← Back to scan
File as GitHub Issue repo: lfnovo/open-notebook

Push this scan report to lfnovo/open-notebook

Click the green button below to open GitHub’s new-issue form, pre-filled with the report title, summary table, top findings, and an embedded score-card image. No authentication needed — you review on GitHub before submitting. Repobility is credited as the scanner.

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Repobility score card

Issue title

Log Injection / Log Forging — unsanitized user input in log

Curate findings to include

Pick exactly which findings appear in the issue body. By default the top 5 are included. Uncheck noise, check what matters.

Top 5 (default)
Severity Rule Title File:line
MED ERR001 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… api/routers/languages.py:62
MED ERR001 [ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even… api/routers/languages.py:62
MED SEC034 [SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logge… commands/podcast_commands.py:79
MED SEC034 [SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logge… commands/example_commands.py:52
MED SEC034 [SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logge… api/routers/embedding_rebuild.py:31
MED SEC034 [SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logge… commands/podcast_commands.py:79
MED SEC034 [SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logge… commands/example_commands.py:52
MED SEC034 [SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logge… api/routers/embedding_rebuild.py:31
MED SEC015 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. … api/chat_service.py:39
MED SEC015 [SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. … api/chat_service.py:39
MED MINED111 Bare except continues silently open_notebook/ai/connection_tester.py:167
MED MINED111 Bare except continues silently open_notebook/ai/connection_tester.py:167
MED MINED111 Bare except continues silently open_notebook/ai/connection_tester.py:128
MED MINED111 Bare except continues silently open_notebook/ai/connection_tester.py:128
MED MINED111 Bare except continues silently open_notebook/ai/connection_tester.py:93
MED MINED111 Bare except continues silently open_notebook/utils/encryption.py:163
MED MINED111 Bare except continues silently open_notebook/utils/chunking.py:191
MED MINED111 Bare except continues silently open_notebook/ai/connection_tester.py:93
MED MINED111 Bare except continues silently open_notebook/database/async_migrate.py:215
MED MINED111 Bare except continues silently open_notebook/utils/encryption.py:163
MED MINED111 Bare except continues silently open_notebook/database/async_migrate.py:205
MED MINED111 Bare except continues silently open_notebook/utils/chunking.py:191
MED MINED111 Bare except continues silently open_notebook/podcasts/models.py:259
MED MINED111 Bare except continues silently open_notebook/database/async_migrate.py:215
MED MINED111 Bare except continues silently open_notebook/podcasts/models.py:241
MED MINED111 Bare except continues silently open_notebook/database/async_migrate.py:205
MED MINED111 Bare except continues silently open_notebook/domain/provider_config.py:268
MED MINED109 Mutable default argument in `relate` (dict) open_notebook/domain/base.py:217
MED MINED111 Bare except continues silently open_notebook/podcasts/models.py:259
MED MINED111 Bare except continues silently api/routers/chat.py:450
MED MINED111 Bare except continues silently open_notebook/podcasts/models.py:241
MED MINED111 Bare except continues silently open_notebook/domain/provider_config.py:268
MED MINED111 Bare except continues silently api/routers/podcasts.py:106
MED MINED109 Mutable default argument in `relate` (dict) open_notebook/domain/base.py:217
MED MINED111 Bare except continues silently api/routers/podcasts.py:158
MED MINED111 Bare except continues silently api/routers/chat.py:450
MED MINED111 Bare except continues silently api/routers/context.py:41
MED MINED111 Bare except continues silently api/routers/podcasts.py:106
MED MINED111 Bare except continues silently api/routers/commands.py:150
MED MINED111 Bare except continues silently api/routers/podcasts.py:158
MED MINED111 Bare except continues silently api/routers/context.py:41
MED MINED111 Bare except continues silently api/routers/commands.py:150
MED MINED111 Bare except continues silently api/credentials_service.py:338
MED MINED111 Bare except continues silently api/credentials_service.py:338
MED AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks…
MED AUC001 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks…
MED DKR017 Dockerfile installs dependencies after copying the full source tree Dockerfile:56
MED DKR017 Dockerfile installs dependencies after copying the full source tree Dockerfile:56
