If you find any bug with Renovate that may be a security problem, please report it through the GitHub Security Advisories process on the relevant repository. For instance, for the Advisories page for the Renovate CLI. This way we can evaluate the bug and hopefully fix it before it gets abused. Please give us enough time to investigate the bug before you report it anywhere else.

If you would like to discuss a potential finding before raising the Advisory, then e-mail us at: renovate-disclosure@mend.io.

Please do not create GitHub issues or Discussions for security-related doubts or problems.