diff --git a/updater/lib/dependabot/job.rb b/updater/lib/dependabot/job.rb
index 75f052e905..ecd32ee640 100644
--- a/updater/lib/dependabot/job.rb
+++ b/updater/lib/dependabot/job.rb
@@ -428,6 +428,7 @@ def build_update_strategy(requirements_update_strategy:, lockfile_only:)
     sig { params(source_details: T::Hash[String, T.untyped]).returns(Dependabot::Source) }
     def build_source(source_details)
       # Immediately normalize the source directory, ensure it starts with a "/"
+      # Uses Pathname#cleanpath to prevent users from maliciously using paths like ../.. to access other directories.
       directory, directories = clean_directories(source_details)
       Dependabot::Source.new(