Commit a47c807

chore(deps): add 7-day cooldown to dependabot npm updates
Supply-chain defense against compromised npm releases. Recent attacks (typo-squat, account-takeover, post-install scripts) are typically discovered and yanked within hours-to-days; waiting on a registry cool-down before auto-PR gives the community time to react before we ingest the package.

Config (applied to all 3 npm ecosystems — root, packages/core, packages/mantine):

- default-days: 7 (general cooldown for any version)
- semver-minor-days: 7 (minor bumps: full week)
- semver-patch-days: 3 (patch bumps: smaller blast radius)

GitHub Actions ecosystem intentionally NOT cooldowned — actions are GitHub-verified and majors are already blocked by the ignore policy.

Important: security updates BYPASS cooldown (documented in GitHub dependabot config docs). CVE-driven PRs continue to land immediately. This delays only proactive version-update PRs.

Modeled after Renovate's `stabilityDays` and common large-org practice.
1 parent 050aa3a commit a47c807

1 file changed

Lines changed: 16 additions & 0 deletions

.github/dependabot.yml

@@ -24,6 +24,14 @@ updates:
2424
time: '09:00'
2525
timezone: Asia/Shanghai
2626
open-pull-requests-limit: 5
27+
cooldown:
28+
# Supply-chain defense: don't auto-PR versions that haven't existed
29+
# on the registry for at least this many days. Gives the community
30+
# time to discover and yank compromised releases before we ingest
31+
# them. Security updates BYPASS cooldown (so CVE fixes stay fast).
32+
default-days: 7
33+
semver-minor-days: 7
34+
semver-patch-days: 3
2735
labels:
2836
- dependencies
2937
ignore:
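Review bot: `semver-minor-days: 7` is identical to `default-days: 7`, so the line is a no-op; either drop it or extend the comment to say it is kept deliberately to document the policy, otherwise a later reader will assume the two values differ. Nothing sets a major-version cooldown here either, so majors fall back to the 7-day default; the commit message only says majors are blocked by the ignore policy for the Actions ecosystem, so if the `ignore:` block below does the same for npm, a short note in the comment would make that explicit.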
@@ -61,6 +69,10 @@ updates:
6169
time: '09:00'
6270
timezone: Asia/Shanghai
6371
open-pull-requests-limit: 5
72+
cooldown:
73+
default-days: 7
74+
semver-minor-days: 7
75+
semver-patch-days: 3
6476
labels:
6577
- dependencies
6678
- 'scope:core'
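Review bot: this block is a verbatim copy of the root cooldown settings but drops the rationale comment, so the three copies can drift silently when someone tunes one of them; suggest a one-line comment pointing at the root block (e.g. `# keep in sync with the root npm cooldown above`) or moving the explanation to a single comment at the top of the file.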
@@ -99,6 +111,10 @@ updates:
99111
time: '09:00'
100112
timezone: Asia/Shanghai
101113
open-pull-requests-limit: 5
114+
cooldown:
115+
default-days: 7
116+
semver-minor-days: 7
117+
semver-patch-days: 3
102118
labels:
103119
- dependencies
104120
- 'scope:mantine'
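Review bot: the shorter 3-day window for `semver-patch-days` rests on the "smaller blast radius" argument from the commit message, but the threat model the same message names (account-takeover, post-install scripts) does not depend on the size of the version bump; a hijacked maintainer account can publish a patch release as easily as a minor one, so the justification belongs in the comment next to the value, or the patch window should match the default.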