MED DEPCUR-NPM npm package `react-markdown` is 1 major version(s) behind (9.0.3 -> 10.1.0) frontend/package.json
MED DEPCUR-NPM npm package `react-markdown` is 1 major version(s) behind (9.0.3 -> 10.1.0) frontend/package.json
MED GHSA-r73j-pqj5-w3x7 pillow: GHSA-r73j-pqj5-w3x7 uv.lock
MED GHSA-r73j-pqj5-w3x7 pillow: GHSA-r73j-pqj5-w3x7 uv.lock
MED GHSA-5xmw-vc9v-4wf2 pillow: GHSA-5xmw-vc9v-4wf2 uv.lock
MED GHSA-5xmw-vc9v-4wf2 pillow: GHSA-5xmw-vc9v-4wf2 uv.lock
MED GHSA-g48c-2wqr-h844 langgraph: GHSA-g48c-2wqr-h844 uv.lock
MED GHSA-g48c-2wqr-h844 langgraph: GHSA-g48c-2wqr-h844 uv.lock
MED GHSA-jg22-mg44-37j8 aiohttp: GHSA-jg22-mg44-37j8 uv.lock
MED GHSA-jg22-mg44-37j8 aiohttp: GHSA-jg22-mg44-37j8 uv.lock
MED GHSA-hg6j-4rv6-33pg aiohttp: GHSA-hg6j-4rv6-33pg uv.lock
MED GHSA-hg6j-4rv6-33pg aiohttp: GHSA-hg6j-4rv6-33pg uv.lock
MED GHSA-58qx-3vcg-4xpx ws: GHSA-58qx-3vcg-4xpx frontend/package-lock.json
MED GHSA-58qx-3vcg-4xpx ws: GHSA-58qx-3vcg-4xpx frontend/package-lock.json
MED GHSA-qx2v-qp2m-jg93 postcss: GHSA-qx2v-qp2m-jg93 frontend/package-lock.json
MED GHSA-qx2v-qp2m-jg93 postcss: GHSA-qx2v-qp2m-jg93 frontend/package-lock.json
MED GHSA-f886-m6hf-6m8v brace-expansion: GHSA-f886-m6hf-6m8v frontend/package-lock.json
MED GHSA-f886-m6hf-6m8v brace-expansion: GHSA-f886-m6hf-6m8v frontend/package-lock.json
MED GHSA-2g4f-4pwh-qvx6 ajv: GHSA-2g4f-4pwh-qvx6 frontend/package-lock.json
MED GHSA-2g4f-4pwh-qvx6 ajv: GHSA-2g4f-4pwh-qvx6 frontend/package-lock.json
MED DKR001 Docker final stage has no non-root USER Dockerfile.single:54
MED DKR001 Docker final stage has no non-root USER Dockerfile.single:54
MED DKR001 Docker final stage has no non-root USER Dockerfile:68
MED DKR001 Docker final stage has no non-root USER Dockerfile:68
MED SEC017 [SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external … open_notebook/graphs/ask.py:110
MED SEC017 [SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external … open_notebook/graphs/ask.py:110
MED WEB003 Public web service has no security.txt .well-known/security.txt
MED WEB003 Public web service has no security.txt .well-known/security.txt
MED DKR014 Dockerfile copies broad context with incomplete .dockerignore Dockerfile.single:75
MED DKR014 Dockerfile copies broad context with incomplete .dockerignore Dockerfile.single:75
MED DKR014 Dockerfile copies broad context with incomplete .dockerignore Dockerfile:90
MED DKR014 Dockerfile copies broad context with incomplete .dockerignore Dockerfile:90
MED DKR014 Dockerfile copies broad context with incomplete .dockerignore Dockerfile:44
MED DKR014 Dockerfile copies broad context with incomplete .dockerignore Dockerfile:44
MED AUC002 [AUC002] Low visible authorization coverage in route inventory: Only 14.3% of discovered …
MED AUC002 [AUC002] Low visible authorization coverage in route inventory: Only 14.3% of discovered …
MED AUC012 [AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /…
MED AUC012 [AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /…
MED AGT015 Remote install command pipes network code directly to a shell docs/1-INSTALLATION/from-source.md:11
MED AGT015 Remote install command pipes network code directly to a shell docs/1-INSTALLATION/from-source.md:11
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/sources.py:946
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/sources.py:946
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/credentials.py:259
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/credentials.py:259
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/transformations.py:235
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/transformations.py:235
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/insights.py:37
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/insights.py:37
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/speaker_profiles.py:135
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/speaker_profiles.py:135
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/models.py:252
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/models.py:252
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/episode_profiles.py:165
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/episode_profiles.py:165
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/podcasts.py:272
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/podcasts.py:272
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/context.py:12
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/context.py:12
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/commands.py:108
MED AUC009 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears … api/routers/commands.py:108
MED AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was de… api/routers/settings.py:31
MED AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was de… api/routers/settings.py:31
MED AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was de… api/routers/settings.py:11
MED AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was de… api/routers/settings.py:11
MED AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was de… api/routers/search.py:17
MED AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was de… api/routers/search.py:17
MED AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was de… api/routers/embedding.py:12
MED AUC004 [AUC004] Admin route does not show super_admin separation: An administrative route was de… api/routers/embedding.py:12
LOW COMP001 [COMP001] High cognitive complexity: Function `get_job_status` has cognitive complexity 1… api/podcast_service.py:115
LOW COMP001 [COMP001] High cognitive complexity: Function `get_job_status` has cognitive complexity 1… api/podcast_service.py:115
LOW COMP001 [COMP001] High cognitive complexity: Function `submit_generation_job` has cognitive compl… api/podcast_service.py:37
LOW COMP001 [COMP001] High cognitive complexity: Function `submit_generation_job` has cognitive compl… api/podcast_service.py:37
LOW COMP001 [COMP001] High cognitive complexity: Function `get_command_status` has cognitive complexi… api/command_service.py:47
LOW COMP001 [COMP001] High cognitive complexity: Function `get_command_status` has cognitive complexi… api/command_service.py:47
LOW DEPCUR-NPM npm package `@types/react-dom` is minor version(s) behind (19.1.6 -> 19.2.3) frontend/package.json
LOW DEPCUR-NPM npm package `use-debounce` is minor version(s) behind (10.0.6 -> 10.1.1) frontend/package.json
LOW DEPCUR-NPM npm package `tailwind-merge` is minor version(s) behind (3.3.1 -> 3.6.0) frontend/package.json
LOW DEPCUR-NPM npm package `@types/react-dom` is minor version(s) behind (19.1.6 -> 19.2.3) frontend/package.json
LOW DEPCUR-NPM npm package `use-debounce` is minor version(s) behind (10.0.6 -> 10.1.1) frontend/package.json
LOW DEPCUR-NPM npm package `axios` is minor version(s) behind (1.16.0 -> 1.17.0) frontend/package.json
LOW DEPCUR-NPM npm package `tailwind-merge` is minor version(s) behind (3.3.1 -> 3.6.0) frontend/package.json
LOW DEPCUR-NPM npm package `@uiw/react-md-editor` is minor version(s) behind (4.0.8 -> 4.1.1) frontend/package.json
LOW DEPCUR-NPM npm package `@tanstack/react-query` is minor version(s) behind (5.83.0 -> 5.101.0) frontend/package.json
LOW DEPCUR-NPM npm package `axios` is minor version(s) behind (1.16.0 -> 1.17.0) frontend/package.json
LOW DEPCUR-NPM npm package `@uiw/react-md-editor` is minor version(s) behind (4.0.8 -> 4.1.1) frontend/package.json
LOW DEPCUR-NPM npm package `@tanstack/react-query` is minor version(s) behind (5.83.0 -> 5.101.0) frontend/package.json
LOW DEPCUR-NPM npm package `@hookform/resolvers` is minor version(s) behind (5.1.1 -> 5.4.0) frontend/package.json
LOW DEPCUR-NPM npm package `@hookform/resolvers` is minor version(s) behind (5.1.1 -> 5.4.0) frontend/package.json
LOW GHSA-xffm-g5w8-qvg7 @eslint/plugin-kit: GHSA-xffm-g5w8-qvg7 frontend/package-lock.json
LOW GHSA-xffm-g5w8-qvg7 @eslint/plugin-kit: GHSA-xffm-g5w8-qvg7 frontend/package-lock.json
LOW AIC003 Duplicated implementation block across source files open_notebook/graphs/source_chat.py:117
LOW AIC003 Duplicated implementation block across source files open_notebook/graphs/source_chat.py:117
LOW AIC003 Duplicated implementation block across source files open_notebook/domain/provider_config.py:175
LOW AIC003 Duplicated implementation block across source files open_notebook/domain/provider_config.py:175
LOW AIC003 Duplicated implementation block across source files frontend/src/lib/hooks/useSourceChat.ts:32
LOW AIC003 Duplicated implementation block across source files frontend/src/lib/hooks/useSourceChat.ts:32
LOW AIC003 Duplicated implementation block across source files frontend/src/lib/hooks/use-models.ts:132
LOW AIC003 Duplicated implementation block across source files frontend/src/lib/api/source-chat.ts:41
LOW AIC003 Duplicated implementation block across source files frontend/src/components/sources/SourceC…:258
LOW AIC003 Duplicated implementation block across source files frontend/src/components/source/SourceIn…:113
LOW AIC003 Duplicated implementation block across source files frontend/src/components/source/SourceDe…:490
LOW AIC003 Duplicated implementation block across source files frontend/src/components/source/ChatPane…:325
LOW AIC003 Duplicated implementation block across source files frontend/src/components/search/Streamin…:161
LOW AIC003 Duplicated implementation block across source files frontend/src/components/podcasts/forms/…:121
LOW AIC003 Duplicated implementation block across source files frontend/src/components/podcasts/Speake…:13
LOW AIC003 Duplicated implementation block across source files frontend/src/components/podcasts/Speake…:11
LOW AIC003 Duplicated implementation block across source files frontend/src/components/podcasts/Episod…:11
LOW AIC003 Duplicated implementation block across source files api/routers/context.py:19
LOW AIC003 Duplicated implementation block across source files api/podcast_service.py:88
LOW AIC003 Duplicated implementation block across source files api/notes_service.py:30
LOW AIC003 Duplicated implementation block across source files frontend/src/lib/hooks/use-models.ts:132
LOW AIC003 Duplicated implementation block across source files frontend/src/lib/api/source-chat.ts:41
LOW AIC003 Duplicated implementation block across source files frontend/src/components/sources/SourceC…:258
LOW AIC003 Duplicated implementation block across source files frontend/src/components/source/SourceIn…:113
LOW AIC003 Duplicated implementation block across source files frontend/src/components/source/SourceDe…:490
LOW AIC003 Duplicated implementation block across source files frontend/src/components/source/ChatPane…:325
LOW AIC003 Duplicated implementation block across source files frontend/src/components/search/Streamin…:161
LOW AIC003 Duplicated implementation block across source files frontend/src/components/podcasts/forms/…:121
LOW AIC003 Duplicated implementation block across source files frontend/src/components/podcasts/Speake…:13
LOW AIC003 Duplicated implementation block across source files frontend/src/components/podcasts/Speake…:11
LOW AIC003 Duplicated implementation block across source files frontend/src/components/podcasts/Episod…:11
LOW AIC003 Duplicated implementation block across source files api/routers/context.py:19
LOW AIC003 Duplicated implementation block across source files api/podcast_service.py:88
LOW AIC003 Duplicated implementation block across source files api/notes_service.py:30
LOW DKR011 Dockerfile installs recommended OS packages Dockerfile.single:57
LOW DKR011 Dockerfile installs recommended OS packages Dockerfile.single:57
LOW DKR008 .dockerignore misses sensitive defaults .dockerignore
LOW DKR008 .dockerignore misses sensitive defaults .dockerignore
LOW DKC010 Compose service lacks no-new-privileges hardening docker-compose.yml:14
LOW DKC010 Compose service lacks no-new-privileges hardening docker-compose.yml:14
LOW DKC010 Compose service lacks no-new-privileges hardening docker-compose.yml:1
LOW DKC010 Compose service lacks no-new-privileges hardening docker-compose.yml:1
LOW DKC006 Compose service does not declare a runtime user docker-compose.yml:14
LOW DKC006 Compose service does not declare a runtime user docker-compose.yml:14
INFO MINED067 [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… open_notebook/utils/version_utils.py:93
INFO MINED067 [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang f… open_notebook/utils/version_utils.py:93
INFO MINED056 [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… frontend/src/components/ui/checkbox-lis…:34
INFO MINED056 [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… frontend/src/components/search/Streamin…:89
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… frontend/src/components/errors/Connecti…:83
INFO MINED058 [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escapi… frontend/src/app/layout.tsx:27
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … frontend/src/app/(dashboard)/notebooks/…:89
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … frontend/src/app/(dashboard)/notebooks/…:100
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … frontend/src/app/(dashboard)/advanced/c…:24
INFO MINED056 [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… frontend/src/components/ui/checkbox-lis…:34
INFO MINED044 [MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger … frontend/next.config.ts:24
INFO MINED056 [MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re… frontend/src/components/search/Streamin…:89
INFO MINED076 [MINED076] Catch And Reraise Noop: except X: raise X — adds no value, hides traceback if … commands/podcast_commands.py:285
INFO MINED043 [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle cr… frontend/src/components/errors/Connecti…:83
INFO MINED062 [MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model. api/sources_service.py:14
INFO MINED058 [MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escapi… frontend/src/app/layout.tsx:27
INFO MINED045 [MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError … frontend/src/app/(dashboard)/notebooks/…:89
INFO MINED050 [MINED050] Stub Only Function: Function declared but body is just pass, return None, rais… open_notebook/exceptions.py:3
Reset to top 5 200 findings available (after auto-suppression of test files + won't-fix)

Issue body (markdown)

## Code-quality scan: `lfnovo/open-notebook`

**Score: 47/100 (C-)**  ·  278 findings  ·  scanned 2026-06-04 23:17 UTC  ·  59,590 LOC

| Severity | Count |
|---|---|
| CRITICAL | 40 |
| HIGH | 216 |
| MEDIUM | 116 |
| LOW | 66 |

📊 [Full filterable report](https://repobility.com/scan/6acf376e-b59e-454e-a3e7-70f3dcebe5a4/)  ·  ![scorecard](https://repobility.com/scan/6acf376e-b59e-454e-a3e7-70f3dcebe5a4/report.png?v=1780615040-s2)

### Top findings

1. **MEDIUM** `ERR001` — Silent Exception Swallowing
   `api/routers/languages.py:62`
2. **MEDIUM** `ERR001` — Silent Exception Swallowing
   `api/routers/languages.py:62`
3. **MEDIUM** `SEC034` — Log Injection / Log Forging — unsanitized user input in log
   `commands/podcast_commands.py:79` · CWE-117 · A09:2021 Security Logging & Monitoring Failures
4. **MEDIUM** `SEC034` — Log Injection / Log Forging — unsanitized user input in log
   `commands/example_commands.py:52` · CWE-117 · A09:2021 Security Logging & Monitoring Failures
5. **MEDIUM** `SEC034` — Log Injection / Log Forging — unsanitized user input in log
   `api/routers/embedding_rebuild.py:31` · CWE-117 · A09:2021 Security Logging & Monitoring Failures

---

_Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/6acf376e-b59e-454e-a3e7-70f3dcebe5a4/_
Megaproject â high spam risk
Could not determine 'lfnovo/open-notebook' star count (GitHub API rate-limited or unreachable). When in doubt about repo size, prefer opening a focused PR or a discussion rather than an issue.
Open in GitHub to file this issue Cancel

The button opens GitHubâs new-issue page in a new tab. You will see the title + body pre-filled â review, edit if you want, then click GitHubâs "Submit new issue" button. Repobility never posts anything on your behalf.

For real security findings on big repos: use the project's SECURITY.md or private advisory flow instead of a public issue.