -0700 Subject: [PATCH 3/3] add pip env as well Signed-off-by: Andrew Brandt --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 0d08e26..4e7559d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,3 +9,7 @@ updates: directory: "/" # Location of package manifests schedule: interval: "weekly" + - package-ecosystem: "pip" # See documentation for possible values + directory: "/" # Location of package manifests + schedule: + interval: "weekly"