From 8a933706f11c8886c52cc714cc05afe24dbfccf7 Mon Sep 17 00:00:00 2001
From: huong-li-nguyen
Date: Thu, 21 Sep 2023 20:05:23 +0200
Subject: [PATCH 1/5] Add config for dependabot
---
 .github/dependabot.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..65736fe73
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+ - package-ecosystem: "pip" # See documentation for possible values
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: "weekly"
+ labels:
+ - "dependencies"

From c011514830a4c4e6b76f0e84e0ed7c1b7ad26e30 Mon Sep 17 00:00:00 2001
From: huong-li-nguyen
Date: Thu, 21 Sep 2023 20:15:52 +0200
Subject: [PATCH 2/5] Add changelog
---
 ...01427_huong_li_nguyen_enable_dependabot.md | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 vizro-core/changelog.d/20230921_201427_huong_li_nguyen_enable_dependabot.md

diff --git a/vizro-core/changelog.d/20230921_201427_huong_li_nguyen_enable_dependabot.md b/vizro-core/changelog.d/20230921_201427_huong_li_nguyen_enable_dependabot.md
new file mode 100644
index 000000000..d57e34cc2
--- /dev/null
+++ b/vizro-core/changelog.d/20230921_201427_huong_li_nguyen_enable_dependabot.md
@@ -0,0 +1,42 @@
+
+
+
+
+
+
+
+

From 9bbf37463d5ece1a619afeeb405f4a62f76f9603 Mon Sep 17 00:00:00 2001
From: huong-li-nguyen
Date: Thu, 21 Sep 2023 21:17:36 +0200
Subject: [PATCH 3/5] Add SECURITY.md
---
 SECURITY.md | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 SECURITY.md
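Review bot: The `directory: "/"` on the `pip` entry assumes a requirements file or pyproject.toml at the repository root, but the `vizro-core/changelog.d/` path added in patch 2 suggests the Python package and its manifest live under `vizro-core/`; if so, Dependabot finds no manifest at `/` and silently opens no pip update PRs. Confirm where the manifest is and, if it is in the subdirectory, change the line to `directory: "/vizro-core"` (one `pip` entry per package directory in a multi-package repo). Patch 5 of this series rewrites this entry but keeps the same `"/"`, so the same check applies there. A comment above the entry, `# Directory (relative to the repo root) that contains the pip manifest this entry watches`, would make the expectation explicit.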
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..df14f8c98
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,31 @@
+# Security Policy
+
+Security is very important for Vizro and its community 🔒
+
+If you believe you have found a security vulnerability, please report it to us as described below.
+
+## Supported Versions
+
+The latest version of Vizro is supported. We encourage you to update your Vizro version frequently, this way you will benefit from the latest features, bug fixes, and **security fixes**.
+
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues to limit the potential impact on current users.**
+
+If you think you found a vulnerability, and even if you are not sure about it, please report it right away by sending an email to: vizro-svc@mckinsey.com
+
+Please try to be as explicit as possible to help us better understand the nature and scope of the possible issue by providing:
+- Type of issue (e.g. cross-site scripting, SQL injection, etc.)
+- Impact of the issue, including how an attacker might exploit the issue
+- Step-by-step instructions to reproduce the issue
+- Example code or any special configuration to reproduce the issue
+- Location of the affected source code (e.g. branch/commit/URL)
+
+We will review it thoroughly and get back to you. If the issue is confirmed, we will release a patch as soon as possible.
+
+---
+
+Thanks for your help!
+
+The Vizro team thanks you for that 🙇
\ No newline at end of file

From 9dcb5f697c25b995832b0926b1d2108dc4c6ff73 Mon Sep 17 00:00:00 2001
From: huong-li-nguyen
Date: Thu, 21 Sep 2023 21:21:21 +0200
Subject: [PATCH 4/5] Lint
---
 SECURITY.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index df14f8c98..4cf1fb6dd 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -8,14 +8,14 @@ If you believe you have found a security vulnerability, please report it to us a
 The latest version of Vizro is supported. We encourage you to update your Vizro version frequently, this way you will benefit from the latest features, bug fixes, and **security fixes**.
-
 ## Reporting a Vulnerability
 **Please do not report security vulnerabilities through public GitHub issues to limit the potential impact on current users.**
-If you think you found a vulnerability, and even if you are not sure about it, please report it right away by sending an email to: vizro-svc@mckinsey.com
+If you think you found a vulnerability, and even if you are not sure about it, please report it right away by sending an email to: vizro-svc@mckinsey.com
 Please try to be as explicit as possible to help us better understand the nature and scope of the possible issue by providing:
+
 - Type of issue (e.g. cross-site scripting, SQL injection, etc.)
 - Impact of the issue, including how an attacker might exploit the issue
 - Step-by-step instructions to reproduce the issue
@@ -28,4 +28,4 @@ We will review it thoroughly and get back to you. If the issue is confirmed, we
 Thanks for your help!
-The Vizro team thanks you for that 🙇
\ No newline at end of file
+The Vizro team thanks you for that 🙇

From d84b5af6ba3898365f7997527e0cc30ffcb5a9e5 Mon Sep 17 00:00:00 2001
From: huong-li-nguyen
Date: Thu, 21 Sep 2023 22:07:09 +0200
Subject: [PATCH 5/5] Update dependabot.yml
---
 .github/dependabot.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 65736fe73..fb1b2107f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,8 +5,14 @@
 version: 2
 updates:
- - package-ecosystem: "pip" # See documentation for possible values
- directory: "/" # Location of package manifests
+ # Github Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"
+ # Python
+ - package-ecosystem: "pip"
+ directory: "/"
 schedule:
 interval: "weekly"
 labels: