diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml index f285bcce4c81e..9f53f82167bbb 100644 --- a/.github/ISSUE_TEMPLATE/bug.yml +++ b/.github/ISSUE_TEMPLATE/bug.yml @@ -17,6 +17,13 @@ body: options: - label: I am using the latest npm required: true +- type: checkboxes + attributes: + label: This is not just a request to bump a dependency for a CVE + description: npm bundles its dependencies and updates them on a regular cadence, so transitive-dependency CVEs are picked up automatically. Issues opened solely to request a dependency bump for a CVE will be closed. To report an actual vulnerability in npm, please follow our [security policy](https://github.com/npm/cli/blob/latest/SECURITY.md) instead. + options: + - label: This is not solely a request to bump a dependency for a CVE + required: true - type: textarea attributes: label: Current Behavior diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index a3ab3b2a3b465..9ce009674b3bd 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -1,5 +1,8 @@ blank_issues_enabled: true contact_links: + - name: 🔒 Dependency CVE / security advisory in a bundled dependency + url: https://github.com/npm/cli/blob/latest/SECURITY.md + about: npm bundles its dependencies and updates them regularly, so transitive-dependency CVEs are picked up automatically. Please don't open an issue just to request a dependency bump for a CVE. To report a vulnerability in npm, see our security policy. - name: ❓ Help with issues in older versions of the CLI url: https://github.community/c/software-development/47 about: Find/file tickets with the community
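Review bot: In the bug.yml hunk, the checkbox group's `label` ("This is not just a request to bump a dependency for a CVE") and the single option's `label` ("This is not solely a request to bump a dependency for a CVE") say the same thing with different wording; pick one phrasing (for example "solely" in both) so the rendered form does not read as two separate questions. The `description` also mentions that such issues "will be closed" but does not name the alternative the reporter should use when the bundled dependency is genuinely exploitable through npm itself, beyond the security-policy link; a short clause such as "if the CVE is reachable through npm, report it via the security policy" would make the distinction explicit.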
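Review bot: In the config.yml hunk, `blank_issues_enabled: true` remains in the unchanged context, so the new contact link and the bug-template checkbox only steer reporters; anyone choosing a blank issue still bypasses both. If the intent is to stop CVE-bump issues rather than merely discourage them, consider setting `blank_issues_enabled: false` here, or documenting in the PR that enforcement is deliberately left to triage. Separately, the new entry's `url` points at `blob/latest/SECURITY.md` while its `about` text ends with "see our security policy", which is the same destination; shortening the `about` text to the one sentence about bundled dependencies would avoid the redundancy.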