Merge branch 'main' into dependabot/pip/pip-775dd686c6

7eventy7 · Nov 13, 2024 · e7248d6 · e7248d6
2 parents 95cfdcb + 705c89d
commit e7248d6
Show file tree

Hide file tree

Showing 3 changed files with 91 additions and 4 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    target-branch: "main"
+    labels:
+      - "dependencies"
+      - "pip"
+    allow:
+      - dependency-type: "direct"
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,74 @@
+# Security Policy
+
+## Supported Versions
+
+We maintain security updates for the following versions of Patchy:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.x   | :white_check_mark: |
+| < 1.0.0 | :x:                |
+
+## Reporting a Vulnerability
+
+We take security vulnerabilities seriously. If you discover a security issue in Patchy:
+
+1. **DO NOT** disclose the vulnerability publicly
+2. Please report it through our [GitHub Security Advisories](https://github.com/7eventy7/trackly/security/advisories/new)
+
+### What to Include in Your Report
+
+- Detailed description of the vulnerability
+- Steps to reproduce the issue
+- Potential impact of the vulnerability
+- Suggested fixes (if any)
+
+### Response Timeline
+
+- Initial Response: Within 48 hours
+- Status Update: Within 5 business days
+- Resolution Timeline: Based on severity and complexity
+
+## Security Considerations
+
+### Docker Socket Access
+
+Patchy requires access to the Docker socket to function. Please be aware of the following:
+
+1. **Socket Permissions**: 
+   - Only grant socket access if you trust this application
+   - Consider using reduced-privilege alternatives when possible
+
+2. **Container Security**:
+   - Run Patchy with minimal required permissions
+   - Use read-only access where possible
+   - Keep the container updated for security patches
+
+### Best Practices
+
+1. **Stay Updated**:
+   - Use the latest version of Patchy
+   - Enable automatic updates when possible
+   - Watch our release announcements for security updates
+
+2. **Configuration**:
+   - Use secure configuration settings
+   - Limit network exposure
+   - Follow the principle of least privilege
+
+## Security Features
+
+We've implemented the following security measures:
+- Read-only Docker socket access
+- No permanent data storage
+- Regular security updates
+- Minimal base image
+- Automated vulnerability scanning
+
+## Attribution
+
+We'd like to credit security researchers who report valid vulnerabilities in our security advisories. If you wish to remain anonymous, please indicate this in your report.
+
+---
+
+This security policy is subject to change without notice. Please check back regularly for updates.
diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,4 @@
-python-dotenv==1.0.0
-requests==2.32.2
-typing-extensions==4.9.0
-croniter==2.0.1
+python-dotenv==1.0.1
+requests==2.32.3
+typing-extensions==4.12.2
+croniter==5.0.1