Only the latest release is supported with security fixes.
| Version | Supported |
|---|---|
| Latest | Yes |
| < Latest | No |
docvet is a static analysis tool that reads Python source files and calls git via subprocess. By design it:

- Parses `.py` files using Python's `ast` module (no `eval`, no `exec`)
- Runs `git diff`, `git blame`, and `git log` via `subprocess.run` with explicit argument lists (no shell expansion)
- Does not make network requests, download packages, or execute analyzed code
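The two design properties listed above, shown on constructed input. This is an added example and not docvet's own code; `calls_in`, `git_argv` and `argv_as_seen_by_child` are hypothetical helpers, and the child process is a Python one-liner standing in for git so it runs without git or a repository. It also includes one hardening point the list does not mention: an argument list keeps shell metacharacters inert, but a path that starts with `-` can still be read by git as an option unless it is placed after a `--` separator.

```python
"""Added example (not docvet's code): ast parsing runs nothing, and an argv
list keeps a hostile path as a single inert argument."""
import ast
import json
import subprocess
import sys

# Constructed sample "analyzed file": it would run a command if it were imported.
HOSTILE_SOURCE = (
    "import os\n"
    "os.system('echo EXECUTED')\n"
    "def f():\n"
    "    '''docstring'''\n"
)


def calls_in(source: str) -> list[str]:
    """Parse with ast only and return the dotted names of call targets.

    ast.parse builds a syntax tree; nothing in the source is imported or run,
    so the os.system call is reported but never executed.
    """
    tree = ast.parse(source)
    return [ast.unparse(node.func) for node in ast.walk(tree)
            if isinstance(node, ast.Call)]


def git_argv(subcommand: str, path: str, *opts: str) -> list[str]:
    """Build an explicit argument list for git (hypothetical helper).

    Two hardening points:
    * a list, not a string, so subprocess never invokes /bin/sh and shell
      metacharacters in `path` are inert;
    * the `--` separator, so a path beginning with '-' cannot be parsed by
      git as an option (avoiding the shell does not prevent that by itself).
    """
    return ["git", subcommand, *opts, "--", path]


def argv_as_seen_by_child(argv: list[str]) -> list[str]:
    """Run `argv` in list form and report the argv the child actually received.

    A Python one-liner stands in for the git binary so the example needs no
    git installation or repository; it prints its own sys.argv[1:] as JSON.
    """
    child = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))", *argv]
    out = subprocess.run(child, capture_output=True, text=True, check=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    # The call is visible in the tree, but "EXECUTED" is never echoed.
    print(calls_in(HOSTILE_SOURCE))

    hostile = "docs.py; echo PWNED"
    # What a string passed with shell=True would look like: the shell would
    # split it at ';' and run `echo PWNED` as a second command.
    print("unsafe string form:", "git blame " + hostile)
    # List form: the whole value arrives as one argument, after '--'.
    print("argv seen by child:", argv_as_seen_by_child(git_argv("blame", hostile)))
```

The same pattern applies to `git diff` and `git log`; only the subcommand and the options before `--` change.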
Reports about these expected behaviors are not security vulnerabilities. If you believe docvet's approach in these areas can be hardened, please open a regular issue.
Please report security vulnerabilities through GitHub's private vulnerability reporting.
Do not open a public issue for security vulnerabilities.
Critical vulnerabilities will be disclosed via GitHub's security advisory system.
This project runs CodeQL on every pull request and weekly, scanning for command injection, XSS, and other OWASP vulnerability patterns.