As Forkana is a fork of Gitea, please see Gitea's security policy.

If you want to also inform us, please join our Slack and DM @greg. You can also securely contact Greg via Keybase.

Forkana delays dependency updates for ecosystems with native age controls:

• Node.js/frontend dependencies use pnpm minimumReleaseAge: 20160 in pnpm-workspace.yaml.
• Python/tooling dependencies use uv exclude-newer = "14 days" in pyproject.toml.
• Go: No native age gating exists as of Go 1.25. While go.sum and GOSUMDB ensure package integrity and prevent tampering, they do not provide supply-chain age controls. Age-gating for Go is currently tracked as a separate follow-up item.