It is a good practice to inform how to report vulnerabilities, which is what the SECURITY.md file is for. I have worded this in the SECURITY.md file:

> However, the dependencies of a given Annif release are pinned only on minor version level

But this is actually not true; [Edited this part to include a true statement.] There are the following patch level version pinnings:
2.14.2
0.9.2
1.4.1
0.4.5
Right now I don't remember why they are pinned to patch level. Need to check that. It would be good if all (security) patches of dependencies could be applied without the need to update the Annif version. Do some of these dependencies have such a backward compatibility policy that conflicts with Annif's policy?
Also reword the bottom list. [Done.]

Also, at the moment the Annif repo has Security advisories enabled (I enabled it when looking at this security reporting a while ago), which allows anyone to give a report by navigating to the Security tab in this repo. Having two reporting ways (finto-posti email and this reporting) can be confusing, so maybe the Security advisories functionality should be disabled.
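The question raised above, whether a dependency's security patch can be picked up without cutting a new Annif release, comes down to how each version specifier is written. The script below is an added example, not Annif's own code or tooling: it parses PEP 440 style requirement lines with a small evaluator (release segments only, no pre-releases, epochs or local versions, which is an assumption) and classifies each pin as blocking patch updates, minor updates, major updates, or nothing. The package names are placeholders and the operators paired with the version numbers quoted in the comment are assumed for illustration.

```python
import re

# Constructed sample requirement lines (placeholder names, assumed operators;
# the version numbers are the ones quoted in the comment above).
SAMPLE_REQUIREMENTS = [
    "pkg-a==2.14.2",        # exact pin: even a security patch needs a new release
    "pkg-b~=0.9.2",         # compatible release: 0.9.x patches are accepted
    "pkg-c>=1.4.1,<1.5",    # explicit minor range: patches accepted
    "pkg-d==0.4.*",         # wildcard on the minor version: patches accepted
    "pkg-e~=2.14",          # minor updates within 2.x accepted
    "pkg-f>=1.4",           # lower bound only: no upper bound at all
]

_LINE_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*(?:#.*)?$")
_CLAUSE_RE = re.compile(r"^(==|!=|~=|<=|>=|<|>)\s*([0-9.]+(?:\.\*)?)$")


def parse_version(text):
    """'2.14.2' -> (2, 14, 2). Assumption: plain numeric release segments only."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(version, length):
    return version + (0,) * (length - len(version))


def _cmp(a, b):
    n = max(len(a), len(b))
    a, b = _pad(a, n), _pad(b, n)
    return (a > b) - (a < b)


def clause_matches(op, spec, version):
    """Evaluate one specifier clause (e.g. ('~=', '0.9.2')) against a version tuple."""
    if spec.endswith(".*"):
        if op not in ("==", "!="):
            raise ValueError("wildcard is only valid with == or !=")
        prefix = parse_version(spec[:-2])
        hit = _pad(version, len(prefix))[: len(prefix)] == prefix
        return hit if op == "==" else not hit
    target = parse_version(spec)
    if op == "~=":
        # ~=X.Y.Z means >=X.Y.Z and ==X.Y.*; ~=X.Y means >=X.Y and ==X.*
        if len(target) < 2:
            raise ValueError("~= needs at least two version components")
        prefix = target[:-1]
        return _cmp(version, target) >= 0 and _pad(version, len(prefix))[: len(prefix)] == prefix
    c = _cmp(version, target)
    return {"==": c == 0, "!=": c != 0, ">=": c >= 0, ">": c > 0, "<=": c <= 0, "<": c < 0}[op]


def parse_requirement(line):
    """Split 'name>=1.4.1,<1.5' into ('name', [('>=', '1.4.1'), ('<', '1.5')])."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"cannot parse requirement: {line!r}")
    name, spec = m.group(1), m.group(2)
    clauses = []
    for raw in filter(None, (c.strip() for c in spec.split(","))):
        cm = _CLAUSE_RE.match(raw)
        if not cm:
            raise ValueError(f"unsupported clause {raw!r} in {line!r}")
        clauses.append((cm.group(1), cm.group(2)))
    return name, clauses


def specifier_allows(clauses, version):
    return all(clause_matches(op, spec, version) for op, spec in clauses)


def pinning_level(clauses):
    """Classify a specifier by the smallest kind of dependency update it rejects.

    'patch'    - the next patch release is rejected, so a security fix in the
                 dependency cannot be applied without a new release of the project
    'minor'    - patch releases accepted, next minor release rejected
    'major'    - minor releases accepted, next major release rejected
    'unpinned' - no upper bound at all
    """
    anchor = None
    for op, spec in clauses:
        if op in ("==", "~=", ">=", ">"):
            anchor = _pad(parse_version(spec.rstrip("*").rstrip(".")), 3)
            break
    if anchor is None:
        return "unpinned"
    major, minor, patch = anchor[:3]
    if not specifier_allows(clauses, (major, minor, patch + 1)):
        return "patch"
    if not specifier_allows(clauses, (major, minor + 1, 0)):
        return "minor"
    if not specifier_allows(clauses, (major + 1, 0, 0)):
        return "major"
    return "unpinned"


def report(lines):
    """(name, level) for every requirement line."""
    return [(name, pinning_level(clauses)) for name, clauses in map(parse_requirement, lines)]


def patch_blocking(lines):
    """Names of dependencies whose pin would block applying their next patch release."""
    return [name for name, level in report(lines) if level == "patch"]


if __name__ == "__main__":
    for name, level in report(SAMPLE_REQUIREMENTS):
        print(f"{name:8s} {level}")
    print("blocks patch updates:", patch_blocking(SAMPLE_REQUIREMENTS))
```

Running it over the sample list flags only the `==2.14.2` style pin as blocking patch updates; the `~=0.9.2`, `>=1.4.1,<1.5` and `==0.4.*` forms all accept a later patch release, which is what the "pinned on minor version level" wording in SECURITY.md promises. The evaluator treats `!=` exclusions literally, so a spec like `~=2.14.2,!=2.14.3` is reported as `patch` even though 2.14.4 would be accepted.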