Skip to content

Enable dependency cooldowns #21245

Description

@david-allison

I'm okay not being flagged for security vulnerabilities in our dependencies, we'll get them no matter what with dependabot runs

One thing I just remembered and I am noting here - it's somewhat standard practice apparently to ask dependabot not to propose any packages newer than 3 days. Why? To avoid ingesting packages that haven't had time for inspection by the wider security community yet. If you let dependabot go with just-published package, you may inadvertently be in the blast radius of a supply chain attack on a dependency that is published but not recognized as malware yet

dependabot has config parameters that can do it and LLMs are successful at making the PRs for same if you have any more of the OSS Claude tokens to burn

Originally posted by @mikehardy in #21038

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

Fields

Priority

Low

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions