ARC-Neuron LLMBuilder treats dependency alerts as sponsor-trust issues.
If GitHub reports a dependency vulnerability on the default branch:
- Open the repository Security tab / Dependabot alert.
- Identify the package, affected version, patched version, and dependency path.
- Apply the safe version bump when possible.
- Run public verification:
python scripts/validate_repo.py
python -m pytest tests -q
python scripts/production_verify.py
python scripts/seo_validate.py- Commit the dependency fix with a clear message such as:
Fix Dependabot moderate dependency alert
- If the alert cannot be safely fixed immediately, document the reason in an issue and link the issue from this file.
Supporter, Builder, and Pro Builder sponsorship can proceed while a moderate alert is being triaged, provided the alert is not ignored.
Enterprise / Custom Repository Sponsor positioning should only be described as fully hardened when moderate-or-higher dependency alerts are resolved or explicitly documented with a risk boundary.
gh repo view GareBear99/ARC-Neuron-LLMBuilder --webThen open:
Security → Dependabot alerts
This repo does not hide security status behind marketing language. Sponsor trust depends on public checks, dependency triage, and clear boundaries between open-source infrastructure support and custom delivery agreements.