docs: explain auto-renaming of package.json to _package.json

benjamindotdev · benjamindotdev · commit d9d10592df13 · 2026-02-19T14:11:58.000+01:00
diff --git a/README.md b/README.md
@@ -81,6 +81,16 @@ npx stackscan scan --color brand
 
 ---
 
+## Dependabot & Security
+
+When hosting `package.json` files for analysis, security tools like Dependabot may incorrectly flag them as vulnerable dependencies of your project.
+
+To prevent this, StackScan will **automatically rename** any `package.json` found in `public/stackscan/` to `_package.json`.
+- Dependabot ignores `_package.json`.
+- StackScan prioritizes reading `_package.json` on future runs.
+
+---
+
 ## Output
 
 For each project in `public/stackscan/`, a `stack.json` is generated in the same folder.
