From 31cb60b2e6e4aa81c0979f37017fa7ac2f67b334 Mon Sep 17 00:00:00 2001 From: Justin Gosses <11600445+JustinGOSSES@users.noreply.github.com> Date: Sat, 9 Aug 2025 00:37:44 -0500 Subject: [PATCH] clean --- .../dependency-risk/dependency-risk-README.md | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/instructions/dependency-risk/dependency-risk-README.md b/instructions/dependency-risk/dependency-risk-README.md index 88829c5..c4ca561 100644 --- a/instructions/dependency-risk/dependency-risk-README.md +++ b/instructions/dependency-risk/dependency-risk-README.md @@ -1,5 +1,5 @@ -# Caution. Not an Instructions file. This is a README meant for human +# Caution. Not an Instructions file. This is a README meant for humans ## Introduction to dependency risk instruction files @@ -26,6 +26,7 @@ example of what can be done. You can edit or extend to match your own needs or i ### How to use Copy and paste all four of the instruction files in this directory into your repository's `.github/instructions/` directory. +Ask Copilot Chat agent mode a question like "What can you tell me about the security and community health of the python package welly?" Optionally, if you have a new MCP tool or additional API source of information for one of the dependency risk categories explore trying to add instructions for how to access it to either the @@ -133,7 +134,7 @@ can reasonably have different thresholds for what is acceptable risk. However, it may still be useful to you if it flags a risk earlier than your other tooling that flags one of these risks at pull request time or at build time. -#### What parts of continuous risk can be assessed well with metadata alone? +#### What parts of continuous risk can be assessed well with publicly available metadata alone as these instructions try to do? Continuous risks can be thought of as including three partially overlapping categories: sustainability risks, quality risks, and security posture risks. 
@@ -142,20 +143,17 @@ Sustainability risks can include "Possibly abandoned", "Not enough eyeballs to s package and source repository metadata publicly available in 2025 as they are largely activity-based and community-based measurements, quality risks and security posture risks often require either manual evaluation of the source code or additional scans of the source code itself to assess well. -Where OpenSSF scorecard data exists, it is surfaced in the dependency risk report for security +When OpenSSF scorecard data exists, it is surfaced in the dependency risk report for security posture information. ## Example dependency risk report -The following is an example of a dependency risk report generated by these instructions files. -As the instructions evolve, the report may change to reflect new requirements or formatting guidelines. -Each of the files has a version number in the header. - -------------------------------- +The following is an example of a dependency risk report generated by an earlier version of these +instruction files. ### Dependency risk report chat record for python package welly -**Conversation Record** +------------------------------- **User:** Tell me about the community health and security of python package welly
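Review bot: In the `@@ -26,6 +26,7 @@` hunk, the added line "Ask Copilot Chat agent mode a question like ..." is inserted as a single long line directly under "Copy and paste all four of the instruction files ...", while the surrounding README text is hard-wrapped (see the "Optionally, if you have a new MCP tool ..." paragraph that follows). Wrap it to the same width, and consider making the two sentences an ordered list (1. copy the files into `.github/instructions/`, 2. ask the question) so the reader sees that the question only works once the files are in place; it would also help to say where the resulting report appears, since the next heading in the file is "Example dependency risk report".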
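Review bot: In the `@@ -133,7 +134,7 @@` hunk, the rewritten heading "#### What parts of continuous risk can be assessed well with publicly available metadata alone as these instructions try to do?" reads awkwardly because the trailing clause has no punctuation separating it from the question; "... with publicly available metadata alone, as these instructions try to do?" or moving "as these instructions try to do" into the first sentence of the paragraph below would be clearer. Also note that renaming a heading changes its generated anchor, so any link to the old "#what-parts-of-continuous-risk-can-be-assessed-well-with-metadata-alone" anchor elsewhere in the repository would need updating.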
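Review bot: In the `@@ -142,20 +143,17 @@` hunk, dropping "Each of the files has a version number in the header." removes the only pointer that lets a reader match the example report to a particular revision of the instruction files, and the new wording "generated by an earlier version of these instruction files" makes that pointer more necessary, not less; suggest keeping the sentence and stating which version produced the example. The relocated `-------------------------------` rule now sits between the "### Dependency risk report chat record for python package welly" heading and the first "**User:**" turn, which visually detaches the heading from the transcript it introduces; keeping the rule above the heading (where it was) or keeping the removed "**Conversation Record**" label would preserve the grouping. The "Where" to "When" change in the OpenSSF scorecard sentence is fine.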