Skip to content

chore(security): add Dependabot config and SECURITY.md disclosure policy#34

Open
dmchaledev wants to merge 1 commit into
mainfrom
claude/magical-ptolemy-bs2b0a
Open

chore(security): add Dependabot config and SECURITY.md disclosure policy#34
dmchaledev wants to merge 1 commit into
mainfrom
claude/magical-ptolemy-bs2b0a

Conversation

@dmchaledev

Copy link
Copy Markdown
Contributor

Summary

@hailbytes/sbom-diff is a supply-chain security tool, but its own repository ships none of the baseline supply-chain hygiene it exists to help others enforce. There is no automated dependency updating, no way to keep the CI action tags from going stale, and no vulnerability-disclosure policy. This PR closes that gap with two small, self-contained, non-code files.

This is distinct from everything currently in flight — the open PRs/issues all touch src/ logic (purl keying #20/#31, downgrades #24, CVSS #18, licenses #9/#33, hashes #22, XML #27, validation #21, --fail-on #5) or the release pipeline (#26). None add repository security automation or a disclosure policy.

What's added

1. .github/dependabot.yml

  • npm ecosystem, weekly. Minor/patch bumps are grouped into a single PR to cut review noise; majors still arrive individually so breaking changes stay visible.
  • github-actions ecosystem, weekly, all grouped. The workflows currently pin floating major tags (actions/checkout@v4, actions/setup-node@v4); Dependabot surfaces new releases so they don't silently drift.

2. SECURITY.md

A vulnerability-disclosure policy: supported versions, GitHub private vulnerability reporting as the primary channel (with an email fallback), what to include in a report, and response-time commitments. This is a table-stakes artifact that GitHub surfaces in the repo's Security tab and was previously absent.

Why this is high-leverage

  • Dogfoods the project's own mission. A published package keyworded supply-chain-security / vulnerability-management that doesn't patch its own dependencies or offer a disclosure channel undercuts its credibility. This makes the repo practice what the tool preaches.
  • Automated, ongoing value. Dependabot keeps dev/runtime deps and CI actions patched from here on with no further effort.
  • Zero risk to the build. No source, config, or workflow logic changes — CI (lint, typecheck, test, build) is unaffected. All 29 tests still pass locally.

Verification

npm run lint      # ✓
npx tsc --noEmit  # ✓
npm test          # ✓ 29 passed
npm run build     # ✓

dependabot.yml validated as well-formed YAML with both npm and github-actions update entries.

🤖 Generated with Claude Code

https://claude.ai/code/session_01WAqf7xUqozPmTjN1gEE577


Generated by Claude Code

Dogfood the project's own supply chain:

- .github/dependabot.yml: weekly npm and github-actions updates. Minor/patch
  npm bumps and all action updates are grouped to cut review noise while
  majors still arrive individually. This keeps runtime/dev dependencies
  patched and stops the workflow action tags (checkout@v4, setup-node@v4)
  from silently going stale.
- SECURITY.md: a vulnerability-disclosure policy pointing to GitHub private
  vulnerability reporting, with supported-version and response-time
  commitments — a table-stakes artifact that was missing for a published
  security-focused package.

No source or build changes; CI (lint, typecheck, test, build) is unaffected.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants