Add cooldown configuration for Dependabot #42370

Merged: julien-deramond merged 1 commit into twbs:main from coliff:patch-1 on Apr 30, 2026
coliff (Contributor) commented Apr 29, 2026

Description / Motivation & Context

Worthwhile security improvement which is recommended by several security tools/services.

REF: https://docs.zizmor.sh/audits/#dependabot-cooldown

Type of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Refactoring (non-breaking change)
  • Breaking change (fix or feature that would change existing functionality)

Checklist

  • I have read the contributing guidelines
  • My code follows the code style of the project (using npm run lint)
  • My change introduces changes to the documentation
  • I have updated the documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed

Copilot AI review requested due to automatic review settings April 29, 2026 11:16

Copilot AI left a comment

Pull request overview

Adds a Dependabot “cooldown” window to reduce update churn and improve security posture by spacing out automated dependency update PRs, aligning with external audit guidance.

Changes:

  • Configure cooldown.default-days: 7 for the github-actions Dependabot updates.
  • Configure cooldown.default-days: 7 for the npm Dependabot updates.

julien-deramond (Member) commented:

I wasn't aware of this feature, thanks for sharing, @coliff 🙏
It looks really interesting. I'll take a closer look, along with the cooldown docs, as soon as I can 🙂

@julien-deramond julien-deramond merged commit d5f5a4b into twbs:main Apr 30, 2026
16 of 17 checks passed
@coliff coliff deleted the patch-1 branch April 30, 2026 08:45
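
A check in the spirit of the audit referenced in this pull request, as an added example (not code from Bootstrap, Dependabot or zizmor): it parses a Dependabot configuration and lists the `updates` entries that lack `cooldown.default-days`. The sample file contents, the `/site` entry, the function name `cooldown_findings` and the `min_days` threshold are assumptions made for illustration.

```ruby
require "yaml"

# Constructed sample, not the repository's actual file: the first two entries
# carry the cooldown described in this PR, the third (hypothetical) omits it.
SAMPLE_CONFIG = <<~CONFIG
  version: 2
  updates:
    - package-ecosystem: "github-actions"
      directory: "/"
      schedule:
        interval: "weekly"
      cooldown:
        default-days: 7
    - package-ecosystem: "npm"
      directory: "/"
      schedule:
        interval: "weekly"
      cooldown:
        default-days: 7
    - package-ecosystem: "npm"
      directory: "/site"
      schedule:
        interval: "weekly"
CONFIG

# Returns one finding per `updates` entry whose cooldown.default-days is
# missing, not an integer, or below min_days (assumed threshold; 7 is the
# value this PR configures).
def cooldown_findings(yaml_text, min_days: 7)
  config = YAML.safe_load(yaml_text) || {}
  updates = config.is_a?(Hash) ? Array(config["updates"]) : []
  updates.each_with_object([]) do |entry, findings|
    next unless entry.is_a?(Hash)
    label = "#{entry['package-ecosystem']} (#{entry['directory']})"
    cooldown = entry["cooldown"]
    days = cooldown.is_a?(Hash) ? cooldown["default-days"] : nil
    if !days.is_a?(Integer)
      findings << "#{label}: no cooldown.default-days"
    elsif days < min_days
      findings << "#{label}: default-days #{days} is below #{min_days}"
    end
  end
end

# Print the findings for the constructed sample.
cooldown_findings(SAMPLE_CONFIG).each { |finding| puts finding }
```
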