From 8169639144c2bdd7c8d8fe30275299b46c63272a Mon Sep 17 00:00:00 2001
From: Nish Sinha
Date: Fri, 10 Jan 2025 13:00:21 -0500
Subject: [PATCH] Add a comment to hint why we clean the directories
---
 updater/lib/dependabot/job.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/updater/lib/dependabot/job.rb b/updater/lib/dependabot/job.rb
index 75f052e905..ecd32ee640 100644
--- a/updater/lib/dependabot/job.rb
+++ b/updater/lib/dependabot/job.rb
@@ -428,6 +428,7 @@ def build_update_strategy(requirements_update_strategy:, lockfile_only:)
 sig { params(source_details: T::Hash[String, T.untyped]).returns(Dependabot::Source) }
 def build_source(source_details)
 # Immediately normalize the source directory, ensure it starts with a "/"
+ # Uses Pathname#cleanpath to prevent users from maliciously using paths like ../.. to access other directories.
 directory, directories = clean_directories(source_details)
 Dependabot::Source.new(