
Commit 5ee1997

cailmdaley and claude committed
chore: add dependabot.yml — cooldown + grouped monthly bumps
Adds an explicit version-updates policy on top of the security-updates channel that fires automatically since uv.lock landed (#719). Posture is supply-chain conservative:

- 14-day cooldown on minor/patch, 30-day on majors (Dependabot won't PR a version until it's been live for that long). Buys a detection window against maintainer-compromise attacks (Shai-Hulud, axios, PyTorch Lightning, …) where malicious versions typically get yanked within hours-to-days.
- Monthly schedule + grouped patch/minor — one batched PR, atomic to revert, large enough to actually be reviewed instead of waved through.
- Major bumps stay individual (potentially breaking, deserve individual review).
- No auto-merge.
- github-actions ecosystem also enabled (companion to SHA-pinning the workflows).

Cooldown does NOT apply to security updates — those still fire on the CVE-publication timeline, which is the right tradeoff.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 166d403 commit 5ee1997

1 file changed

Lines changed: 62 additions & 0 deletions
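A small policy lint for the posture the commit message describes, added here as an example and not part of the commit or of the shapepipe project. It takes an already-parsed dependabot.yml as a Python dict (the `COMMITTED_CONFIG` below is a constructed dict mirroring the committed file, so no YAML parser is needed) and checks four invariants: every ecosystem has a cooldown of at least `MIN_COOLDOWN_DAYS` (an assumed floor of 14), majors cool down at least as long as minors/patches, no group batches major bumps, and `open-pull-requests-limit` is not zero (which would silently disable version updates). `with_major_guard` is a hypothetical helper that applies the corresponding fix so the lint can be shown passing.

```python
"""Lint a parsed dependabot.yml against a supply-chain-conservative posture.

Added example, not project code. Run with a dict shaped like the YAML file
(e.g. the result of yaml.safe_load); the sample config below is constructed
by hand to mirror the committed .github/dependabot.yml.
"""
import copy

MIN_COOLDOWN_DAYS = 14   # assumption: floor we want on minor/patch cooldown
DEPENDABOT_PR_LIMIT_DEFAULT = 5  # Dependabot's documented default when unset


def lint_dependabot(config: dict) -> list[str]:
    """Return human-readable policy violations; an empty list means compliant."""
    findings: list[str] = []
    if config.get("version") != 2:
        findings.append("config: 'version: 2' is required")
    for upd in config.get("updates", []):
        eco = upd.get("package-ecosystem", "<unknown>")
        cooldown = upd.get("cooldown") or {}
        default_days = cooldown.get("default-days", 0)
        # semver-major-days falls back to default-days when absent
        major_days = cooldown.get("semver-major-days", default_days)
        if default_days < MIN_COOLDOWN_DAYS:
            findings.append(
                f"{eco}: minor/patch cooldown {default_days}d is below "
                f"{MIN_COOLDOWN_DAYS}d"
            )
        if major_days < default_days:
            findings.append(
                f"{eco}: major cooldown {major_days}d is shorter than "
                f"default {default_days}d"
            )
        if upd.get("open-pull-requests-limit", DEPENDABOT_PR_LIMIT_DEFAULT) == 0:
            findings.append(f"{eco}: open-pull-requests-limit 0 disables version updates")
        for name, group in (upd.get("groups") or {}).items():
            types = group.get("update-types")
            # A group with no update-types, or one listing "major", batches
            # breaking bumps into the same PR as routine ones.
            if types is None or "major" in types:
                findings.append(
                    f"{eco}: group '{name}' would batch major bumps; "
                    f"set update-types to minor/patch"
                )
    return findings


def with_major_guard(config: dict) -> dict:
    """Hypothetical fix helper: restrict every group to minor/patch and make
    the major cooldown at least as long as the default. Returns a copy."""
    fixed = copy.deepcopy(config)
    for upd in fixed.get("updates", []):
        for group in (upd.get("groups") or {}).values():
            group["update-types"] = ["minor", "patch"]
        cooldown = upd.setdefault("cooldown", {})
        cooldown.setdefault("default-days", MIN_COOLDOWN_DAYS)
        cooldown.setdefault("semver-major-days", cooldown["default-days"])
    return fixed


# Constructed dict mirroring the committed .github/dependabot.yml
COMMITTED_CONFIG = {
    "version": 2,
    "updates": [
        {
            "package-ecosystem": "uv",
            "directory": "/",
            "schedule": {"interval": "monthly", "day": "monday"},
            "cooldown": {"default-days": 14, "semver-major-days": 30},
            "groups": {
                "lockfile-minor-patch": {
                    "patterns": ["*"],
                    "update-types": ["minor", "patch"],
                }
            },
            "open-pull-requests-limit": 3,
            "labels": ["dependencies"],
        },
        {
            "package-ecosystem": "github-actions",
            "directory": "/",
            "schedule": {"interval": "monthly"},
            "cooldown": {"default-days": 14},
            "groups": {"actions": {"patterns": ["*"]}},
            "open-pull-requests-limit": 2,
            "labels": ["dependencies", "github-actions"],
        },
    ],
}


if __name__ == "__main__":
    for line in lint_dependabot(COMMITTED_CONFIG) or ["no findings"]:
        print(line)
```

Run against the committed config the lint reports one finding, the `actions` group with no `update-types`; after `with_major_guard` it reports none. Wiring `lint_dependabot` into CI as a required check keeps a later edit from quietly re-enabling batched majors or dropping the cooldown.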

File tree

.github/dependabot.yml

@@ -0,0 +1,62 @@
1+
# Dependabot config — supply-chain conservative posture.
2+
#
3+
# Why this exists:
4+
# - We now ship a `uv.lock`, so Dependabot's security-updates channel fires
5+
# automatically on GHSAs touching transitive deps. This file adds
6+
# *version-updates* policy on top: routine bumps that don't fall out
7+
# of a security advisory.
8+
# - 2025-2026 has seen a wave of maintainer-compromise attacks across npm
9+
# and PyPI (Shai-Hulud / Mini Shai-Hulud, axios, PyTorch Lightning,
10+
# tj-actions/changed-files, …). The published-to-Dependabot-PR-lag is
11+
# often minutes. Cooldown buys a detection window for free.
12+
#
13+
# Policy:
14+
# - 14-day cooldown on minor/patch (30 days on majors). Anything malicious
15+
# is usually caught and yanked within a few days; the cooldown lets that
16+
# happen before it reaches us.
17+
# - Monthly schedule + grouped patch/minor PRs — one batched PR per month,
18+
# atomic to revert, large enough to actually be reviewed.
19+
# - Major bumps stay as individual PRs (potentially breaking; each
20+
# deserves its own review).
21+
# - No auto-merge anywhere. Lockfile diffs are uninspectable; we eyeball
22+
# the version metadata and source links before merging.
23+
#
24+
# Note: cooldown does NOT apply to security-updates (the GHSA-driven PRs).
25+
# Those still fire on the CVE-publication timeline, which is the right
26+
# tradeoff for shapepipe — fix CVEs fast, but don't auto-merge them either.
27+
28+
version: 2
29+
30+
updates:
31+
# Python dependencies tracked via uv.lock
32+
- package-ecosystem: "uv"
33+
directory: "/"
34+
schedule:
35+
interval: "monthly"
36+
day: "monday"
37+
cooldown:
38+
default-days: 14
39+
semver-major-days: 30
40+
groups:
41+
lockfile-minor-patch:
42+
patterns: ["*"]
43+
update-types: ["minor", "patch"]
44+
open-pull-requests-limit: 3
45+
labels:
46+
- "dependencies"
47+
48+
# GitHub Actions versions (SHA-pinned in workflows; Dependabot proposes
49+
# SHA bumps with the new tag annotated in the PR body).
50+
- package-ecosystem: "github-actions"
51+
directory: "/"
52+
schedule:
53+
interval: "monthly"
54+
cooldown:
55+
default-days: 14
56+
groups:
57+
actions:
58+
patterns: ["*"]
59+
open-pull-requests-limit: 2
60+
labels:
61+
- "dependencies"
62+
- "github-actions"
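Review bot: The `actions` group at the end of the hunk (`patterns: ["*"]` with no `update-types`) batches major GitHub Actions bumps into the same monthly PR as minors and patches, which contradicts the header comment's "Major bumps stay as individual PRs" policy; add `update-types: ["minor", "patch"]` to that group so majors surface on their own, and consider `semver-major-days: 30` next to `default-days: 14` in the github-actions `cooldown` block so both ecosystems carry the same major-bump window. Two smaller points: `day: "monday"` under the uv `schedule` is only documented for the `weekly` interval, so either confirm it is honored with `monthly` or drop it to avoid a setting that reads as if it does something; and the header's statement that the security-updates channel "fires automatically" holds only when Dependabot alerts and security updates are enabled in the repository settings, which is worth stating in the comment since this file does not control it.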
