security: Delay dependabot updates [TAROT-3707]#4967
Conversation
7 days should be enough when most malicious packages are patched within 24 hours.
Up to standards ✅🟢 Issues
|
There was a problem hiding this comment.
Pull Request Overview
This PR attempts to implement a 7-day delay for Dependabot updates to mitigate risks from malicious packages. However, the implementation is currently non-functional because it uses an invalid configuration key (cooldown).
GitHub Dependabot does not natively support a 'cooldown' or 'delay' parameter in the dependabot.yml schema. Applying this change will result in a validation error within the repository's Dependabot dashboard, and the setting will be ignored, meaning the PR fails to meet its primary security objective.
About this PR
- GitHub Dependabot does not natively support a 'cooldown' or 'delay' feature in the configuration file. This implementation will likely cause a validation error in the GitHub repository's Dependabot dashboard and the setting will be ignored, failing to provide the intended security buffer.
Test suggestions
- Verify that the .github/dependabot.yml file adheres to the official GitHub Dependabot configuration schema.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify that the .github/dependabot.yml file adheres to the official GitHub Dependabot configuration schema.
TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback
7 days should be enough when most malicious packages are patched within 24 hours.