diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..8341645 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,25 @@ +version: 2 +updates: + - package-ecosystem: "pip" + directory: "/packages/pyxle-auth" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + + - package-ecosystem: "pip" + directory: "/packages/pyxle-db" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + + - package-ecosystem: "pip" + directory: "/packages/pyxle-mail" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 diff --git a/SECURITY.md b/SECURITY.md index baf7b2d..225f2c2 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -14,7 +14,12 @@ Both packages are pre-1.0: we fix forward rather than backporting. **Please do not open a public issue for security reports.** -Email **security@pyxle.dev** with: +Report privately through either channel: + +- **GitHub private advisory (preferred):** [Report a vulnerability](https://github.com/pyxle-dev/pyxle-plugins/security/advisories/new) — this opens a private thread with the maintainers. +- **Email:** **security@pyxle.dev** + +Please include: - The affected package and version. - A description of the issue and its impact.