
@MattIPv4 (Member)

Description

Reduces the risk from compromised dependency versions by requiring that they've been published for at least three days before Dependabot will update us to them, giving time for maintainers and the community to spot and resolve compromises.

Validation

https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#cooldown-

Related Issues

nodejs/web-team#25

Check List

  • I have read the Contributing Guidelines and made commit messages that follow the guideline.
  • I have run node --run test and all tests passed.
  • I have checked code formatting with node --run format & node --run lint.
  • I've covered newly added functionality with unit tests if necessary.
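
As an added illustration (not the diff from this PR, which the page does not show), this is what a `.github/dependabot.yml` applying the three-day cooldown to both the GitHub Actions and npm ecosystems looks like; the `directory` and `schedule` values are assumptions, the `cooldown` keys follow the linked options reference:

```yaml
# Added example, not this PR's actual diff. Dependabot will not propose a
# version until it has been published for at least `default-days` days.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"            # assumed: workflows live at the repo root
    schedule:
      interval: "weekly"      # assumed schedule
    cooldown:
      default-days: 3         # wait 3 days after publication (all semver levels)

  - package-ecosystem: "npm"
    directory: "/"            # assumed: package.json at the repo root
    schedule:
      interval: "weekly"      # assumed schedule
    cooldown:
      default-days: 3         # same 3-day window for npm packages
```

The cooldown only delays when a version becomes eligible; a version that is yanked or flagged during the window is never offered, which is the risk reduction the description is after.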

Copilot AI review requested due to automatic review settings July 24, 2025 00:41
@MattIPv4 MattIPv4 requested a review from a team as a code owner July 24, 2025 00:41
@vercel (bot) commented Jul 24, 2025

The latest updates on your projects:

Name: api-docs-tooling — Status: ✅ Ready — Updated (UTC): Jul 24, 2025 0:58am

Copilot AI (Contributor) left a comment

Pull Request Overview

Configures Dependabot to enforce a 3-day cooldown period before updating to newly published dependency versions, enhancing security by allowing time for the community to identify and address potential compromises in fresh releases.

  • Adds cooldown configuration with 3-day default to both GitHub Actions and npm package ecosystems
  • Implements security best practice to reduce risk from compromised dependency versions

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@flakey5 flakey5 merged commit f623398 into main Jul 25, 2025
18 checks passed
@flakey5 flakey5 deleted the MattIPv4/dependabot-cooldown branch July 25, 2025 15:19