longwave closed 1 year ago
Hello, the one at https://github.com/phpstan/phpstan/security/policy is there because the project is partially funded by Tidelift, so it's their prescribed policy for the phpstan/phpstan repo. I'm gonna change it a bit - only Tidelift subscribers should use that route, otherwise they should contact me directly.
I just added an organization-wide one: https://github.com/phpstan/.github/commit/60dcb74dd194ec9f641497069916b58fe676c6a9
And it's already visible here in this repo: https://github.com/phpstan/phpstan-phpunit/security/policy
The Drupal project is considering adding this library as one of our development dependencies and so we're performing a standard security review. We're looking into adopting this alongside PHPStan and PHPUnit to improve our test quality: the issue in our issue tracker is https://www.drupal.org/project/drupal/issues/3326239
There is no security policy listed at https://github.com/phpstan/phpstan-phpunit/security/policy so I was wondering if you have an official policy on any security issues discovered in this module? Perhaps the policy could just be the same as PHPStan's own policy?