Skip to content

Security: rahulkaushal04/depkeeper

Security

Report a vulnerability

SECURITY.md

depkeeper Security Policy

We take the security of depkeeper seriously. This document outlines how we handle vulnerability reports, which versions are supported, and how users can stay secure.

πŸ” Supported Versions

We provide security patches only for the latest 0.1.x series.

Version Supported
0.1.x βœ”οΈ Yes
< 0.1 ❌ No

As depkeeper is in early development, we strongly recommend upgrading to the latest release at all times.

🚨 Reporting a Vulnerability

Do NOT create public GitHub issues for security vulnerabilities.

To responsibly disclose a vulnerability, please use one of the following private channels:

  • The repository’s Security tab β†’ Report a vulnerability
  • A private GitHub Discussion with the maintainers

We appreciate coordinated disclosure and will work with you to verify, fix, and publicly disclose issues responsibly.

Include in Your Report

  1. Description - Clear explanation of the issue
  2. Impact - What an attacker could achieve
  3. Affected Versions - Specific versions tested
  4. Reproduction Steps - Required to verify the issue
  5. Proof of Concept (PoC) - If available
  6. Potential Fix - If you have thoughts or patches

Example format:


Subject: [SECURITY] Vulnerability in requirements parser

Description:
A crafted requirements.txt triggers arbitrary code execution …

Impact:
Remote code execution during dependency checks …

Affected Versions:
0.1.0 - 0.1.5

Reproduction:

1. Create file X
2. Run `depkeeper check`
3. Observe behavior

Proof of Concept:
[link or attachment]

Suggested Fix:
Sanitize inputs in parser and enforce safe evaluation rules.

⏱️ What to Expect

Response Timeline

  • 48 hours β†’ Initial acknowledgment
  • 5 business days β†’ Validation decision
  • Every 5-7 days β†’ Status updates
  • Within 30 days β†’ Target resolution for critical vulnerabilities

Our Process

  1. Acknowledge receipt
  2. Investigate & validate
  3. Develop and test a fix
  4. Coordinate disclosure with reporter
  5. Publish a GitHub Security Advisory
  6. Credit researcher (if desired)

πŸ“£ Security Advisory Process

When a vulnerability is fixed, we will:

  • Publish a GitHub Security Advisory
  • Release a patched version
  • Update CHANGELOG.md with a [SECURITY] entry
  • Announce the fix through GitHub Releases

Advisories are published at: https://github.com/rahulkaushal04/depkeeper/security/advisories

πŸ›‘οΈ Scope of Security Reports

In Scope

  • Parser, resolver, updater logic
  • Requirements file handling (malicious input)
  • CLI command injection / unsafe shell execution
  • Unsafe file operations or path traversal
  • SSRF, MITM, insecure HTTP behavior
  • Authentication issues with private indices
  • Dependency chain vulnerabilities affecting depkeeper

Out of Scope

  • Vulnerabilities in third-party dependencies
  • DoS requiring extreme resources
  • Social engineering
  • Physical access attacks
  • Developer-only tooling issues
  • Unsupported versions

πŸŽ–οΈ Researcher Recognition

While depkeeper currently has no paid bug bounty program, we do:

  • Credit reporters in advisories
  • Mention them in the changelog
  • Add them to contributor acknowledgments
  • Provide signed recommendation letters (if requested)

A bounty program may be introduced in the future.

πŸ”’ Security Best Practices for depkeeper Users

Safe Usage

  • Always use the latest version
  • Only run depkeeper on trusted requirements files
  • Review suggested updates before applying
  • Use virtual environments
  • Avoid running as root unless necessary

Example: Secure Configuration

# depkeeper.toml
[depkeeper]
verify_ssl = true
force_https = true
concurrent_requests = 10

[depkeeper.security]
check_security = true
fail_on_critical = true
require_hashes = false  # Recommended: true for maximum safety

Private PyPI Indices

Use environment variables or credential managers:

export DEPKEEPER_PYPI_TOKEN=your_token_here
depkeeper update

Avoid hardcoding tokens or passwords.

🧰 Current Security Features

  • βœ”οΈ HTTPS-only communication
  • βœ”οΈ SSL certificate verification
  • βœ”οΈ Input validation & sanitization
  • βœ”οΈ Safe path handling
  • βœ”οΈ Atomic file writes & backups
  • βœ”οΈ Dry-run mode
  • βœ”οΈ Dependency hash verification support

Planned

  • πŸ”„ Vulnerability scanning
  • πŸ”„ Lockfile w/ integrity
  • πŸ”„ Package signature verification
  • πŸ”„ SBOM generation
  • πŸ”„ Suspicious update detection (supply-chain safety)

πŸ” Known Security Considerations

Requirements File Parsing

Mitigated by:

  • The packaging library
  • Avoidance of unsafe parsing operations
  • Strict validation rules

Network Requests

Mitigated by:

  • HTTPS enforcement
  • TLS verification
  • Configurable indices
  • Request throttling

File System Access

Mitigated by:

  • Path normalization
  • Restricted write locations
  • Automatic backup creation

πŸ“ Vulnerability Disclosure Timeline

Typical flow:

Day Action
0 Vulnerability privately reported
1-5 Triage & validation
5-30 Fix development & testing
~30 Public disclosure & advisory

Earlier disclosure may occur if:

  • Active exploitation is observed
  • Vulnerability is public elsewhere
  • Issue is trivial to reproduce

πŸ“¬ Contact & Reporting

πŸ™ Acknowledgments

Thanks to all researchers who help keep depkeeper secure. (Currently no reported vulnerabilities.)

There aren’t any published security advisories