You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs(security): record the repo-level security settings
Enabled on the repository (Settings -> Code security), alongside the
secret-scanning work in this PR:
- Dependabot alerts + automated security updates. pip-audit only fails a
PR whose deps already carry a CVE; a CVE disclosed after merge went
unnoticed until someone looked. Security updates are the repo setting,
not dependabot.yml -- that file schedules weekly *version* updates.
These are server-side settings, invisible in any diff, so they can be
switched off without review. SECURITY.md is now the record that they are
meant to be on, with the gh command to verify.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
0 commit comments