If you find a security issue, don't open a public issue. Report it privately:
- GitHub Security Advisories preferred: https://github.com/Hroldddp/ContentForge/security/advisories
- Or open a draft issue with the `security` label

We'll acknowledge within 48 hours and give a timeline for the fix.

- `.env` files — don't commit API keys
- Dependencies — keep them updated
- yt-dlp — only downloads from YouTube, URLs aren't user-supplied

- `.env` is in `.gitignore` but double-check
- `sudo pacman -Syu` regularly
- Review Dependabot PRs when they come in
- Run `bash setup.sh` after pulling updates