https://www.olafalders.com/categories/security/Recent content in security on olafalders.comHugo -- gohugo.ioen© 2026 Olaf AldersTue, 26 May 2026 00:00:00 +0000https://www.olafalders.com/2026/05/26/Enable-Private-Vulnerability-Reporting/Tue, 26 May 2026 00:00:00 +0000https://www.olafalders.com/2026/05/26/Enable-Private-Vulnerability-Reporting/Bulk-enable private vulnerability reporting across your GitHub repos with a short shell script.<p>With the rise of LLM usage, the number of vulnerabilities being found in Open Source Software libraries is climbing &ndash; perhaps more than you might think. Finding vulnerabilities is getting easier, but reporting them to maintainers can be a bottleneck. One way to help streamline the process is by enabling <a href="https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability" target="_blank">&ldquo;Private vulnerability reporting&rdquo;</a> on your GitHub repositories. This gives reporters a private, official channel to reach out to you with details about exploits (both confirmed and unconfirmed).</p> <!-- markdownlint-disable MD003 MD033 MD046 --> <p><a href="https://www.olafalders.com/2026/05/26/Enable-Private-Vulnerability-Reporting/featured.jpeg" ><figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="auto" alt="featured" width="1024" height="768" src="https://www.olafalders.com/2026/05/26/Enable-Private-Vulnerability-Reporting/featured_hu_438162ae6a5006b3.jpeg" srcset="https://www.olafalders.com/2026/05/26/Enable-Private-Vulnerability-Reporting/featured_hu_438162ae6a5006b3.jpeg 800w, https://www.olafalders.com/2026/05/26/Enable-Private-Vulnerability-Reporting/featured.jpeg 1280w" sizes="(min-width: 768px) 50vw, 65vw" data-zoom-src="https://www.olafalders.com/2026/05/26/Enable-Private-Vulnerability-Reporting/featured.jpeg"></figure> </a></p> <!-- markdownlint-disable-line --><p class="attribution">"<a target="_blank" rel="noopener noreferrer" href="https://www.flickr.com/photos/98846724@N04/36027859174/">Crayons</a>" by <a target="_blank" rel="noopener noreferrer" href="https://www.flickr.com/photos/98846724@N04/">echilds41</a> is licensed under <a target="_blank" rel="noopener noreferrer" href="https://creativecommons.org/licenses/by/2.0/?ref=openverse">CC BY 2.0 <img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg" style="height: 1em; margin-right: 0.125em; display: inline;" /><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg" style="height: 1em; margin-right: 0.125em; display: inline;" /></a>.</p> <p>You might think &ldquo;just email me &ndash; I&rsquo;m not hard to find&rdquo;, but you&rsquo;d be surprised how often nailing down the right email and the right contact person is a source of friction. If you&rsquo;re able to toggle this switch, you are opening up a pathway for reporters to let you know about a possible <a href="https://www.cve.org/About/Overview" target="_blank">CVE</a> so that they can either help you remedy the situation or move on to the next CVE on their list.</p> <p>If you have GitHub&rsquo;s <a href="https://cli.github.com/" target="_blank">&ldquo;gh&rdquo; tool</a> installed, this is trivial to do:</p> <div class="highlight-wrapper"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/usr/bin/env bash </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">set</span> -eu -o pipefail </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Enable &#34;Private vulnerability reporting&#34; for all repos you have admin access to.</span> </span></span><span class="line"><span class="cl"><span class="c1"># Optionally pass an org name to target that org&#39;s repos instead of your own.</span> </span></span><span class="line"><span class="cl"><span class="c1">#</span> </span></span><span class="line"><span class="cl"><span class="c1"># Filters applied to `gh repo list`:</span> </span></span><span class="line"><span class="cl"><span class="c1"># --no-archived skip archived repos (can&#39;t change settings on them)</span> </span></span><span class="line"><span class="cl"><span class="c1"># --visibility public skip private and internal repos</span> </span></span><span class="line"><span class="cl"><span class="c1"># --source skip forks (PVR is configured on the upstream)</span> </span></span><span class="line"><span class="cl"><span class="c1"># --limit 1000 cap result set; raise if you have more repos</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">owner</span><span class="o">=</span><span class="si">${</span><span class="nv">1</span><span class="k">:-</span><span class="si">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">gh repo list <span class="si">${</span><span class="nv">owner</span><span class="p">:+</span><span class="s2">&#34;</span><span class="nv">$owner</span><span class="s2">&#34;</span><span class="si">}</span> --limit <span class="m">1000</span> --no-archived --visibility public --source --json nameWithOwner --jq <span class="s1">&#39;.[].nameWithOwner&#39;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="nv">IFS</span><span class="o">=</span> <span class="nb">read</span> -r repo<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;Enabling private vulnerability reporting: </span><span class="nv">$repo</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> gh api <span class="s2">&#34;repos/</span><span class="nv">$repo</span><span class="s2">/private-vulnerability-reporting&#34;</span> -X PUT --silent <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="o">||</span> <span class="nb">echo</span> <span class="s2">&#34; failed: </span><span class="nv">$repo</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">done</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;Done.