
Report security vulnerabilities using GitHub#14549

Merged
nicoddemus merged 1 commit into main from security-advisory on Jun 4, 2026

Conversation

@nicoddemus
Member

Direct users to report security vulnerabilities using GitHub's security advisory, which I just enabled in the repository.

@nicoddemus nicoddemus added the "skip news" label (used on PRs to opt out of the changelog requirement) Jun 3, 2026
Member

@Pierre-Sassoulas Pierre-Sassoulas left a comment


👍 Did you also switch the Tidelift config? This can have financial consequences.

@nicoddemus nicoddemus changed the title README.rst: report security vulnerabilities using GitHub Report security vulnerabilities using GitHub Jun 4, 2026
@nicoddemus
Member Author

Did you also switch the Tidelift config? This can have financial consequences.

Good call, there's probably a setting/link in there that should be updated. Shouldn't affect financials though, it was suggested in an email thread by their own support.

@nicoddemus
Member Author

More context: yesterday Tidelift reached out to me about a report, and one of the ways we could move the report forward was to enable the GitHub feature, which seems like a good idea as it is easier for users and directly integrated into our workflow.

@Pierre-Sassoulas
Member

Previously the change would have happened here: https://tidelift.com/lifter/package/pypi/pytest/tasks/packages_have_security_policies (but it seems there's a new policy)

Direct users to report security vulnerabilities using GitHub's security advisory.

This was one of the options suggested by Tidelift's support during an email exchange about a new vulnerability, which seems like a good idea as it is easier for users and directly integrated into our workflow.
@nicoddemus nicoddemus force-pushed the security-advisory branch from e446ac3 to 5136a19 Compare June 4, 2026 12:23
@nicoddemus
Member Author

Thanks for the link! We need a SECURITY.md file in the root too, added. I will update the Tidelift configuration after this lands on main (they need to make sure the SECURITY.md file is reachable from main).

@nicoddemus nicoddemus merged commit fbd736f into main Jun 4, 2026
36 checks passed
@nicoddemus nicoddemus deleted the security-advisory branch June 4, 2026 12:46
@nicoddemus
Member Author

Tidelift updated:

[screenshot of the updated Tidelift configuration]

(The key takeaway is "Use my own process".)
