Commit 3cdfcf0
authored
chore: Add Dependabot version-update cooldown (#407)
This pull request was auto generated by the LaunchDarkly Github
Standards automation platform.
* Ensure every entry under `updates` in `.github/dependabot.yml`
declares a cooldown of at least 7 days (default-days).
* Add entries for detected package ecosystems that were not yet tracked
by Dependabot.
Cooldown applies only to version updates; security updates bypass it, so
critical CVE fixes are never delayed.
Ref: SEC-8058.
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Automation-only Dependabot policy change with no application runtime
or security-logic changes.
>
> **Overview**
> Adds a **7-day cooldown** (`default-days: 7`) under both
**github-actions** and **npm** entries in `.github/dependabot.yml`, so
Dependabot still checks daily but waits before opening version-update
PRs for the same dependency.
>
> Also normalizes minor YAML formatting on `updates:` and `schedule:`
(trailing whitespace). Security updates are unchanged and are not
subject to this cooldown.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
3950a63. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Co-authored-by: ld-repository-standards[bot] <113625520+ld-repository-standards[bot]@users.noreply.github.com>1 parent 16a616a commit 3cdfcf0
1 file changed
Lines changed: 7 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | | - | |
| 2 | + | |
3 | 3 | | |
4 | 4 | | |
5 | | - | |
| 5 | + | |
6 | 6 | | |
| 7 | + | |
| 8 | + | |
7 | 9 | | |
8 | 10 | | |
9 | | - | |
| 11 | + | |
10 | 12 | | |
| 13 | + | |
| 14 | + | |
0 commit comments