&#34;</span></span></span></code></pre></div></div> <p>Run it with no arguments to target your own repos, or pass an org name to target an org you administer:</p> <div class="highlight-wrapper"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">./enable-pvr.sh <span class="c1"># your repos</span> </span></span><span class="line"><span class="cl">./enable-pvr.sh some-org <span class="c1"># repos in some-org</span></span></span></code></pre></div></div> <p>Thanks for helping to make the OSS landscape a better place, but be warned: this could take up to three minutes of your time!</p> <p><a href="https://www.olafalders.com/2026/05/26/Enable-Private-Vulnerability-Reporting/">Read on website</a></p>https://www.olafalders.com/2026/05/19/On-Cooldowns-and-Dependabot-Tuning/Tue, 19 May 2026 00:00:00 +0000https://www.olafalders.com/2026/05/19/On-Cooldowns-and-Dependabot-Tuning/Dependabot's defaults can make it look like an agent of chaos. Cooldowns, dependency groups, and a Claude skill turn down the churn from 11.<!-- markdownlint-disable MD003 MD033 MD046 --> <p><a href="https://www.olafalders.com/2026/05/19/On-Cooldowns-and-Dependabot-Tuning/featured.jpeg" ><figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="auto" alt="featured" width="2048" height="1152" src="https://www.olafalders.com/2026/05/19/On-Cooldowns-and-Dependabot-Tuning/featured_hu_9a2ec17ba15737ab.jpeg" srcset="https://www.olafalders.com/2026/05/19/On-Cooldowns-and-Dependabot-Tuning/featured_hu_9a2ec17ba15737ab.jpeg 800w, https://www.olafalders.com/2026/05/19/On-Cooldowns-and-Dependabot-Tuning/featured_hu_fd46ea94c5019e09.jpeg 1280w" sizes="(min-width: 768px) 50vw, 65vw" data-zoom-src="https://www.olafalders.com/2026/05/19/On-Cooldowns-and-Dependabot-Tuning/featured.jpeg"></figure> </a></p> <!-- markdownlint-disable-line --><p class="attribution">"Iceberg" by longhorndave is licensed under <a rel="noopener noreferrer" href="https://creativecommons.org/licenses/by/2.0/?ref=openverse">CC BY 2.0 <img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg" style="height: 1em; margin-right: 0.125em; display: inline;" /><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg" style="height: 1em; margin-right: 0.125em; display: inline;" /></a>.</p> <p>Dependabot&rsquo;s defaults can make it look like an agent of chaos. There are a couple of things you can do to turn down the churn from 11.</p> <ol> <li><a href="https://nesbitt.io/2026/03/04/package-managers-need-to-cool-down.html" target="_blank">package manager cooldowns</a></li> <li><a href="https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/optimizing-pr-creation-version-updates#grouping-related-dependencies-together" target="_blank">Dependabot groups</a></li> <li><a href="https://github.com/oalders/kitchen-sink/blob/bba1217882b1570d081623190784404f69dec6c5/skills/tune-dependabot-config/SKILL.md" target="_blank">an LLM skill to implement items 1 and 2</a></li> </ol> <h2 class="relative group">Cooldowns <div id="cooldowns" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#cooldowns" aria-label="Anchor">#</a> </span> </h2> <p>The idea behind cooldowns is essentially that unless you&rsquo;re constantly in YOLO mode, you probably don&rsquo;t need something that was released to the world 5 minutes or even 5 days ago. Yes, there are exceptions (security updates, some brand new thing, etc). Just waiting a few days (or a week) can reduce your exposure to supply chain attacks because a large percentage of compromised packages will have been discovered in the hours/days after a release. It&rsquo;s not a silver bullet, but it mitigates your exposure to some extent.</p> <h2 class="relative group">Dependabot groups <div id="dependabot-groups" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#dependabot-groups" aria-label="Anchor">#</a> </span> </h2> <p>The idea behind Dependabot groups is that you have an escape hatch out of Dependabot pull request hell, where X pull requests are opened that all touch the same files, generally require rebasing if you merge them serially, and sometimes break your CI because they should have been bundled together.</p> <p>If you&rsquo;ve ever been in the position of Dependabot proposing major version upgrades to the <a href="https://github.com/actions/upload-artifact" target="_blank">upload-artifact</a> action and the <a href="https://github.com/actions/download-artifact" target="_blank">download-artifact</a> action in discrete pull requests, you probably know what I&rsquo;m talking about. Neither PR on its own will pass CI. Merging either PR breaks your top level CI. You either need to fix this manually by combining the PRs before merge or merge both broken PRs individually and hope for the best. Similarly, if you have a bunch of different minor version updates to your npm dependencies, which all touch the same lockfile, you may also appreciate being able to group your dependencies.</p> <h2 class="relative group">The skill <div id="the-skill" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#the-skill" aria-label="Anchor">#</a> </span> </h2> <p>I have too many repositories to want to manage this by hand, especially when I have a number of slightly different dependabot configs. There&rsquo;s not necessarily a one-size-fits-all solution. So, a good fit for me is to use <a href="https://github.com/oalders/kitchen-sink/blob/bba1217882b1570d081623190784404f69dec6c5/skills/tune-dependabot-config/SKILL.md" target="_blank">a Claude skill to update my deps</a>.