
Security: dieterich-lab/CardioGuidelinesGraph


SECURITY.md

Security Policy

Automated Security Updates

This repository uses Dependabot to automatically monitor and update dependencies for security vulnerabilities.

How it works:

  1. Weekly scans: Dependabot checks for vulnerable dependencies every week
  2. Automated PRs: When vulnerabilities are found, Dependabot creates pull requests with fixes
  3. Review process: PRs are assigned to the dieterich-lab team for review
  4. Safe updates: Only patch and minor version updates are applied automatically

What to expect:

  • Security alerts: GitHub will notify maintainers of critical vulnerabilities
  • Dependabot PRs: Automated pull requests will appear for dependency updates
  • Review required: All security updates should be reviewed before merging

Manual security checks:

  • Visit the Security tab on GitHub
  • Check Dependabot alerts and security advisories
  • Review and merge Dependabot pull requests promptly

Configuration:

  • Dependabot is configured in .github/dependabot.yml
  • Updates Python dependencies and GitHub Actions weekly
  • Limited to 10 open PRs for Python dependencies, 5 for GitHub Actions
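The following is an added example of a `.github/dependabot.yml` that implements the settings listed above (weekly schedule, pip and GitHub Actions ecosystems, 10 and 5 open-PR limits, team review, patch/minor updates only); it is a constructed illustration, not the repository's own file, and the reviewing team slug is a placeholder.

```yaml
# Constructed example matching the policy described above; not the project's real file.
version: 2
updates:
  # Python dependencies: checked weekly, at most 10 open PRs at a time
  - package-ecosystem: "pip"
    directory: "/"                     # assumes the Python manifest lives at the repo root
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    reviewers:
      - "dieterich-lab/<team-slug>"    # placeholder: the team that reviews Dependabot PRs
    # "Only patch and minor version updates": skip major bumps for every dependency
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

  # GitHub Actions used in .github/workflows: checked weekly, at most 5 open PRs
  - package-ecosystem: "github-actions"
    directory: "/"                     # Dependabot resolves .github/workflows from here
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    reviewers:
      - "dieterich-lab/<team-slug>"    # placeholder, as above
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

A fix that is only available in a new major release is excluded by the `ignore` rule and will not arrive as an automated PR, which is why the manual checks of the Security tab listed above still matter.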

Reporting Security Issues

If you discover a security vulnerability, please report it by:

  1. Creating an issue in this repository
  2. Emailing the maintainers directly
  3. Using GitHub's security advisory feature

Current Status

GitHub's automated security scan currently reports 43 vulnerabilities across the dependency tree. These will be addressed through the automated Dependabot process.
