Standard GitHub repository hygiene files are missing:
.github/dependabot.yml — no automated dependency updates. The repo depends on golang.org/x/tools v0.7.0 from 2023; without Dependabot, security-relevant bumps to that module and to the GitHub Actions used in workflows go unflagged.
SECURITY.md — no documented coordinated-disclosure channel. Issues "Symlink traversal can rewrite/rename arbitrary files outside the working directory" (#2) and "Predictable temp-file names enable a symlink/race attack on file rewrites" (#3), currently priority: critical with security implications, show that researchers have things to report. Without SECURITY.md, the next finder of a similar bug has to file a public issue.
CONTRIBUTING.md — no documented PR workflow, label conventions (release:, priority:), or test/lint expectations. New contributors will not know that release:* labels are mandatory or that -race is required.
CODEOWNERS — no automatic review assignment; not strictly needed on a one-maintainer repo, but useful for reproducibility.
Impact (Maintainer: Low)
Reactive, not blocking; the cost is a one-time setup.
Suggested Fix
Add .github/dependabot.yml with package-ecosystem: gomod (daily) and package-ecosystem: github-actions (weekly).
Add SECURITY.md with reporting instructions (private disclosure preferred — link to GitHub's "Report a vulnerability" if Private Reporting is enabled on the repo).
Add CONTRIBUTING.md covering: branch naming, commit-message style, the mandatory release:* label, the priority:* rubric, and go test -race ./... as the local test command.
Add .github/CODEOWNERS with * @dolph (or leave for later).
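As an added example (not a file from this repository or its maintainer), here is a .github/dependabot.yml that implements the two update schedules suggested above: Go modules checked daily, GitHub Actions checked weekly. The open-pull-requests-limit value is an assumption chosen to keep a one-maintainer repo from being flooded; everything else follows the documented Dependabot v2 schema.

```yaml
# Added example for the suggested fix above; not the repo's own file.
version: 2
updates:
  # Go module dependencies (go.mod / go.sum at the repository root).
  # Daily so that a security-relevant bump to golang.org/x/tools is
  # surfaced within a day rather than whenever someone remembers to look.
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "daily"
    # Assumption: cap concurrent PRs so a single maintainer is not flooded.
    open-pull-requests-limit: 5

  # Actions referenced by workflows under .github/workflows/.
  # directory "/" is correct here: Dependabot locates the workflow files itself.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Once committed on the default branch, Dependabot starts opening PRs for outdated modules and action versions; because the proposed CONTRIBUTING.md makes a release:* label mandatory on every PR, the optional labels key under each update entry can pre-apply whichever label the rubric calls for so those PRs do not fail the label check.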
Files
.github/dependabot.yml (new)
SECURITY.md (new)
CONTRIBUTING.md (new)
.github/CODEOWNERS (new, optional)