Thank you for your interest in keeping the Python Linting Action secure. We take security seriously and value the input of the security community.
Because this Action uses a "floating tag" release strategy (e.g., v1 points to the latest release), we generally only provide security updates for the current major version.
| Version | Supported | Notes |
|---|---|---|
| v1.x | ✅ | Current major version (Recommended) |
| < v1.0 | ❌ | No longer supported |
If you discover a security vulnerability within this project, please do not open a public issue. Publicly reporting a vulnerability can put the community at risk before a fix is available.
If you have a GitHub account, please navigate to the Security tab of this repository and look for the "Report a vulnerability" button. This allows you to open a private advisory draft where we can discuss the issue securely.
If private reporting is not enabled or you prefer email, please send a detailed report to: jason.miller@thoughtparameters.com
Please include:
- The type of vulnerability (e.g., Command Injection, Dependency Issue).
- Full steps to reproduce the issue.
- Any relevant proof-of-concept (PoC) code or screenshots.
We are committed to addressing security issues promptly.
- Acknowledgment: We aim to respond to your report within 48 hours.
- Assessment: We will review the report and determine the impact.
- Fix: If the vulnerability is validated, we will prioritize a fix and release a new patch version (e.g., v1.0.2).
In scope:
- Vulnerabilities in the Action's execution logic (e.g., arbitrary code execution via malicious input).
- Supply chain vulnerabilities in the Docker container or dependencies defined in this repository.
Out of scope:
- False positives or false negatives generated by the underlying tools (Black, Pylint, MyPy). Please report those to the respective tool maintainers.
- Vulnerabilities requiring physical access to the user's machine.