Skip to content

Add cooldown to dependabot actions #52

Description

@freakboy3742

What is the problem or limitation you are having?

Our dependabot configuration currently upgrades all packages to the most recently available versions at the time of publication. This is a potential vector for supply chain attacks, as there's no window for a malicious release to be identified before it is rolled out. Best practice is to add a cooldown period to dependency updates.

Describe the solution you'd like

We should add a 7 day cooldown to our dependabot configuration.

This has already been done to the beeware/.github dependabot configuration. We should make the analogous change to the dependabot configuration in this repository.

Describe alternatives you've considered

Dependabot recently added a default cooldown. However, the issue will still be identified by zizmor (and other auditing tools); and it's better to be explicit rather than implicit.

Additional context

Metadata

Metadata

Assignees

No one assigned

    Labels

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Ready

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions