Only the latest release published on PyPI receives security fixes.
Please report vulnerabilities privately via GitHub private vulnerability reporting. Do not open a public issue for security reports. You can expect an initial response within a few days.
- checkOwners never reads a GitHub token from its config file: `github.token` in `.github/checkowners.yml` is rejected at load time because that file is committed to git. The only supported source is the `GITHUB_TOKEN` environment variable. `notifications.webhook_url` supports `${ENV_VAR}` indirection so committed configs never need to contain internal endpoints.
- The state directory (`~/.checkowners/` by default) contains contributor emails and an ownership map derived from git history. Point `CHECKOWNERS_STATE_DIR` at an ephemeral location in CI, and avoid committing it (a `.checkowners/` entry ships in this repo's `.gitignore` as a guard).
- Core inference makes no network calls. Network access is limited to the optional GitHub API features (`github` extra) and the webhook notifier.
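The two config rules above (reject `github.token` in the committed file, resolve `${ENV_VAR}` in `notifications.webhook_url`) as an added illustrative loader; this is not checkOwners' own code, and the dict layout, `ConfigError` and `load_config` names are assumptions.

```python
from __future__ import annotations

import os
import re
from typing import Any

# Matches an entire value of the form ${NAME}; partial or embedded references are not expanded.
_ENV_REF = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")


class ConfigError(ValueError):
    """Raised when a committed config violates the secret-handling rules."""


def load_config(raw: dict[str, Any], env: dict[str, str] | None = None) -> dict[str, Any]:
    """Validate a parsed config (e.g. from .github/checkowners.yml) and resolve env references.

    `env` defaults to os.environ; it is a parameter so the check is testable offline.
    """
    env = dict(os.environ) if env is None else env
    cfg = dict(raw)

    # Rule 1: a token in the committed file is rejected outright rather than ignored,
    # so a misplaced secret fails the run in CI instead of silently sitting in git.
    github = dict(cfg.get("github") or {})
    if "token" in github:
        raise ConfigError("github.token is not allowed in the config file; set GITHUB_TOKEN instead")
    # The only supported source; kept in memory only, never written back to disk.
    github["token"] = env.get("GITHUB_TOKEN")
    cfg["github"] = github

    # Rule 2: the webhook URL may be an ${ENV_VAR} reference so internal endpoints
    # never appear in the repository. A literal URL is passed through unchanged.
    notifications = dict(cfg.get("notifications") or {})
    url = notifications.get("webhook_url")
    if isinstance(url, str):
        match = _ENV_REF.match(url)
        if match:
            name = match.group(1)
            if name not in env:
                raise ConfigError(f"notifications.webhook_url references unset variable {name}")
            notifications["webhook_url"] = env[name]
    cfg["notifications"] = notifications
    return cfg
```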