Commit

Merge pull request #26197 from github/repo-sync
Repo sync
docs-bot authored Jun 23, 2023
2 parents 82643da + 0309416 commit 1cb1515
Showing 2 changed files with 12 additions and 2 deletions.
Expand Up @@ -137,7 +137,7 @@ updates:
### `schedule.interval`

**Required**. You must define how often to check for new versions for each package manager. By default, {% data variables.product.prodname_dependabot %} randomly assigns a time to apply all the updates in the configuration file. To set a specific time, you can use [`schedule.time`](#scheduletime) and [`schedule.timezone`](#scheduletimezone).
**Required**. You must define how often to check for new versions for each package manager. By default, {% data variables.product.prodname_dependabot %} randomly assigns a time to apply all the updates in the configuration file. To set a specific time, you can use [`schedule.time`](#scheduletime) and [`schedule.timezone`](#scheduletimezone).

{% note %}
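Review bot: The removed and added `**Required**` paragraphs under `schedule.interval` are identical as shown, so this hunk appears to change only whitespace, most likely trailing spaces. If that is the intent, it is worth saying so in the commit message; if a wording change was intended, it did not land and the line should be checked against the source branch.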

Expand Down Expand Up @@ -1023,6 +1023,12 @@ The `npm-registry` type supports username and password, or token.

When using username and password, your `.npmrc`'s auth token may contain a `base64` encoded `_password`; however, the password referenced in your {% data variables.product.prodname_dependabot %} configuration file must be the original (unencoded) password.

{% note %}

**Note**: When using `npm.pkg.github.com`, don't include a path. Instead use the `https://npm.pkg.github.com` URL without a path.

{% endnote %}

{% ifversion dependabot-private-registries %}
{% raw %}
```yaml
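Review bot: The added note for `npm.pkg.github.com` does not name the setting it constrains or say what goes wrong when a path is present, so a reader who already has a longer URL in their configuration cannot recognize the failure from this text. Suggest naming the field (presumably the registry's `url` value) and stating the symptom, for example an authentication or lookup failure, if that is what the path causes. Minor style point: `**Note**:` here puts the colon outside the bold, while the note in the other file in this commit uses `**Note:**`; pick one form.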
Expand Up @@ -15,7 +15,11 @@ shortTitle: Privately reporting

{% note %}

**Note:** If you have admin or security permissions for a public repository, you don't need to submit a vulnerability report. Instead, you can create a draft security advisory directly. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)."
**Notes:**
- If you have admin or security permissions for a public repository, you don't need to submit a vulnerability report. Instead, you can create a draft security advisory directly. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)."
- The ability to privately report a vulnerability in a repository is not related to the presence of a _SECURITY.md_ file in that repository's root or `docs` directory.
- The _SECURITY.md_ file contains the security policy for the repository. Repository administrators can add and use this file to provide _public_ instructions for how to report a security vulnerability in their repository. For more information, see "[AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository)."
- You can only report a vulnerability privately for repositories where private vulnerability reporting is enabled, and you don't have to follow the instructions in the _SECURITY.md_ file. This reporting process is fully private, and {% data variables.product.prodname_dotcom %} notifies the repository administrators directly about your submission.

{% endnote %}
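Review bot: The last bullet joins two separate statements, and "you don't have to follow the instructions in the _SECURITY.md_ file" can be read on its own as applying to any repository, not only those with private vulnerability reporting enabled. Suggest splitting it into two bullets, scoping the second to repositories where the feature is enabled, and adding what the reporter should do when it is not enabled (follow the _SECURITY.md_ instructions), so that nobody falls back to a public issue. The note also never says how a reporter can tell whether private vulnerability reporting is enabled for a repository; a short pointer to where that is visible would close the gap.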