<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> My &ldquo;tune dependabot&rdquo; skill will examine a dependabot config and apply cooldowns as well as groups, where needed. If the config does not yet exist, it&rsquo;s happy to create a new one from scratch. For me this is a quality of life thing as I have accumulated too many repositories for this kind of banal work to be enjoyable. In addition to the security benefits, it also reduces some of the friction that comes with having to merge a lot of dependabot pull requests on an ongoing basis.</p> <h2 class="relative group">A tuned config <div id="a-tuned-config" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#a-tuned-config" aria-label="Anchor">#</a> </span> </h2> <p>Here&rsquo;s a sample, tuned config file. GitHub Actions gets two groups: major version bumps are batched together so that changes to things like <code>upload-artifact</code> and <code>download-artifact</code> can be merged together, with minor and patch updates bundled into their own pull request. The <code>gomod</code> and <code>npm</code> ecosystems only group minor and patch updates, which allows the major version bumps to be tested in isolation. Every ecosystem gets a one week cooldown period.</p> <div class="highlight-wrapper"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="m">2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">updates</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">package-ecosystem</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;github-actions&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">directory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interval</span><span class="p">:</span><span class="w"> </span><span class="l">weekly</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">groups</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">major-updates</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">patterns</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">update-types</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;major&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">minor-and-patch</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">patterns</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">update-types</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;minor&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;patch&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cooldown</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default-days</span><span class="p">:</span><span class="w"> </span><span class="m">7</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">package-ecosystem</span><span class="p">:</span><span class="w"> </span><span class="l">gomod</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">directory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/go&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interval</span><span class="p">:</span><span class="w"> </span><span class="l">weekly</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">open-pull-requests-limit</span><span class="p">:</span><span class="w"> </span><span class="m">10</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">groups</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">minor-and-patch</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">patterns</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">update-types</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;minor&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;patch&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cooldown</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default-days</span><span class="p">:</span><span class="w"> </span><span class="m">7</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">package-ecosystem</span><span class="p">:</span><span class="w"> </span><span class="l">npm</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">directory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interval</span><span class="p">:</span><span class="w"> </span><span class="l">weekly</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">open-pull-requests-limit</span><span class="p">:</span><span class="w"> </span><span class="m">10</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">groups</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">minor-and-patch</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">patterns</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">update-types</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;minor&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;patch&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cooldown</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default-days</span><span class="p">:</span><span class="w"> </span><span class="m">7</span></span></span></code></pre></div></div> <p>This gets me fewer rebases, boring CI, and a few extra days of waiting while the rest of the world identifies the bad actors.</p> <div class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1"> <p>Written with <a href="https://github.com/obra/superpowers" target="_blank">Superpowers</a>, as usual.&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </div> <p><a href="https://www.olafalders.com/2026/05/19/On-Cooldowns-and-Dependabot-Tuning/">Read on website</a></p>