If you discover a security vulnerability in HolyCode:

1. Do not open a public GitHub issue
2. Email CoderLuii@outlook.com with:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
3. You will receive a response within 48 hours

HolyCode ships many third-party CLIs inside one Docker image. Tagged releases refresh the pinned Dockerfile tools, but optional OpenCode plugins are installed by OpenCode at container startup when you enable them. Dependabot alerts are not currently enabled for this repository, so release audits record npm, PyPI, OSV, Docker, and workflow checks directly.