Commit a47c807
committed
chore(deps): add 7-day cooldown to dependabot npm updates
Supply-chain defense against compromised npm releases. Recent attacks
(typo-squat, account-takeover, post-install scripts) are typically
discovered and yanked within hours-to-days; waiting on a registry
cool-down before auto-PR gives the community time to react before we
ingest the package.
Config (applied to all 3 npm ecosystems — root, packages/core,
packages/mantine):
- default-days: 7 (general cooldown for any version)
- semver-minor-days: 7 (minor bumps: full week)
- semver-patch-days: 3 (patch bumps: smaller blast radius)
GitHub Actions ecosystem intentionally NOT cooldowned — actions are
GitHub-verified and majors are already blocked by the ignore policy.
Important: security updates BYPASS cooldown (documented in GitHub
dependabot config docs). CVE-driven PRs continue to land immediately.
This delays only proactive version-update PRs.
Modeled after Renovate's `stabilityDays` and common large-org practice.
1 parent 050aa3a commit a47c807
1 file changed
Lines changed: 16 additions & 0 deletions
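The shape of the configuration the commit message describes, written out as an added example. This is not the file from the commit (its body is not shown on this page); the three npm directories come from the message, while the `schedule` block and the GitHub Actions `ignore` rule are assumptions about how the rest of the file looks.

```yaml
# .github/dependabot.yml (illustrative, not the committed file)
version: 2
updates:
  # Root package.json
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"        # assumption: interval is not stated in the commit
    cooldown:
      default-days: 7           # any bump without a more specific semver-* key
      semver-minor-days: 7      # same as default; kept to mirror the commit message
      semver-patch-days: 3      # patch bumps: shorter wait, smaller blast radius

  # packages/core
  - package-ecosystem: "npm"
    directory: "/packages/core"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
      semver-minor-days: 7
      semver-patch-days: 3

  # packages/mantine
  - package-ecosystem: "npm"
    directory: "/packages/mantine"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
      semver-minor-days: 7
      semver-patch-days: 3

  # GitHub Actions: no cooldown block; majors blocked by ignore (the exact
  # ignore rule below is an assumption, the commit only says one exists)
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Two things worth knowing before copying this pattern. The wait is measured from the version's publish date on the registry, so a release that is compromised at publish time and pulled within the window never reaches a PR, but one that is not noticed until after the window still will; the cooldown buys reaction time, it is not a substitute for lockfile review or install-script controls. With no `semver-major-days` set, major bumps fall under `default-days`, and because `semver-minor-days` equals `default-days` here the minor key could be dropped without changing behaviour.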
Diff (the changed file's path and line contents were not captured on this page; only the line-number columns survive): three hunks, all additions. New lines 27-34 (8 additions, following old lines 24-26), new lines 72-75 (4 additions, following old lines 61-63) and new lines 114-117 (4 additions, following old lines 99-101), 16 additions in total.
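Review bot: the first hunk adds 8 lines while the second and third add 4 each, yet the commit message says the same cooldown settings are applied to all three npm ecosystems; please confirm the three blocks are identical (the extra lines in the first block should be comments or whitespace, not a different setting). Separately, `semver-minor-days: 7` is redundant next to `default-days: 7`, since `default-days` already governs minor bumps that have no more specific key; either drop it from all three blocks or give it a value that differs from the default so the split carries meaning. The hunk bodies are not visible here, so both points are based on the line counts shown and the values listed in the commit message.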
0 commit comments