From 5428592f46041dfb7bc479c48c44971ea83cc560 Mon Sep 17 00:00:00 2001 From: Shivam Saini <51438830+shivamsn97@users.noreply.github.com> Date: Fri, 10 Jul 2026 13:28:28 +0530 Subject: [PATCH] chore: add Dependabot and a private disclosure channel to SECURITY.md Add a GitHub private-advisory reporting option alongside the existing security@pyxle.dev email, and weekly Dependabot updates for each package (pip) and github-actions. --- .github/dependabot.yml | 25 +++++++++++++++++++++++++ SECURITY.md | 7 ++++++- 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..8341645 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,25 @@ +version: 2 +updates: + - package-ecosystem: "pip" + directory: "/packages/pyxle-auth" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + + - package-ecosystem: "pip" + directory: "/packages/pyxle-db" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + + - package-ecosystem: "pip" + directory: "/packages/pyxle-mail" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 diff --git a/SECURITY.md b/SECURITY.md index baf7b2d..225f2c2 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -14,7 +14,12 @@ Both packages are pre-1.0: we fix forward rather than backporting. **Please do not open a public issue for security reports.** -Email **security@pyxle.dev** with: +Report privately through either channel: + +- **GitHub private advisory (preferred):** [Report a vulnerability](https://github.com/pyxle-dev/pyxle-plugins/security/advisories/new) — this opens a private thread with the maintainers. +- **Email:** **security@pyxle.dev** + +Please include: - The affected package and version. - A description of the issue and its impact.