tools: exclude @node-core/doc-kit from dependabot cooldown

kxxt · web-flow · commit e0c9637afc47 · 2026-04-20T10:07:57.000Z
`@node-core/doc-kit` is an internal package maintained within the nodejs organization, which is unlikely to be a direct source of supply-chain attack. The cooldown only slow down the propagation of new improvements from doc-kit to Node.js repo and causes surprises. The cooldown should be configured in the `doc-kit` repository instead. Currently there is a 3-day cooldown. Maybe we need to increase that to match the 5-day cooldown used in this repository. This patch excludes `@node-core/doc-kit` from the cooldown. Note that `@node-core/doc-kit` is the only dependency in `tools/doc`. But to be future proof, I did't remove the cooldown directly. PR-URL: nodejs#62775 Reviewed-By: Claudio Wunder <cwunder@gnome.org> Reviewed-By: Xuguang Mei <meixuguang@gmail.com> Reviewed-By: Aviv Keller <me@aviv.sh> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -52,6 +52,8 @@ updates:
       semver-major-days: 5
       semver-minor-days: 5
       semver-patch-days: 5
+      exclude:
+        - '@node-core/doc-kit'
     commit-message:
       prefix: tools
     open-pull-requests-limit: 10
